#pwngoal — Being Social Engineered

XQ Cyber
#pwngoals
3 min read · Mar 26, 2018


Social media is back in the headlines and Facebook in particular is on the receiving end of a good kicking. It’s no secret that cybersecurity professionals have an inherent distrust of social media platforms, as they are often used by criminals to glean valuable information about an individual or organisation.

In this post we take a look at how cybercriminals use social media platforms to launch phishing campaigns, and what not to do.

*

Wendy is a 28-year-old accounts assistant working for a fairly large financial organisation. Her hobbies range from binge watching television to posting every. Single. Detail. Of her life on social media. She doesn’t really understand how these platforms work and so blissfully posts day and night about her latest lifestyle choices. Her social media accounts are wide open for anyone to see; she’s not aware of the privacy options provided. She enjoys nothing more than receiving likes and follows and doesn’t care that random people are basically watching her every move.

Unfortunately for Wendy she’s caught the eye of a hacker who has been looking for a way to target Wendy’s employer for a few weeks. Using reconnaissance techniques, he’s already been able to discover who the company’s CEO is, who the head of finance is and other leading figures. All he needs now is someone a bit lower down the organisational chain and this is where Wendy comes in.

As her social media accounts are wide open, the hacker can guess certain things about her. Sure enough, the dog’s name, visible in dozens of pictures, is likely to be a password she uses. He knows who her friends are and can see that she is close to the head of finance. He knows what interests her, what companies she buys from and even where she eats. (So many food posts, ugh!)

With all of this information to hand, the hacker creates an email claiming to be from her favourite shop. All he has to do is ensure that the email is branded to look the same as a legitimate one. He easily finds the company logo via an image search, and by signing up to the company newsletter he now knows how the email appears to subscribers.

With the email created he then emails Wendy (whose email address is visible on her social media profiles for all the world to see). When the email arrives with a headline advertising a massive sale, Wendy excitedly clicks on it. She doesn’t realise that the sender address isn’t quite the same as in a legitimate email. Now the hacker knows that Wendy can easily be tricked via a phishing email. The next step of his plan is to impersonate one of her work colleagues, in this case her CEO. It’s not hard for him to guess the CEO’s email address, seeing as most organisations use the employee’s name followed by the company’s domain, e.g. bob.green@business.com

In her position in the accounts department she regularly receives messages from colleagues requesting the transfer of funds to different areas of the business. The hacker knows this and sends a message as the CEO requesting the transfer of funds to a ‘client’s’ bank account. The wording makes out that the transfer is urgent, and Wendy is already under a bit of pressure due to her heavy workload. Not wanting to anger the boss, she carries out the transaction. With that job done she then continues on with her other work.
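The two tells in the story above, a sender address that is "not quite the same" as the real one and a message in an executive's name asking for an urgent transfer, are exactly what a mail gateway or help-desk triage script can check for. The following is an added example, not code from the original post or from XQ Cyber. It assumes a single internal domain, business.com (taken from the post's bob.green@business.com example), a constructed executive directory, and a handful of constructed sample messages that mirror the story; the flag names and scoring rule are my own.

```python
"""Triage inbound mail for executive impersonation and look-alike sender domains.

Added example, not part of the original post. Assumes one internal domain
(business.com, from the post's example address) and a constructed directory of
executive display names. Sample messages below are constructed.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "business.com"  # assumed from the post's bob.green@business.com

# Constructed executive directory: the display names a fraudster is likely to borrow.
EXECUTIVES = {
    "bob green": "bob.green@business.com",  # the CEO in the post's example
}

# Wording that, combined with a suspicious sender, matches the CEO-fraud pattern.
URGENT_WORDS = ("urgent", "urgently", "asap", "immediately", "right away")
PAYMENT_WORDS = ("transfer", "payment", "wire", "bank account", "invoice")


def normalise_name(name):
    """Lower-case, strip punctuation and collapse whitespace: 'Bob  Green.' -> 'bob green'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def levenshtein(a, b):
    """Plain edit distance; a distance of 1 or 2 between domains signals a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, internal=INTERNAL_DOMAIN):
    """True for domains that are nearly, but not exactly, the internal one."""
    if domain == internal:
        return False
    base = internal.split(".")[0]  # 'business'
    return levenshtein(domain, internal) <= 2 or base in domain


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_flags(from_header, reply_to=None):
    """Return the list of sender-side warning signs found in the headers."""
    display, address = parseaddr(from_header)
    domain = _domain_of(address)
    flags = []
    # An executive's name on a message that did not come from the company domain.
    if normalise_name(display) in EXECUTIVES and domain != INTERNAL_DOMAIN:
        flags.append("executive-name-external-sender")
    # A domain one or two keystrokes away from ours, or containing our name.
    if is_lookalike(domain):
        flags.append("lookalike-domain")
    # Replies silently routed to a different domain than the one shown in From.
    if reply_to:
        rt_domain = _domain_of(parseaddr(reply_to)[1])
        if rt_domain and rt_domain != domain:
            flags.append("reply-to-mismatch")
    return flags


def urgent_payment_language(text):
    """True when the text pairs urgency wording with a money-movement request."""
    t = text.lower()
    return any(w in t for w in URGENT_WORDS) and any(w in t for w in PAYMENT_WORDS)


def triage(message):
    """Score one message; hold it for human review when both signals coincide."""
    flags = sender_flags(message["from"], message.get("reply_to"))
    urgent = urgent_payment_language(message.get("subject", "") + " " + message.get("body", ""))
    return {
        "id": message["id"],
        "flags": flags,
        "urgent_payment": urgent,
        "hold_for_review": bool(flags) and urgent,
    }


# Constructed sample messages mirroring the post's story.
SAMPLES = [
    {"id": 1, "from": '"Bob Green" <bob.green@business.com>',
     "subject": "Q2 figures", "body": "Can you send me the draft when ready?"},
    {"id": 2, "from": '"Bob Green" <bob.green.ceo@gmail.com>',
     "subject": "Urgent", "body": "Need a transfer to a client's bank account today, will explain later."},
    {"id": 3, "from": '"Bob Green" <bob.green@busines.com>', "reply_to": "bob.green@busines.com",
     "subject": "Payment", "body": "Please wire the invoice amount immediately."},
    {"id": 4, "from": '"Shop Deals" <deals@shop-example.com>', "reply_to": "track@other-example.net",
     "subject": "Massive sale!", "body": "Everything 50% off this weekend."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(triage(m))
```

Message 1 passes clean, message 2 is held because an executive's name arrives from a webmail domain alongside an urgent transfer request, message 3 is held on the same grounds plus the one-character-off domain, and message 4 (the shop mailing with a mismatched Reply-To) is flagged but not held, since it asks for no money. Holding only on the combination keeps the false-positive rate tolerable for an accounts team; a real deployment would also check SPF/DKIM alignment and route held messages to a reviewer rather than silently dropping them.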

A hacker knows that employees under pressure are likely to carry out his fake requests. No one wants to upset their employer or be accused of not doing their job properly. And so, a few days go by and Wendy is called into her boss’s office. In his hand is a bank statement. He demands to know why several thousand pounds has been transferred to an unknown account. It’s only then that the realisation sinks in that Wendy was scammed. By the time the organisation realised the money had been sent, the hacker had already moved it on to other dummy bank accounts or withdrawn it, making it virtually impossible to track.

The above is just one example of how unsecured social media can be used to scam and steal from individuals and organisations. Scammers have been known to steal profile pictures, and even entire identities, from social media sites and use them in fraudulent activities.


Our mission is to help organisations defend themselves against cyber attacks.