Most large organizations today have a sizable presence on social media, including Twitter, Facebook and LinkedIn, among others. While social networks can enhance customer engagement and strengthen the company's brand in the marketplace, opportunistic attackers looking to embarrass an enterprise, tarnish its brand or make a statement to the world have no better avenue than compromising corporate social media accounts. This has been evidenced in a number of recent attacks, namely on the Twitter accounts of Microsoft, CNN, The Washington Post and others.
In this tip, let's review the most common ways in which attackers compromise social media accounts, and the steps that enterprises should take to ensure they don't fall prey.
Secure social media management
RT @bbcweather: Saudi weather station down due to head on-collision with camel— Jay Yarow (@jyarow) March 21, 2013
This tweet was just one of several bizarre posts that appeared on the weather Twitter feed of the U.K.'s BBC after the account was hijacked by pro-Assad online activists the Syrian Electronic Army (SEA). Like other similar attacks, post-incident analysis revealed that phishing emails had been sent to several of the victims' employees prior to the attack. For example, soon after an attack on The Associated Press' Twitter account, an AP reporter tweeted:
The @AP hack came less than an hour after some of us received an impressively disguised phishing email.— Mike Baker (@ByMikeBaker) April 23, 2013
Using social engineering in phishing emails means an attacker doesn't have to circumvent network perimeter defenses, rather they only craft a credible and persuasive email that tricks the employee who manages the enterprise's social media accounts into clicking a malicious link or providing the password to the accounts.
Companies that want to maintain trust in their brand must put forth the extra effort required to stop them from falling prey to brand hacks and social attacks.
Enterprises and organizations with a large social media following must ensure that those employees responsible for social media accounts receive security awareness training that covers how to recognize and deal with social engineering-based attacks prior to being given access credentials to corporate social media accounts.
This training should explain how social engineers operate and the tactics employees should be on the lookout for. With the proper training, these encounters should become second nature; the employee should know to trash offers that look too good to be true or links requiring login credentials -- even if they appear to come from an internal address or partner organization. Simple safeguards such as checking that the sender actually sent an email with an attachment are invaluable. Be sure to keep employees informed of the latest techniques being used in brand hacking attacks such as phishing emails based on breaking news stories, both true and fictitious. Enterprises must also put procedures in place for employees to report unusual emails so that network surveillance can be stepped up and other employees forewarned.
Emerging attacks and security controls
It's important to note that it's not just social media account credentials that need safeguarding. A number of attackers have successfully compromised social media accounts by subverting domain name system (DNS) data. By capturing the login credentials of people authorized to modify DNS records, attackers can redirect tweets, blogs and other traffic to servers they control. Enterprise DNS administrators should take advantage of security features offered by Registrars to control modifications made to their domain.
Twitter itself has also put security controls in place to help prevent hacking across its platform. A recent SEA attack against Twitter was only partially successful as the company had implemented the "Domain Lock" feature which prohibits certain changes to a domain until it is unlocked -- a simple but valuable control.
In addition, two-factor authentication should be introduced for both social media accounts and for those that control important services like DNS. Out-of-band checks such as a security code sent to the user's mobile phone can greatly reduce the chances of a phishing email being enough to gain access to an account. Ideally, dedicated computers should be used to access and update social media content so that additional security checks and controls can be deployed on these systems to monitor for unusual network traffic and keyloggers, which have become another suspected method used by hackers to obtain social media account credentials.
More on social media security
Social media security risks and real-time communication security
What are the risks of social networking sites?
Social networking best practices for preventing social network malware
How to implement and enforce a social networking security policy
It is critical to draw up an emergency response plan to reduce the impact of a social media account breach, should one occur. CNN removed tweets posted to its feed by the SEA within 10 minutes, which greatly minimized the effect on its business and clients. It is important that website administrators know which modules or components within a site provide social media content so that they can be quickly disabled should the need arise. This will also help prevent the need for an entire site to be taken offline.
While social media is a great way for enterprises to interact with their customers and strengthen their reputation, companies that want to maintain trust in their brand must put forth the extra effort required to stop them from falling prey to brand hacks and social attacks.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).