Hackers and cybercriminals are increasingly turning their attention to social media attacks because users' bad...
habits have made these attacks the path of least resistance to mine personal data and fool unassuming victims.
While social media risks have typically been an issue for consumers, experts said the risks have extended to enterprises users, as attackers look to collect sensitive, personal information online and also execute phishing attacks. For example, many cybercriminals can easily trick individuals on social media sites, such as Facebook and Twitter, into clicking on malicious links, according to Gary Bahadur, CEO of Miami-based security consulting firm KRAA Security LLC and the author of Securing the Clicks: Network Security in the Age of Social Media. "When a hacker deploys a social engineering attack [on social media], they take advantage of people's trust," Bahadur said.
Samir Kapuria, vice president and general manager of Cyber Security Services at Symantec, said cybercriminals are becoming much more adept at using social media services and sites to their advantage. Specifically, he said Symantec has seen a rise in the number of social media attacks that scam users into clicking on malicious links.
"They're automating the ruse more through social media, so the victims are being brought right to the doorstep of the bad guys," Kapuria said. "They're using the power of social networking, along with the surge of mobile devices, and they're getting more efficient and effective with how they conduct their business."
Such scams are often presented in the form of news about fake celebrity death reports and sex tapes, unbelievable world news, must-see videos, and free offers for smartphones, plane tickets, or gift cards. These spread rapidly on social media because people are more likely to click on links posted by a friend or if it has many shares. This is known as social proofing, and it describes how individuals attribute more trust and value into something because it's been clicked on or approved by other users.
Furthermore, criminals use a methodology called likejacking, which presents users with intriguing news, videos and photographs. The hackers encrypted the Facebook Like button with malicious code that is used for an assortment of criminal activity. For example, some malicious posts bring the users to unsafe sites that request the victim to fill out a bogus survey or sign up for fake special offers and services.
But potentially greater social media risks for enterprise users involve the reckless posting of personal information online, which can be exploited by hackers. "People, especially the younger generations, are not trained to protect or limit the information they share online," Bahadur said. "Once they hit the corporate world, their online presence could be a disaster, and they won't understand the concept of privacy and sensitive data."
Gary Bahadurauthor and CEO of KRAA Security
According to experts, exploiting social networks is easier for hackers because it is the path of the least resistance; enterprise networks are becoming more sophisticated and conscious of cybersecurity, but uneducated users are more likely to fall victim to social media attacks because they don't know the value of their personal information or how much data they're actually exposing on the Web. In a recent study by the American Press Institute, 34% of millennials are not worried about their information online, while 46% of millennials are only worried a little bit.
Bahadur said employees need to take appropriate precautions to protect their identity because it can also affect their work environment. For example, when users fail to configure completely different usernames and passwords for social media sites, also known as password fatigue, it can put their email accounts, bank accounts and especially enterprise accounts at risk. "From an enterprise perspective, the cost to educate their employees on basic security is minimal," Bahadur said. "It's surprising how many people still need to be told to not click on malicious links on their email or give their personal information over the phone."
Social media attacks, however small or innocuous, have become a lucrative business. The cybercriminals that drive traffic to malicious sites receive a payout from an affiliate program. For example, Symantec's 2015 Internet Security Threat Report found that illegitimate adult dating services and webcam sites pays "affiliates up to $6 for every user who signs up for an account and up to $60 if a user signs up for a premium service, which typically involves paying for a subscription using a credit card." Although $6 for each sign-up isn't much, the amount of traffic passing through the site is enough to produce a "handsome profit."
Christopher Budd, global threat communications manager at Trend Micro Inc., based in Irving, Texas, said users need to be aware of social media risks and recognize that overexposing themselves online can make them -- and their employers -- an easier target for hackers. "If there is gold over here, heavily protected, and silver over there, not protected," he said, "then the hackers will go after the silver, not the gold."