TAP into Technology | Garland Technology Blog

When Did Phishing Become a Social Problem?

Written by Chris Bihary | 6/6/17 12:00 PM

In the world of technology, social media is becoming king. Just think about this for a minute: 15 years ago, there was no Twitter, Facebook, Instagram or Snapchat.

Now, it seems every American is on one or all of these platforms. Social media has become such a part of the fabric of our culture that there isn’t a time when you don’t see someone walking with their head down, looking at their phone.

Learn how social engineering is the new gold mine.

Numbers are Staggering

Millions of people log into their social media accounts every day. In fact, 1.3 billion users log onto their favorite social networking sites each month. They share their favorite photos and check up on friends on a daily basis.

On someone’s social network profile, you can find their name, date of birth, location, workplace, interests, hobbies, skills, relationship status, telephone number, email address and favorite foods. All of this information can be used against you by social engineers.

In spear phishing, social engineering is the use of known social behaviors and patterns to make targets more likely to take a suggested course of action, like clicking on a link. Attackers can send crafted spear phishing emails to your inbox, or they can try to imitate you to trick your contacts.

Why Should This Concern You?

Social Media Usage by the Numbers

  • 66% of adult Facebook users do not know how to use its privacy controls.
  • 71% of consumers state their purchasing decisions are influenced by social media posts.
  • 26% of social media users have made in-app purchases using payment cards.
  • 780% increase in reported social-media related crime in a four year timespan.
  • One major social network has more fake profiles than the population of Egypt.
  • Social activities account for 91% of all mobile Internet activity.

In January 2010, social media lures, in which an attacker uses a friend request as the hook for a phishing campaign, were used in 8.3% of all phishing attacks. By December of that year, they were used in 84.5% of attacks - a staggering increase of 918%.

Targeting Social Accounts

In years past, it was companies that were being targeted the most by attackers. But now with social media being so prevalent, attackers are finding it easier to go after the user.

A recent article by Blueprint IT Security hits on that notion. They talk about how Facebook, Twitter and LinkedIn are “goldmines” for phishing. So much so that LinkedIn has fueled an entire industry of bogus connection requests. Their usefulness isn't in launching a phishing attack but in researching one: spotting high-value management targets after being accepted into the network of contacts that might legitimately know them.

Blueprint goes on to say their first defense is to research Open Source Intelligence (OSINT) in order to see a company’s information footprint from the attacker’s point of view.

Targeting Has Become More Personal

Targeting, or “spearing” as it is now being called, is often the first stage of a wider attack, one designed not simply to steal credentials but to find a way into the deeper parts of the target organization, or user, for a variety of reasons - including data theft and extortion.

Attackers now are doing their homework more and more on their potential targets. As Blueprint states in their recent article, attackers are becoming more aware of the people they are going after.

Reconnaissance - Normally, a targeted attack is focused on a specific person within an organization, a choice that is itself a calculated guess based on what can be gleaned about the company from OSINT. OSINT is a fancy term for information gathered from public sources, which companies find almost impossible to control.

Stealth - Whatever channel attackers choose, the goal is not to draw attention to themselves. An email or contact request must not stand out as unusual, or it could trigger interactions that reveal it for what it really is. If that happens, it is no better than an opportunistic phishing attack.

Subterfuge - The close ally of stealth is technical subterfuge. In organizations that do not use email authentication, this usually means spoofed email addresses that appear to come from an internal address.
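The spoofed-internal-address trick described above is exactly what email authentication results are meant to expose. The following is an added example, not code from the original post or from Blueprint IT Security: it reads the Authentication-Results header a receiving mail server stamps on a message and flags mail whose visible From claims the internal domain without a passing SPF/DKIM or DMARC verdict. The internal domain "example.com", the hostnames, and all sample messages are constructed for illustration.

```python
"""Flag inbound mail that claims an internal sender but is not vouched for
by the receiving server's SPF/DKIM/DMARC checks (Authentication-Results)."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own domain

# Matches "method=result" pairs such as "spf=fail" or "dmarc=pass".
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed samples. A spoof: From claims the internal domain, but the
# server recorded SPF and DMARC failures.
SPOOFED = (
    "Authentication-Results: mx.example.com; spf=fail "
    "smtp.mailfrom=mail.attacker.invalid; dkim=none; "
    "dmarc=fail header.from=example.com\n"
    "From: CEO <ceo@example.com>\nSubject: Urgent wire\n\nPlease act now.\n"
)
# Genuine internal mail: DMARC passed.
LEGIT = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; "
    "dmarc=pass header.from=example.com\n"
    "From: CEO <ceo@example.com>\nSubject: Hello\n\nSee you Monday.\n"
)
# The failure mode the text describes: no email authentication at all,
# so nothing vouches for the internal-looking sender.
NO_AUTH = "From: CEO <ceo@example.com>\nSubject: Invoice\n\nPay this.\n"


def parse_auth_results(raw_message: str) -> dict:
    """Return the spf/dkim/dmarc verdicts; a missing method maps to 'none'."""
    msg = message_from_string(raw_message)
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in _RESULT_RE.findall(header):
            results[method.lower()] = verdict.lower()
    return results


def from_domain(raw_message: str) -> str:
    """Domain of the visible From address (what the recipient sees)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_spoofed_internal(raw_message: str, internal=INTERNAL_DOMAIN) -> bool:
    """True when From claims the internal domain but neither DMARC nor
    (SPF and DKIM together) passed; external senders are out of scope."""
    if from_domain(raw_message) != internal.lower():
        return False
    r = parse_auth_results(raw_message)
    return r["dmarc"] != "pass" and not (r["spf"] == "pass" and r["dkim"] == "pass")
```

Run over the three samples, only LEGIT passes; NO_AUTH is flagged because an absent verdict is treated as no evidence, which is the situation in organizations without email authentication.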

Software and Awareness is Key

As Blueprint states in their article, attackers will couple top domains with impersonated cloud services or portals used by the target organizations or users.

Software - This explains the value of carrying out reconnaissance on the software and services used by a target organization. Again, users rarely check these closely.

Awareness - The attack surface can be reduced in a variety of ways, but ideally this should be done alongside changing the outlook of employees. A popular solution is to engage some form of anti-phishing awareness training.

The idea behind awareness training is to baseline the degree to which employees can be snared by test phishing scenarios, then compare their behavior when running the same tests weeks or months later. The best approach seems to be to start with a longer training session, followed by short tests every month for a year.