social media

A Match Made in Heaven: Fraud and Social Media

Since the days of Friendster and GeoCities, fraud has thrived on social media.

Social media is the fraudsters’ playground—an unregulated, highly visible, easily exploitable platform that connects with billions of people and serves a host of purposes in a hacker’s repertoire. Many fraudulent accounts are mere satire or innocuous trolling, but others are created with far more devious intentions.

Even inexperienced cyber criminals can carry out low-tech attacks via social media by building convincing profiles and connecting to the right people. In a targeted attack, hackers connect with colleagues and friends of the target, a tactic called “gatekeeper friending,” to appear more legitimate once connecting to the target itself.

In the unverified world of social media, fraudsters lay claim to whatever they like—that they work at the same organizations, have the same alma mater, or share all the same goals and interests. Never in the history of human communication has deceit been easier. With these elements in place, the hackers can request sensitive information or ask for money. If the target believes the account to be a coworker, relative, or love interest, these things are openly shared.

In a SEC Form 10 filing Facebook estimates that nearly 15 million of its accounts are “undesirable.” Even more are considered “false” accounts—nearly 100 million. According to Barracuda Labs, Twitter is similarly fraudulent—about 10% of accounts. Expect these trends to grow. Fake accounts can be leveraged in more technical attacks as well, such as phishing or malware attacks. Launching such a campaign from a well connected, legitimate-looking profile increases the efficacy of any malware or phishing campaign.

Imitating a brand is also particularly simple. A quick Google image search to get the company logo, and a hacker can set up a fake customer service representative account. Again, these can be low-tech, used to slander the company, or for more advanced ends, such as to spread malware links via targeted scams and attacks. These fraudulent accounts will often try to phish company employees into disclosing brand account credentials or sensitive company data. These attacks can be spread using company hashtags both to make the account seem more legitimate and to amplify the attack across the company’s social footprint.

Impersonations can also target the employees of an organization. These attacks often start with a senior executive impersonator account requesting sensitive information or account credentials from subordinates. Hackers can then use these credentials to gain access to the legitimate brand accounts and post anything they choose, from malicious links to slander and abuse.

Fake accounts have existed since the beginning of social media. A handful of examples from the past half-decade: In 2010 a Paramount Entertainment impersonator rattled off racist and inappropriate tweets. Last year, a Thai woman stole some $200,000 using a fake Furby Instagram account. Also in 2013, a fraudulent Southwest Airlines Facebook page boasted some 2000 followers and an Instagram scam promised VIP deals on American Airlines, Jet Blue, Delta, United Airlines and Emirates.

The app InstLike, as seen in the picture, tricked over 100,000 users into letting the app hijack their account and like random photos. In January, fake Twitter accounts disguised as market researchers connected to traders in the finance world and claimed several small companies were under investigation by the Department of Justice—hackers rode the ensuing stock plunge.

One group historically prone to social media fraud is the military. Hackers launch “romance scams,” in which fake profiles of servicemen abroad connect with loved ones at home, or even initiate online relationships. Once the targeted party believes they are communicating with a real person, the hacker will request money. One unnamed military official in particular has some 30 imposter Facebook accounts. More troubling is the nearly 100 fake Skype accounts – the most popular means of communication between military personnel and loved ones at home, and thus the easiest target for “romance scams.” Even the Russian social networking site VK has 75 different profiles under this same military official’s name.

Most recently, the fake Jamie Dimon Twitter account took center stage in the news of fraudulent social media activity. It began benignly, posting tweets like, “We are excited to announce that our CEO James Dimon has joined Twitter. This account is managed by the Global Media Relations Department.” The account followed notable business leaders and tweeted several times throughout the day.

For organizations, the cost of social media fraud varies on the type and breadth of the attack. Customer scams have serious business implications further down the road, in the form of customer loyalty and support costs. Executive impersonations can result in brand reputation damage or stock manipulation. Businesses are beginning to understand the full scope of this problem—a third of users say they have been sent malware on social, 24% of SMBs say they have been compromised via social, and 72% of companies believe employees’ use of social media poses a threat to their organization.

As long as social media exists, fraud will persist as a problem. It’s time for organizations to take the threat of social media very, very seriously.

This article was originally published in Security Week. See the full article here.

A CISO's Nightmare: Digital Social Engineering

Olga Redmon is an attractive young professional whose resume includes experience in customer service and Microsoft Office.

Her LinkedIn profile boasts 500+ connections and dozens of endorsements, all of which come from Midwestern professionals in the automotive industry. Olga’s profile picture depicts her in a tight black tank top and red lipstick.

Unfortunately for the hundreds of professionals connected to her, she isn’t real. Corresponding accounts on other networks are equally shady and incomplete, none of which have posted in months. No other information about her exists online, and the “People Also Viewed” panel contains equally suspicious profiles of scantily-clad women. But astoundingly, Olga has a considerable following in the Ohio/Michigan area, all of whom seem to believe the account is genuine. The hacker responsible could very well be distributing malicious links via direct message, or executing a comprehensive social engineering campaign targeting the auto industry.

While Olga Redmond could be written off a satirical account, the amount of time and effort someone spent making it seem legitimate and connecting with such specific industry professionals suggests that this is something more sinister than satire. Olga Redmon is a well planned and executed next generation social engineering campaign. Social engineering is when a hacker creates convincing fake profiles to connect and interact with a target or group of targets. Hackers create the profiles, build up a network of connections to make them appear trustworthy, and eventually connect with their actual target. Once the request is accepted a hacker can steal information or launch a cyberattack. Instead of a promising HR, marketing, or sales lead, profiles like Olga Redmon’s can be serious cyber security threat.

Social engineering campaigns are shockingly easy to carry out. This was made clear at the RSA Europe conference last year when IT services provider World Wide Technology presented the results of a comprehensive penetration test carried out for one of their clients. The story will sound familiar – a fake account under the named Emily Williams, claiming to be an MIT grad with 10 years experience. Within days, the pen-testers received endorsements, job offers, and even a company laptop.

 

Had this been an actual attack, as a cyber criminal could have compromised an entire corporate network or brand by just creating a single fake account. From this point, the potential for attack would be nearly endless. The hacker could launch phishing and malware campaigns with increased effectiveness or begin to mine sensitive company information from unsuspecting employees.

By creating an account like Olga Redmon, no actual hacking, in the traditional sense, has been done, meaning this type of attack goes completely unaddressed by traditional security measures like anti-virus or email gateways. A tweenager with no programming experience could bypass existing security infrastructure with no more than a free afternoon and an Internet connection. Now imagine it in the hands of a skilled hacker.

In the event of a serious information breach, the CMO and the sales team will most likely not be held liable. They will always be able to point to the extensive body of research supporting social media as a robust business development tool. Social media isn’t going anywhere–the CISO need to learn how to manage the corresponding risks.

Social media is already ripe with threats, and not just Olga Redmon. Our research suggests that between 4-8% of all social media links are malicious in nature, meaning the daily number of malicious links on Twitter alone nearly exceeds the population of Spain. Expect these trends to continue.

Monitoring social media is a daunting task. It’s not a matter of logging into a company’s profiles once a day to look for suspicious activity. Employees, customers, executives, and anyone connected to your organization are the new endpoints for attack. A recent survey suggests that of the 74% of Internet users now active on social media, and the average person has 3 different social media accounts. Apply these stats to your company’s workforce and customer base – that is your full attack surface.

Social media is no longer exclusively in the realm of the marketers, and in truth, never has been. Information security professionals need to be in dialogue with all departments that leverage social media across an organization. Risk management plans need to be in place to monitor, identify, combat and remediate social media-based threats. A simple test is this – go back through your traditional information security risk management plans line by line. Ask yourself if, in all their complexity, they could prevent an attack originating from a carefully worded LinkedIn post from Olga Redmon.

The words “social media,” evoke colorful marketing infographics and peppy names like Hootsuite or Savyy or Feedly, not a massive, unchecked cyber security threat vector. CISOs need to change that, because adversaries are utilizing social media as the latest and greatest avenue for targeted attacks.

This article was originally published in Security Week. See the full article here.