Social media attacks a growing concern for enterprises

It's important for online users to understand social media risks and the caution they should use when sharing personal information online.

Hackers and cybercriminals are increasingly turning their attention to social media attacks because users' bad habits have made these attacks the path of least resistance to mine personal data and fool unassuming victims.

While social media risks have typically been an issue for consumers, experts said the risks have extended to enterprise users, as attackers look to collect sensitive, personal information online and also execute phishing attacks. For example, many cybercriminals can easily trick individuals on social media sites, such as Facebook and Twitter, into clicking on malicious links, according to Gary Bahadur, CEO of Miami-based security consulting firm KRAA Security LLC and the author of Securing the Clicks: Network Security in the Age of Social Media. "When a hacker deploys a social engineering attack [on social media], they take advantage of people's trust," Bahadur said.

Samir Kapuria, vice president and general manager of Cyber Security Services at Symantec, said cybercriminals are becoming much more adept at using social media services and sites to their advantage. Specifically, he said Symantec has seen a rise in the number of social media attacks that scam users into clicking on malicious links.

"They're automating the ruse more through social media, so the victims are being brought right to the doorstep of the bad guys," Kapuria said. "They're using the power of social networking, along with the surge of mobile devices, and they're getting more efficient and effective with how they conduct their business."

Such scams are often presented in the form of fake celebrity death reports and sex tapes, unbelievable world news, must-see videos, and free offers for smartphones, plane tickets, or gift cards. These spread rapidly on social media because people are more likely to click on a link if it was posted by a friend or has many shares. This is known as social proofing, and it describes how individuals attribute more trust and value to something because it's been clicked on or approved by other users.

Furthermore, criminals use a methodology called likejacking, which presents users with intriguing news, videos and photographs. The hackers encrypted the Facebook Like button with malicious code that is used for an assortment of criminal activity. For example, some malicious posts bring the users to unsafe sites that request the victim to fill out a bogus survey or sign up for fake special offers and services.

But potentially greater social media risks for enterprise users involve the reckless posting of personal information online, which can be exploited by hackers.  "People, especially the younger generations, are not trained to protect or limit the information they share online," Bahadur said. "Once they hit the corporate world, their online presence could be a disaster, and they won't understand the concept of privacy and sensitive data."

According to experts, exploiting social networks is easier for hackers because it is the path of least resistance; enterprise networks are becoming more sophisticated and conscious of cybersecurity, but uneducated users are more likely to fall victim to social media attacks because they don't know the value of their personal information or how much data they're actually exposing on the Web. A recent study by the American Press Institute found that 34% of millennials are not worried about their information online, while 46% of millennials are only worried a little bit.

Bahadur said employees need to take appropriate precautions to protect their identity because it can also affect their work environment. For example, when users fail to configure completely different usernames and passwords for social media sites, also known as password fatigue, it can put their email accounts, bank accounts and especially enterprise accounts at risk. "From an enterprise perspective, the cost to educate their employees on basic security is minimal," Bahadur said. "It's surprising how many people still need to be told to not click on malicious links on their email or give their personal information over the phone."

Social media attacks, however small or innocuous, have become a lucrative business. The cybercriminals who drive traffic to malicious sites receive a payout from an affiliate program. For example, Symantec's 2015 Internet Security Threat Report found that illegitimate adult dating services and webcam sites pay "affiliates up to $6 for every user who signs up for an account and up to $60 if a user signs up for a premium service, which typically involves paying for a subscription using a credit card." Although $6 for each sign-up isn't much, the amount of traffic passing through the site is enough to produce a "handsome profit."

Christopher Budd, global threat communications manager at Trend Micro Inc., based in Irving, Texas, said users need to be aware of social media risks and recognize that overexposing themselves online can make them -- and their employers -- an easier target for hackers. "If there is gold over here, heavily protected, and silver over there, not protected," he said, "then the hackers will go after the silver, not the gold."

Join the conversation

Does your organization address social media risks in its security awareness training for employees?
Absolutely! We are in the process of updating our awareness module on 'social insecurity' to reflect current threats, including phishing (of course) plus social media and apps more generally. With the festive season approaching fast, employees who let their guards drop become more vulnerable than usual, hence it's an ideal time for an awareness update.
Yes, they have mentioned things such as listing the technologies, such as databases, that you're familiar with on your online resume or LinkedIn profile, as it could give helpful information to a potential hacker. I don't see how that could really be avoided, though. Even HR lists specific technologies in their job descriptions. 
We tell them the company policy but it seems it never gets enforced. We have been bitten a few times and that seems to be the only times action is taken. Too late.
Sort of. Since I'm a one-person company, I'm acutely aware of keeping all our systems safe. Further, as a social media trainer for the largest news organizations and publications in the world, I fully embrace dual authentication, hashed passwords and frequent evaluation of activity across all our accounts. This is something akin to log management and it's vital for any business.
This is a definite concern and should be a strategy of all organizations - especially large ones.  Obviously we cannot remove social media from the workplace - for several reasons: One being that with the rise of millennials in the workplace, we must accommodate the desire to be "connected" at all times.  And most importantly, we should embrace social media as an add-on enhancement to the organization's outreach to the world.

The goal of the organization has to be to ensure that social media is not used simply to "keep up with friends and connections".  But more as a tactic to grow the business outreach.  With that said, the perception exists that emails and websites within the workplace are always looked at with scrutiny and a level of risk, but when folks look at social media, they become dependent on the social media sites to take care of their security.  Therefore, training and awareness has to be constant.  Most organizations are having periodic training, redundant at times, to ensure the employees are aware of the risks - whether in or out of the workplace.

The goal of the organization is to never assume that people are going to understand the risks.  While it may be irritating and redundant to some of the more experienced users of social media, it will become increasingly important to repeatedly require awareness sessions and trainings within the organization.
Sure we do, regularly and often. Unfortunately, getting people to listen is an entirely different thing. Only when personally bitten do they look up. Even then, they seem to have a very short attention span. 
Interesting how many people are so security conscious about how their children use social media, but let their own guard down and fall victim to these attacks.