Insider Threats on Social Media
It’s not really social media itself you need to worry about, but the people who use it. Consider how much compromising information people share on social media: personal life details, political views, location, interests, and much more. For cyber criminals this data about a target is an absolute goldmine, especially if the target is sharing work details. Beyond the information people share, social media platforms also provide another vector for phishing and drive-by malware installations. In either case social media platforms become a threat to your organization that cannot be ignored if you allow your employees to use social media at work.
Cyber crime on social media comes in many forms, some of which are outright bizarre but effective. One of the more recent cases saw the use of Britney Spears’ Instagram posts to control malware on infected networks. Social media cyber crime was not always this advanced, though. The earliest criminal activity on social networks came in the form of poorly formatted emails and clickbait posts that your friend would never post themselves.
Social Cyber Crime
When people think about cyber security and social media, there is an assumption that social platforms are safe spaces to share information. With the amount of information shared and traffic flowing to social media platforms, they make the perfect phishing grounds for cyber criminals. Cyber crime on social platforms commonly comes in three forms.
Whether a broad sweep or a targeted attack, social media can be an excellent platform for malicious actors to carry out phishing and social engineering attacks. These attacks have evolved alongside people’s growing ability to recognize when they are being manipulated. In the most basic form this could be getting people to click a link to a malicious site. The more recent forms of social engineering, however, have been much more overt. Consider the numerous cases of fictitious customer service accounts being created to steal information from customers looking for help. By playing on people’s assumption that a company would have a customer service account, victims willingly give up their information in the hope that their issue will be resolved. Now imagine an employee at your company seeking support for an issue with third-party software installed on your network, and one of these fake accounts reaching out to offer help. The employee may well hand over credentials in the hope of getting the issue fixed. Avoiding such incidents requires some baseline education about social media phishing for all employees.
People feel very comfortable on social media, with their profiles often set to public. For a single employee you may find a public Facebook, Twitter, Instagram, or LinkedIn account where they share information regularly. In these cases cyber criminals don’t have to do anything more than visit the profile and track changes. When hackers target a company, they target the people they judge to be the weakest link and gather all they can about that person. With the information they need made public, they then plan out phishing or social engineering tactics to help gain access to the network.
Trading & Control Centers
The Britney Spears incident mentioned above may sound funny, but it was a very effective strategic move. The volume of traffic to social media sites makes it near impossible to separate malicious traffic from normal traffic, which provides the perfect cover for criminals to set up data exchanges and control centers. In the case of Britney Spears’ Instagram account, all the hackers had to do was comment on this public account to control the malware they had infected networks with. It does not take much effort to set up a fake profile and offer stolen data for sale to the highest bidder on platforms like Facebook and Twitter, and the same platforms serve as control channels for self-developed malware. In these cases the malicious activity is not aimed at the users on the network, but uses the network as a means of information exchange among the criminals themselves.
For security purposes, understanding the threats on social media can save you from a negligent insider incident. Many companies outright ban social media while at work. This policy alone doesn’t completely solve the problem, but it does mitigate risk while your employees are online at work. Depending on your company’s context you may feel some social media is needed, or you may feel none is. In either case you should be aware of the risks of having employees on social media. Education here is important, as employees are often looking for guidance on how to conduct themselves online while working.
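The article notes that malicious traffic to social media sites is hard to separate from normal browsing. One defender-side heuristic is that malware checking a public page for instructions tends to do so on a fixed timer, while people browse irregularly. The example below is added here and is not from the article; it assumes a constructed, simplified proxy log format (epoch seconds, source host, destination domain) and flags host/domain pairs with many requests at near-constant intervals.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log (not real data): epoch seconds, source host, destination domain.
# ws-17 polls instagram.com exactly every 300 s; ws-04 browses facebook.com irregularly.
SAMPLE_LOG = """\
1700000000 ws-17 instagram.com
1700000003 ws-04 facebook.com
1700000250 ws-04 facebook.com
1700000300 ws-17 instagram.com
1700000410 ws-04 twitter.com
1700000600 ws-17 instagram.com
1700000900 ws-17 instagram.com
1700001000 ws-04 facebook.com
1700001090 ws-04 facebook.com
1700001200 ws-17 instagram.com
1700001500 ws-17 instagram.com
1700001800 ws-17 instagram.com
1700002400 ws-04 facebook.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Group request timestamps by (source host, destination domain)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip malformed lines
            ts, host, domain = m.groups()
            sessions[(host, domain)].append(int(ts))
    return sessions


def find_beacons(sessions, min_requests=5, max_jitter=0.1):
    """Return (host, domain, mean_gap_s, jitter) for pairs whose request
    intervals are nearly constant. Jitter is stdev/mean of the gaps; a value
    near 0 means a clockwork pattern typical of automated polling."""
    flagged = []
    for (host, domain), times in sessions.items():
        if len(times) < min_requests:
            continue  # too few samples to judge regularity
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            flagged.append((host, domain, round(avg), round(jitter, 3)))
    return flagged
```

The threshold values are illustrative; tune them against your own baseline of normal browsing before alerting on them.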