It can be easy for users of social media to let their guard down. Platforms such as Facebook, Twitter and Instagram all encourage sharing of information that can be used to identify a person, his or her whereabouts – including present location with geo-tagging – as well as facts about friends, family members, coworkers and employers. All of these details help keep people connected, and in tune with the lives of distant friends and relatives.
But like everything in the virtual world, social media can be used for nefarious purposes. While many users just want to share cat videos, or browse through a friend's recent vacation photo album, others have a more sinister purpose: to gather information needed to execute a cyberattack.
Phishing scams and malware
All the logging in and out and rampant sharing of links make social media platforms such as Facebook, Twitter and LinkedIn ideal breeding grounds for phishing ploys. One of the newest scams in circulation uses this knowledge as an attack strategy. According to HackRead, some users have received emails asking if they have recently reported suspected page forgery. The message is sent from "email@example.com" and goes directly to the inbox, rather than being filtered as spam. The email recipient is then prompted to click on a link if the email has been sent in error. This link takes the user to a very clean, seemingly legitimate webpage that requests a phone number, email address, password and security question and answer. A paragraph toward the bottom of the form claims that Facebook users must fill out this page to verify their account if they have received the aforementioned email.
Other more common social media scams involve the sharing of graphic information on Facebook. According to Trend Micro, any content or videos in a feed that claim to reveal a new celebrity sex scandal or other salacious information – either as an ad or because a friend liked or shared it – is most likely malware and should be avoided. Clicking on the link can result in infection. Generally speaking, Internet best practices encourage users to get any online news from credible sources.
The Twittersphere is also rife with cyber threats. One of the most common traps takes the form of a message, tweet or email from a fellow tweeter claiming that someone has said something nice about you, or has shared a picture of you. Nine times out of 10, this is click-bait designed to hijack a Twitter account or install malware. Resist the urge to click.
Most click-bait and phishing scams are frivolous relative to the severity of social engineering. This is the practice of gathering publicly available information about individuals for malicious purposes – for example, as a way to execute an advanced targeted attack. Social engineering can take a variety of forms, such as the creation of false online identities. Typically, the goal is to identify targets that may be easily deceived into breaking security protocols.
One current, high-profile example was reported this October. Dell SecureWorks Counter Threat Unit identified 25 fake LinkedIn profiles that it was able to connect to Iran-based Threat Group-2889. Some of the profiles had 500 or more connections, mostly in the government and telecom sectors, and others were posing as recruiters for large technology companies such as General Motors. A motive was never identified; however, the fraudulent accounts represent a textbook example of social engineering.
In the most recent updates regarding Iran-based hacking efforts, the New York Times reported in late November that officials at the State Department who focus on Iran and the Middle East have had their email and social media accounts breached by Iranian hackers over the course of the past few months. While these incidents were fairly standard spear-phishing ploys, the status of the targets seems to point to social engineering.
It's worth noting that unlike many other cyber threats, social engineering does not have to be intrinsically technical. In some cases, such as the false LinkedIn profiles, malware, viruses and breaches are not involved. For this reason, detection can be more complicated and requires a degree of human vigilance and intelligence on top of threat protection solutions.
Tips for safe socializing
The best way to avoid becoming a victim of a social media scam is through constant awareness. Being cognizant of the threats currently in circulation helps users know what to look out for. Staying attentive while browsing the Web and using social media helps ensure that you will not miss warning signs. For example, be wary of links that appear to point to a known news source if the source name contains misspellings or oddly placed grammar.
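A simple, automated version of the misspelled-source-name check, added here as an example (not code from the original article): it flags links whose domain merely resembles a known site, including digit-for-letter swaps and a real brand name buried in a subdomain. The allow-list, the substitution table and the sample message are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of legitimate domains for the brands named on this page (an assumption).
KNOWN_HOSTS = {"facebook.com", "twitter.com", "linkedin.com", "instagram.com"}
# Digit-for-letter substitutions commonly seen in look-alike names; undone before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def hostname(url):
    """Lower-cased hostname of a URL (a scheme is assumed if missing)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def levenshtein(a, b):
    """Edit distance; used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, known=KNOWN_HOSTS):
    """Return 'known', 'lookalike' or 'unknown' for the domain behind a link."""
    host = hostname(url)
    labels = host.split(".")
    if ".".join(labels[-2:]) in known:
        return "known"                      # exact registrable-domain match
    brands = {k.split(".")[0] for k in known}
    cleaned = [l.translate(HOMOGLYPHS).replace("-", "") for l in labels]
    name = cleaned[-2] if len(cleaned) >= 2 else cleaned[0]
    for brand in brands:
        # brand used as a subdomain label, embedded in the name, or one typo away from it
        if brand in cleaned or brand in name or levenshtein(name, brand) <= 1:
            return "lookalike"
    return "unknown"

def flag_links(text):
    """Extract every URL from a message body and pair it with its verdict."""
    return [(u, classify_link(u)) for u in re.findall(r"https?://[^\s<>\"']+", text)]

# Constructed sample message modelled on the "page forgery" email described above (not a real sample).
SAMPLE = ("If you did not report suspected page forgery, verify your account at "
          "http://faceb00k-security.com/verify or visit https://www.facebook.com/help")

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE):
        print(verdict, url)
```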
Another useful tactic is to use two-factor authentication for accounts, so that logins from new devices require a second layer of security such as a text message. In the event of repeated login attempts from unknown locations, consider contacting the social media website directly to inquire about an investigation, or about any measures that could prevent a problem from arising as a result.
Social engineering can be a little more difficult to defend against, but awareness and vigilance are still key. Avoid adding unknown people on social media, or opening links that are sent from users who are not in your network. This is especially important for enterprises. Having many followers is valuable, but it is essential that information is shared strategically, to prevent fraudulent or malicious users from finding a vantage point from which they can exploit the company.
Last but not least, consider leveraging software designed to ward off online threats. Internet Security from Trend Micro can help social media users defend against cyber threats.