Social media has grown over the last fifteen years from being something you used occasionally to being something that some people rely on to do just about everything. Social media sites and apps have included services and functionality to enable users to interact with brands and personalities in ways that were never possible.
This is an edited transcript from a video blog recording of Sarb Sembhi, CTO and CISO for Virtually Informed, and his co-host Nick Ioannou, Director of Boolean Logic.
Today we are looking at Social Media and what Small Organisations need to consider to protect themselves from related attacks. Social media sites and apps have developed and included services and functionality to hook users to interact with brands and personalities in ways that were never possible. They have also generated and created individual brands who are known for nothing other than being known on social media.
Why Social Media May Be an Issue for Organisations
More often than not, crimes are now facilitated not just by technology or the internet, but by or through social media. Its adoption both by the public and by Organisations makes it an ideal medium for criminals to utilise. Organisations are eager to promote everything they are doing and to draw people into those activities, so both they and the public expose more information than either would have previously done. These services have created a different norm of sharing information: things that were once not for sharing, and often not of interest, are now shared, the blandest of things are made interesting, and personal habits and information that were once secret are exposed. And it's not just about individuals in their own right, but also about individuals as employees, and how they interact with their employers and colleagues. The weekly, monthly, yearly push by these services to get users to share more of themselves and “be themselves” on these services makes it easier to create models for targeting advertising of anything to them.
According to the Q3 Fraud and Abuse Report from Arkose Labs in 2019, more than 53% of logins on social media are fraudulent, and 25% of new account applications are fraud. It also found that one in 10 transactions are attacks, ranging from automated bots to malicious humans. Further, it found that “Developing economies are quickly becoming fraud hubs because they have easy access to sophisticated tools, cheap manual labour and good economic incentives associated with online fraud.” More than 75% of attacks on social media are automated bot attacks, account takeover attacks are more common for social media, and logins are twice as likely to be attacked than account registrations, due to fraudsters looking to harvest rich personal data from the accounts of legitimate users.
According to the Verizon Data Breach Investigation Report (DBIR):
- 66% of malware is installed via malicious email attachments;
- 90% of incidents and breaches included a phishing element;
- 21% of ransomware involved social actions, such as phishing;
- 43% of all breaches included social tactics;
- 93% of social attacks were phishing related;
- 28% of phishing attacks are targeted.
Social media sites are attractive channels for all kinds of targeting because they make finding and engaging targets trivial, easy and cost effective, since they are free to access and let attackers do what they want. The other most important thing to remember is that the attackers are not trying to exploit a technical vulnerability, but the individual. This can be through sophisticated misinformation or just carefully crafted social engineering.
Targeting End Users
We’ve all seen news reports of how different players in the political spectrum have profiled social media users to figure out who are the most and least likely to be persuaded, where they stand on certain issues, how much they earn, etc. Criminals were using many of these techniques long before those with political motivations. The difference now is that, since vast sums of money were poured into political manipulation, the newer techniques and methodologies have improved, and criminals can use them for targeting too. The world cannot unlearn what it has learnt, so it will not be long before many of the secrets of profiling and targeting techniques revealed over the last few years are improved in criminal products used to target employees.
We have seen this “Genie getting out of the bottle” effect, where what has been learnt can’t be unlearnt, for example in the creation and use of malware that followed from some of the malware created by nation states.
Since Small Organisations often have the fewest security controls, they are the most obvious targets on social media sites. Although the account pages belong to an Organisation, the pages are updated, reviewed and managed by individuals who are real and may be profiled to identify how easy they are to manipulate over a series of weeks, months or years.
In the same way that ordinary people may not know or refuse to believe that they were manipulated to vote or not vote one way or another, Small Organisations, business owners and employees will not know that they are being manipulated. In voting, once someone has voted, that may be job done for another few years. In work environments, however, clicking on a link that infects the user device with malware could be the end of that Organisation forever.