Tag Archives: LookingGlass

Your Social Posts: Hackers Love Them

Social media is embedded in our lives—Facebook alone had 1.79 billion daily users as of September 2016—which means cyber criminals are not far behind.

As companies increasingly rely on this digital channel for marketing, recruiting, customer service and other business functions, social media also has become a highly effective vehicle for cyber attacks. Outside of the corporate network perimeter and an organization’s control, it throws traditional security approaches out the window.

A growing category of digital risk monitoring vendors, identified by Forrester Research Inc. in a recent quarterly Wave report, are catering to this problem. According to the report, digital channels—social, mobile, web and dark web—“are now ground zero for cyber, brand and even physical attacks.”

The ways in which cyber criminals weaponize these channels are limited only by their imagination. Hackers can create fake corporate accounts for harvesting customer credentials, impersonate company executives, damage the brand’s reputation and post legitimate-looking links that contain malware.

See also: Hacking the Human: Social Engineering  

According to Cisco’s 2016 annual security report, Facebook, for example, was the top mechanism last year for delivering malware, through social engineering, in order to gain access to organizational networks.

“(Social media) is a business technology platform, and because it’s been adopted at all levels of business … organizations have to figure out how to protect it,” says Evan Blair, co-founder and chief business officer at ZeroFOX, a digital-risk monitoring (DRM) vendor launched in 2013.

“And it’s a gold mine for intelligence on individuals,” he adds.

Social media—the ideal weapon

The sheer volume of traffic on social networks is a magnet not only for businesses but also for the criminal element.

According to the Pew Research Center, 79% of internet users are on Facebook, the most popular social network. About a third of internet users are on Instagram, and a quarter are on Twitter.

Better click-through rates and lower advertising costs, among other things, are compelling companies to throw more money at social media advertising (Hootsuite estimates social media budgets have nearly doubled, from $16 billion in 2014 to $31 billion in 2016).

But it’s not just the growing numbers of users and increased brand presence that creates an attractive playground for bad actors. It’s easy to create accounts and instantly attract followers—which means it’s easier than email for reaching a massive number of people with a phishing attack.

Adding to the problem is that social media can be highly automated because it was built on an open API (application programming interface) that allows developers access to proprietary applications.“It’s a frictionless environment that allows you to communicate immediately,” says Devin Redmond, general manager and vice president of digital risk and compliance solutions for Proofpoint, another DRM vendor.

Blair says: “Social media was built with automation in mind. You can create an account that interacts completely autonomously.”

Even though email remains the medium of choice, according to various security companies, email phishing is on the decline. Social media phishing, on the other hand, is growing.

Why organizations are at risk

Eric Olson, vice president of intelligence operations at LookingGlass, says what makes digital risk a high priority is that it’s a business risk that touches multiple facets of an organization. It not just about cybersecurity—it also involves compliance, human resources and legal, among others.

He says it’s important for security practitioners to focus on the how — e.g. phishing — rather than the channel it came from.

“You have to be able to keep eyes in all the dark corners,” Olson says.

A new technique Proofpoint identified in 2016 is angler phishing. Bad actors create a fake social media account on, say, Twitter, using stolen branding. They watch for customer service requests addressed to the legitimate account for a bank or a service like PayPal. They then tweet a reply with a link to a lookalike fake website where the customer is asked to enter login credentials.

Despite this growing threat, however, many security practitioners are not aligned with social media, Redmond says.

“The pace of adoption of social by enterprises and the pace of the risks that are evolving around that are growing much faster than people are addressing those risks,” he says.

An emerging space

The offerings of the vendors in this space vary. For example, ZeroFOX focuses largely on social media. Proofpoint covers social, mobile, web and email. LookingGlass integrates machine readable/open source feeds, analyst services, threat intelligence tools and appliances.

Whatever approach they take, more security companies are likely to join in because the market is still growing.

But even savvy companies are struggling to secure these channels. The hacking of Microsoft’s Skype for Business Twitter account in 2014 is proof—the Syrian Electronic Army wasted no time tweeting negative messages after taking over the account. They got some 8,000 retweets.

See also: Social Media And The Insurance Implications  

“Social media is the best attack platform for a nation-state actor and sophisticated cyber criminals, not just because it’s the easiest one to leverage for compromise, but it’s also completely anonymous,” Blair says.

Redmond expects mobile to be another rising digital frontier, as more bad actors use fraudulent apps to do things like harvesting credentials.

“If you look at it through the lens of bad actors, they’ve figured out all these are effective vehicles,” he says. They don’t have to break in any more — they just have to pretend they’re someone else.

He adds, “They can do that more rapidly, at a greater scale, with less chance of detection.”

This post was written by Rodika Tollefson and first appeared on ThirdCertainty.

Third Parties Pose Problems With Cyber

In today’s cyber world, business is done digitally. Trusted cyber relationships between partners must be formed to effectively conduct business and stay at the forefront of innovation and customer service. Having these trusted partnerships comes with a major drawback, however.

Look at it from this perspective: If your organization is the target of a malicious actor, yet they find your defenses too difficult to penetrate, the attacker can use a partner company to find a way in. Depending on the difficulty, the attackers could target multiple third parties in an attempt to gain access to your network.

The important factor to keep in mind here is that just because your organization may have top-notch security practices in place, it does not mean your partners do, and they can be targeted for their valuable insider access to your systems.

Related story: Third-party vendors are the weak links in cybersecurity

Third-party companies, no matter how trivial they may seem to your everyday operations, need to be thoroughly vetted. If they are given secure insider access as part of doing business with your organization, their systems must be reviewed and assessed for security vulnerabilities. The adage, “you’re only as strong as your weakest link,” could not be more true when it comes to third-party vulnerabilities.

Coming to grips with risk

Partners may think of themselves as unlikely targets, but even your HVAC vendor could be creating a gaping hole in your security network that malicious actors may use to gain access to your sensitive information.

For example, financial enterprises have extremely large networks of third-party vendors and partners, from payment processors and auditors to Internet providers and other financial institutions. Being able to map your third parties’ public Internet space and network presence allows you to identify indicators of compromise and risk that paint an accurate depiction of your partners’ potential attack surface.

When we think of potential targets for hacking, we naturally think of big companies or government agencies-organizations that have large volumes of critical and sensitive data. But because these organizations typically have the funds and resources to implement sophisticated security, they are usually not the weak link when it comes to an attack.

Because these organizations cannot be easily accessed, malicious actors adjust their attack strategies to use alternate paths to their desired goal-less secured partners with privileged access. Once a vulnerable company is compromised, its trusted access into other partners allows malicious actors to bypass security controls with exploits that didn’t work previously. Adversaries now are free to roam the connected partner networks, essentially undetected.

Dealing with the problem

The moral here is that insider threats don’t necessarily have to come from within an organization. Trusted third parties, once compromised, create significant security risks to sensitive data. Organizations must look beyond their own defensive perimeters and consider monitoring their partners to better understand their complete attack surface-especially large and complex organizations in which new services are frequently delivered on outward-facing infrastructures.

Understanding the complete attack surface not only provides the intelligence to prevent abuse, but it provides insight into how an attacker may view a path of attack. Additionally, gaining insight into third-party partners, vendors and suppliers is crucial in creating an informed and dynamic risk management program.

Most organizations are busy enough dealing with their own IT infrastructure, so double-checking the risks associated with their partners may not be at the top of their priority list. However, in today’s cyber threat landscape, if you don’t take into account the security posture of your partners, you will never be able to truly mitigate your risk and are leaving gaps in your defenses for anyone to access your critical information.

This article was written by Jason Lewis. Lewis is the chief collection and intelligence officer at LookingGlass. Lewis is a network analyst who has technology initiatives in the private and public sectors.