People are posting too much sensitive information on their social media accounts, according to a report by Tessian. Titled How to Hack a Human, the report contains the results of a survey of 4,000 UK and US professionals and interviews with the HackerOne community. It reveals that people share both work information and personal data on social media. The resulting data makes it easier for cybercriminals to target attacks against individuals.
According to Tim Sadler, CEO and Co-Founder, Tessian: “The rise of publicly available information makes a hacker’s job so much easier. While all these pieces of information may seem harmless in isolation — a birthday post, a job update, a like — hackers will stitch them together to create a complete picture of their targets and make scams as believable as possible. Remember, hackers have nothing but time on their hands. We need to make securing data feel as normal as giving up data. We also need to help people understand how their information can be used against them, in phishing attacks, if we’re going to stop hackers hacking humans.”
What information are people giving away?
Anything they can. The survey shows that 90% of people post information relating to their personal and professional lives online. The type of information posted includes details of new jobs (93%), travel photos of business trips (32%), birthday celebrations (72%) and other data on friends, family and colleagues. Much of that information is posted to public accounts, making it easy for cybercriminals to acquire and collate.
That collation of data is critical to effective spear-phishing campaigns and to widening the pool of data that can be gathered on a person. Tagging work colleagues and friends in photos means they become part of the data gathered. It also makes them targets, and the information they post can be used to target other people.
But not everyone is posting everything they can, and sharing varies by age group. For example, only 7% of those aged 18-24 said they didn’t share personal or business information online. That compares to 16% for those 35-54 and 26% for those 55+.
How would a criminal use this information?
It’s easy. Once a target has been identified, a mix of public sources, including social media, provides a lot of data on an individual. Let’s start with a social media profile. Information that can quickly be gathered includes age, location, marital status, spouse/partner and children (if any), and the names of friends and work colleagues. That data can then be compared with public sources to see if they own their house, what they paid for it, where their children go to school and how they spend their free time and holidays.
It is easy to craft a set of phishing emails around holidays with activities that appeal to the individual. Alternatively, the scammer could pretend to be a parent from the school or someone moving into the area and looking for information on a sports club. Once the conversation has started, photos can be sent, containing malicious code. They are less suspicious because there is an ongoing conversation.
A similar approach can be taken from a work perspective. Establish the job role, responsibilities and likely salary. Approach with a potential job offer or send a fake email from a work colleague who has been identified in a photograph on a social media page. Quickly build a rapport and then use attachments with malware to gain access to user credentials.
Given that 77% admitted to reusing passwords, any credential gathering is an invitation to dig further. Once one individual is compromised, cybercriminals can use those credentials to compromise other people in the company. One way this happens is thread hijacking, where the attacker inserts themselves into an email chain and so appears to be legitimate.
Out of office emails can be a serious risk
The report looks at one common vector: Out Of Office (OOO) emails. People regularly set these so that contacts will not think their emails are being ignored. However, as the report shows, there is often a lot of unintended but useful information in those emails:
- Why you are away
- Where you are
- When you will be back
- Who to contact in your absence
- Your mobile number
An attacker who knows you are away will exploit that period to build a relationship with your contacts. That information allows an attacker to impersonate you, whether to other people in the company or to your business contacts. Either way, it increases the chance that a Business Email Compromise (BEC) attack will be successful. The report even gives an example of such an attack being used to get a wire transfer initiated.
So what can you do?
There are many ways to improve security, from social media to email. Although they may not be the most accessible, most organisations already have guides for employees.
For social media, restrict who can see the content. Limit it to friends or even close friends. Do not make everything public. That is easier with some social media than others, but it is important. Also, remove or restrict the information that doesn’t need to be accessible – telephone number, date of birth, family members, town, school and university data. These all provide useful sets of data for attackers. Be wary of old school friends or colleagues you cannot remember who suddenly “get in touch”.
For email, check email addresses carefully. Look for mistakes or email addresses that are unfamiliar. Hover over links in an email to see if they make sense. Pay attention to a URL that doesn’t seem right. If the link is obfuscated, don’t click it. Don’t open attachments unless you are certain they come from a trusted source. It is better to save them and scan them with security software first than to open them directly. The tone, language and grammar of an email are often a giveaway. Rarely used words, or words that you wouldn’t expect that sender to use, are all red flags.
Old-school attacks, such as unexpected phone calls, especially those that ask for personal details, are still effective. When you call your bank, they will want to take you through security. But what about when your bank calls you? How do you know it is your bank? It could be a scammer pretending to be your bank and looking to harvest additional security information. Always ask for their name, hang up, use a different phone (lines can be kept open) and call your bank back. This is just as important for business finance, especially when you get a call about a change of bank details.
Enterprise Times: What does this mean?
Humans are social animals, and in a security sense, that makes them easy prey. Often the cybercriminal doesn’t need to try to get information from people; they volunteer it without thinking. Social media might allow people to widen their “friend” circle and make them feel more connected, but it is just as much a risk as a reward.
Basic hygiene on social media and email will keep a lot of information out of cybercriminals’ hands or, at least, make it harder for them to obtain. Don’t be the person who posted too much information and became the cause of the breach.