In this YouTube video, Trend Micro CTO Raimund Genes discusses how an attacker can use information from social networks such as LinkedIn and Facebook to hack into a corporate network.
The picture Raimund paints shows how attackers can get publicly available email addresses on social networks and send a customized targeted email to the person containing a malicious URL, which points to an exploit that triggers the download of a Trojan.
Some people may scoff at this scenario and say, “Too many things need to happen for me to get infected.” If you are part of this group, you probably have a point. The email needs to pass through spam filters first and needs to be convincing enough for the target to click on the link. Should the target click on it, the exploit scripts need to get through antivirus detection. To be fully reliable, the exploit would need to be a zero-day; otherwise, the attacker can only hope that the target has not applied the latest patches yet.
Too many things need to happen in order for the attack to succeed, right?
Then again, an attacker can take the long route in, as in last year’s Twitter hack, in which an attacker going by the pseudonym Hacker Croll was able to infiltrate Twitter’s corporate network.
Case in Point: Twitter Hack Attack
Hacker Croll started out by building a profile of Twitter employees from publicly available information using search engines. From there, he was able to gather employee names with their associated email addresses, business positions, and bits and pieces of personal information. Hacker Croll then tried to get access to a Twitter employee’s Gmail account using Gmail’s password recovery feature, which sends a user’s password to a secondary email account.
Hacker Croll got lucky, as the targeted employee’s secondary email was an inactive Hotmail account. Hotmail removes inactive accounts, so Hacker Croll simply registered the inactive address to himself, asked Gmail’s password recovery to send the password to the Hotmail account he now owned, and bingo! He gained access to that Twitter employee’s mailbox.
From there, Hacker Croll was able to gather more information about other Twitter employees. He was able to access other Web services the original target subscribed to (because the target reused the same password most of the time), and he was able to hack into other Twitter employees’ accounts by exploiting the secret question feature common to Gmail and other Web-based email services. By then, Hacker Croll had a detailed profile of his targets, so answering a secret question like “What’s the name of your pet?” was trivial.
By the time Hacker Croll finished, he was in possession of confidential company information, iTunes accounts, credit card information, and control of Twitter domains in GoDaddy, all because of publicly available personal information.
Revealing Too Much Can Be Harmful
The moral of the story? Listen to what our CTO is saying, “Please don’t reveal too much information on social networking sites.” And if I may add, please don’t use the same password for most of your online accounts.
Trend Micro may be able to protect you from malicious email, websites, and malware using our Smart Protection Network™, but we cannot protect you if attackers use information that you yourself made available.
*A detailed account of the Twitter attack was documented by TechCrunch.