Your Social Posts: Hackers Love Them

Social media is embedded in our lives—Facebook alone had 1.79 billion daily users as of September 2016—which means cyber criminals are not far behind.

As companies increasingly rely on this digital channel for marketing, recruiting, customer service and other business functions, social media also has become a highly effective vehicle for cyber attacks. Outside of the corporate network perimeter and an organization’s control, it throws traditional security approaches out the window.

A growing category of digital risk monitoring vendors, identified by Forrester Research Inc. in a recent quarterly Wave report, are catering to this problem. According to the report, digital channels—social, mobile, web and dark web—“are now ground zero for cyber, brand and even physical attacks.”

The ways in which cyber criminals weaponize these channels are limited only by their imagination. Hackers can create fake corporate accounts for harvesting customer credentials, impersonate company executives, damage the brand’s reputation and post legitimate-looking links that contain malware.

According to Cisco’s 2016 annual security report, Facebook, for example, was the top mechanism last year for delivering malware, through social engineering, in order to gain access to organizational networks.

“(Social media) is a business technology platform, and because it’s been adopted at all levels of business … organizations have to figure out how to protect it,” says Evan Blair, co-founder and chief business officer at ZeroFOX, a digital-risk monitoring (DRM) vendor launched in 2013.

“And it’s a gold mine for intelligence on individuals,” he adds.

Social media—the ideal weapon

The sheer volume of traffic on social networks is a magnet not only for businesses but also for the criminal element.

According to the Pew Research Center, 79% of internet users are on Facebook, the most popular social network. About a third of internet users are on Instagram, and a quarter are on Twitter.

Better click-through rates and lower advertising costs, among other things, are compelling companies to throw more money at social media advertising (Hootsuite estimates social media budgets have nearly doubled, from $16 billion in 2014 to $31 billion in 2016).

But it’s not just the growing numbers of users and increased brand presence that creates an attractive playground for bad actors. It’s easy to create accounts and instantly attract followers—which means it’s easier than email for reaching a massive number of people with a phishing attack.

Adding to the problem is that social media can be highly automated because it was built on an open API (application programming interface) that allows developers access to proprietary applications. “It’s a frictionless environment that allows you to communicate immediately,” says Devin Redmond, general manager and vice president of digital risk and compliance solutions for Proofpoint, another DRM vendor.

Blair says: “Social media was built with automation in mind. You can create an account that interacts completely autonomously.”

Even though email remains the medium of choice, according to various security companies, email phishing is on the decline. Social media phishing, on the other hand, is growing.

Why organizations are at risk

Eric Olson, vice president of intelligence operations at LookingGlass, says what makes digital risk a high priority is that it’s a business risk that touches multiple facets of an organization. It’s not just about cybersecurity—it also involves compliance, human resources and legal, among others.

He says it’s important for security practitioners to focus on the how — e.g. phishing — rather than the channel it came from.

“You have to be able to keep eyes in all the dark corners,” Olson says.

A new technique Proofpoint identified in 2016 is angler phishing. Bad actors create a fake social media account on, say, Twitter, using stolen branding. They watch for customer service requests addressed to the legitimate account for a bank or a service like PayPal. They then tweet a reply with a link to a lookalike fake website where the customer is asked to enter login credentials.
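The angler-phishing pattern above has a simple defensive signature: a reply to a customer’s public support request should come only from the brand’s official accounts and link only to the brand’s own domains, and anything that merely resembles them is the lure. The script below is an added example written for this article, not code from the article or from any vendor named in it. The brand, its handles and domains, the sample replies and the small homoglyph table are all constructed assumptions; it scores each reply by how closely the sender handle and any linked domain imitate the allowlisted ones.

```python
"""Triage of public social-media replies for angler-phishing indicators.

Added example for this article; not code from the article or from any vendor
named in it.  Every handle, domain and reply below is constructed.
"""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist for a fictional brand.
OFFICIAL_HANDLES = {"examplebank", "examplebankhelp"}
OFFICIAL_DOMAINS = {"examplebank.com", "support.examplebank.com"}

# Character substitutions commonly used to build lookalike names.  This table
# is an illustrative assumption, not a complete homoglyph list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "|": "l", "_": "", "-": "", ".": ""})

URL_RE = re.compile(r"https?://[^\s)\]>]+", re.IGNORECASE)
CREDENTIAL_BAIT_RE = re.compile(
    r"\b(sign ?in|log ?in|verify|password|confirm your account)\b", re.IGNORECASE)


def normalize(name: str) -> str:
    """Lower-case and fold lookalike characters so names compare by shape."""
    return name.lower().translate(HOMOGLYPHS)


def similarity(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] between two normalized names."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def handle_is_lookalike(handle: str, threshold: float = 0.8) -> bool:
    """True when a handle is NOT official but closely resembles an official one."""
    h = handle.lstrip("@")
    if h.lower() in OFFICIAL_HANDLES:
        return False
    return any(similarity(h, o) >= threshold for o in OFFICIAL_HANDLES)


def domain_is_official(url: str) -> bool:
    """True when the link's registrable domain is on the brand allowlist."""
    host = urlparse(url).hostname or ""
    return registrable_domain(host) in {registrable_domain(d) for d in OFFICIAL_DOMAINS}


def domain_is_lookalike(url: str, threshold: float = 0.8) -> bool:
    """True when the link's domain resembles, but is not, an official one."""
    if domain_is_official(url):
        return False
    reg = registrable_domain(urlparse(url).hostname or "")
    official = {registrable_domain(d) for d in OFFICIAL_DOMAINS}
    return any(similarity(reg, o) >= threshold for o in official)


def triage_reply(handle: str, text: str) -> dict:
    """Score one reply; a higher score means more angler-phishing indicators."""
    score, reasons = 0, []
    if handle_is_lookalike(handle):
        score += 2
        reasons.append("handle resembles an official support account")
    for url in URL_RE.findall(text):
        if domain_is_lookalike(url):
            score += 2
            reasons.append(f"link to lookalike domain: {url}")
        elif not domain_is_official(url):
            score += 1
            reasons.append(f"link to non-official domain: {url}")
    if CREDENTIAL_BAIT_RE.search(text) and handle.lstrip("@").lower() not in OFFICIAL_HANDLES:
        score += 1
        reasons.append("asks for sign-in from a non-official account")
    return {"handle": handle, "score": score, "reasons": reasons}


# Constructed sample replies to a customer's public complaint to the brand.
SAMPLE_REPLIES = [
    ("@examplebankhelp",
     "Sorry about that! Please send us a DM or use https://support.examplebank.com/contact"),
    ("@examp1ebank_help",
     "We can fix this right away, sign in here: http://examplebank-login.com/verify"),
    ("@just_a_customer", "Same issue here, been waiting two days."),
]


def triage_all(replies=SAMPLE_REPLIES):
    """Score every sample reply; the genuine and unrelated ones score 0."""
    return [triage_reply(h, t) for h, t in replies]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

The normalization step is what catches the digit-for-letter and punctuation tricks (`examp1ebank_help`, `examplebank-login.com`) that an exact-match allowlist misses; the threshold is a tuning knob, and the registrable-domain check deliberately treats `support.examplebank.com` as official rather than as a lookalike of `examplebank.com`.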

Despite this growing threat, however, many security practitioners are not aligned with social media, Redmond says.

“The pace of adoption of social by enterprises and the pace of the risks that are evolving around that are growing much faster than people are addressing those risks,” he says.

An emerging space

The offerings of the vendors in this space vary. For example, ZeroFOX focuses largely on social media. Proofpoint covers social, mobile, web and email. LookingGlass integrates machine readable/open source feeds, analyst services, threat intelligence tools and appliances.

Whatever approach they take, more security companies are likely to join in because the market is still growing.

But even savvy companies are struggling to secure these channels. The hacking of Microsoft’s Skype for Business Twitter account in 2014 is proof—the Syrian Electronic Army wasted no time tweeting negative messages after taking over the account. They got some 8,000 retweets.

“Social media is the best attack platform for a nation-state actor and sophisticated cyber criminals, not just because it’s the easiest one to leverage for compromise, but it’s also completely anonymous,” Blair says.

Redmond expects mobile to be another rising digital frontier, as more bad actors use fraudulent apps to do things like harvesting credentials.

“If you look at it through the lens of bad actors, they’ve figured out all these are effective vehicles,” he says. They don’t have to break in any more — they just have to pretend they’re someone else.

He adds, “They can do that more rapidly, at a greater scale, with less chance of detection.”

This post was written by Rodika Tollefson and first appeared on ThirdCertainty.

5 Things to Know About ‘Hacktivism’

In July 2015, a hacker who goes by the name Phineas Fisher breached an Italian technology company, Hacking Team, that, ironically, sells spying and hacking software tools.

Fisher exfiltrated more than 400 gigabytes from the company and declared his motive was to stop its “abuses against human rights.”

“That’s the beauty and asymmetry of hacking: With 100 hours of work, one person can undo years of work by a multimillion-dollar company,” Fisher wrote online. “Hacking gives the underdog a chance to fight and win.”

Hacktivism, or the act of hacking into others’ computer networks to promote one’s political or other agenda, has been around as long as the internet. But the technology that’s available is easier and cheaper than ever, lowering the barrier to entry even for those with little experience.

“You don’t have to be an expert to have access and to cause damage to people and their websites,” says Rick Holland, vice president of strategy at Digital Shadows, which has tools that search the internet and the Dark Web for its clients’ compromised information.

Anonymous, perhaps the most notorious hacking group, largely markets itself as hacktivists. But with the emergence of social media as a loud megaphone that also enables anonymity, other lesser-known hacktivists have become increasingly emboldened in heralding their cause and calling for others to join.

Here are five things every company should grasp about hacktivism:

• Hacktivists are true believers. They are individuals who often belong to a hacker network group online that shares their values and ideology. They can act alone or be prompted by a broader hacktivist campaign, such as OpIcarus or Ghost Squad Hackers. Hacktivists are motivated by branding their agenda — Operation X — and distinguish themselves from cyber criminals who merely pursue financial gains.

But “there’s a lot of blurring of the lines between criminals, espionage actors and hacktivists,” Holland says. “It’s oftentimes difficult to tell who it is. You see some of the cybercriminal organizations that might moonlight take contracts.”

• Controversy can make you a target. Controversial individuals, companies and governmental and nongovernmental organizations are often targets. The list of past victims includes autocratic governments, politicians, agrochemical manufacturers, oil companies, pharmaceutical companies, genetically modified food makers, religious groups, social media websites and others. They generally target large organizations.

Small- to medium-size businesses typically are not on their radar unless they operate in controversial industries. A small supplier to GMO manufacturers, for example, could potentially be a target. “Hacktivists can come after you because of that relationship in the supply chain,” Holland says.

• Attacks can be widespread. Data on the frequency of attacks are hard to come by. But one group, Ghost Squad Hackers, plans to target banks, and their activity offers a glimpse of how quickly plans can proliferate. “We’ve seen 70 different organizations that they’ve announced are going to be targets,” Holland says.

• Attacks can take varied forms. Hackers can compromise the target’s computer systems in all the ways that are available to cyber criminals. They can set up a phishing domain that looks like the target’s domain to acquire sensitive information, such as passwords and company data. Using Twitter (or other social media channels), they may coordinate a distributed-denial-of-service attack on a web page to take it down.

“We may find this out, and then we can tell the company, ‘Look we’re seeing a campaign against one of your executives,’” Holland says. “We give them an idea of a risk to their staff that they didn’t know about.”

• The best defense: Use security best practices, keep a low profile. All the usual cybersecurity steps should be established, such as virtual private networks, multifactor authentication, firewalls and tools to guard against DDoS attacks. Companies should undergo a “threat modeling exercise” to determine how they’d respond in the event of an attack, Holland says. Knowing who to call for help is important.

Organizations that can afford cloud-based services should consider them, as a company can move its traffic up to the cloud if it’s attacked. “If you’re a big bank, you can afford those kinds of services. But if you’re a smaller-tier company, (you should ask) ‘Do I need to spend that kind of money?’ That’s a difficult question,” Holland says.

According to Holland, executives should be trained by the PR staff or consultants to be more careful when speaking publicly and not say things that could incite hacktivists. Suppliers also should be alerted about the possible dangers.

“A lot of hacktivists are typically younger, idealistic people who are getting attached to these causes. So there’s no shortage of that,” he says. “This will never end.”

This post first appeared on ThirdCertainty. It was written by Roger Yu.