Although social media is a powerful tool for professionals and businesses, it is also an equally powerful tool for cyber criminals. The same information used to express your personality and background can be used by cyber criminals to exploit personal and business vulnerabilities through elaborate social engineering schemes. And it’s happening far more often than one might expect.
BrandProtect security experts recently analyzed Fortune 100 CEO Twitter and LinkedIn accounts to identify duplicate or copycat accounts. 40% of Fortune 100 CEOs on Twitter had profiles flagged as possible copycat accounts. On LinkedIn, 15% of Fortune 100 CEOs are represented by multiple LinkedIn profiles. These accounts represent a risk – to the executive, and to the business.
Of course, parody on Twitter has become an art. Political leaders are often imitated in numerous parody or satire accounts. Donald Trump, for example, has inspired more than 90 parody Twitter accounts. But he is also imitated by no fewer than 56 other Twitter accounts that present themselves as legitimate (Hillary Clinton has 17 similar imitators). Handles like realDonaldTranp, keelDonaldTrump, reaIDenaldTrump, realDonoldDrump, and realDonaldTruvp are easy to look past, giving schemers a chance to confuse the electorate with their posts. All it takes is one viral retweet to start spreading misinformation.
Cyber criminals use public information that already exists online to steal an identity or biography. While some accounts are completely fake, masquerading as a recruiter with a stock photograph and an invented resume, duplicate accounts are even more dangerous. They look identical to the real thing, presenting the guise of an existing, trusted relationship. And these connections can quickly grow, giving the criminal access to a wide network of contacts. Armed with access to email accounts and features like InMail, criminals send out dangerous links from the fake trusted source, leveling a devastating email-based attack within the organization.
How Attacks Happen
- Social engineers mine social sites for professionals’ life details, work histories and key words to plausibly assume any identity.
- Hives of imposter accounts generate bogus endorsements, recommendations and contacts to increase credibility. Bogus affinity pages and groups can further attract potential contacts.
- The cyber criminals use connections with legitimate profiles to mine increasingly personal information, including workgroup information, names and nicknames of colleagues and peers.
- Attackers identify reporting structures, ongoing projects, and “inside information” like work and vacation schedules.
- The criminal crafts a seemingly legitimate email that can be used in a spear phishing/BEC attack, ransomware campaign, or whaling scheme.
- The email is sent to a logical target, apparently from a trusted and authoritative source. The email will talk knowledgeably and casually about company issues. It will then request or demand an action of the reader – money or information transfer, network access, or opening a malware or ransomware-laden file.
How Security Teams Can Fight Back
These simple steps minimize the financial, reputational and operational risks caused by masquerading accounts:
- Identify duplicate domains that claim to represent real company employees, and investigate further to determine whether they are a threat.
- Look for, review, and validate other LinkedIn profiles that claim an association with your company. Any rogue accounts should be reported immediately.
- Evaluate LinkedIn groups, including alumni groups and affinity groups connected to the company. When an unauthorized social domain is identified, it should be shut down.
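As an added example (not BrandProtect's tooling), the check below applies the first step above to social handles: it compares harvested handles against a list of verified executive accounts, folding visually confusable characters so that a capital I standing in for l is treated as the letter it imitates, then flags anything within two edits. The confusables table and the verified list ("realDonaldTrump", "HillaryClinton") are assumptions for the demo; the copycat handles are the ones quoted earlier in the article.

```python
# Added example: flag social-media handles that impersonate a verified account.
# Lower-casing plus the confusables table builds a "skeleton" of each handle,
# so reaIDenaldTrump (capital I for l) is compared as the letters it imitates;
# a small edit distance then catches typos such as realDonaldTranp.

# Assumed confusables table; a production scanner would use the Unicode list.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o",
                             "5": "s", "$": "s", "3": "e", "4": "a"})


def skeleton(handle: str) -> str:
    """Drop a leading @, lower-case, and fold confusable glyphs."""
    return handle.lstrip("@").lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(handle: str, verified: list[str], max_edits: int = 2):
    """Return (verdict, impersonated_handle): 'verified' for an exact match,
    'homoglyph' for an identical skeleton, 'lookalike' within max_edits."""
    bare = handle.lstrip("@").lower()
    for real in verified:
        if bare == real.lower():
            return "verified", real
    sk = skeleton(handle)
    dist, real = min((edit_distance(sk, skeleton(r)), r) for r in verified)
    if dist == 0:
        return "homoglyph", real
    if dist <= max_edits:
        return "lookalike", real
    return "unrelated", None


def scan(handles: list[str], verified: list[str]) -> list[tuple[str, str, str]]:
    """Return (handle, verdict, impersonated) for every suspicious handle."""
    flagged = ("homoglyph", "lookalike")
    return [(h, v, r) for h in handles for v, r in [classify(h, verified)] if v in flagged]


if __name__ == "__main__":
    # Constructed sample: the copycat handles from the article plus one unrelated account.
    suspects = ["realDonaldTranp", "keelDonaldTrump", "reaIDenaldTrump",
                "realDonoldDrump", "realDonaldTruvp", "BrandProtect"]
    for hit in scan(suspects, ["realDonaldTrump", "HillaryClinton"]):
        print(hit)
```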
How Individuals Can Fight Back
Individuals can take proactive steps to protect themselves and their businesses. Here are three simple ways to prevent social engineering:
- When a stranger asks to connect online, ask yourself if you know them and how many common connections they have.
- Scrutinize connection requests from peers and colleagues you have previously connected with; a second request from someone already in your network is likely the work of a spoofer or a social engineer. Search for your friend's actual profile, and if you are suspicious, report the profile to the site.
- Be vigilant about potential attacks. Emails, particularly urgent requests and strange stories, should be verified. Before you click, proactively investigate the request's legitimacy.
Socially engineered attacks continue to be profitable for cybercriminals, but they are preventable. Spreading awareness of social engineering is an easy first step toward saving your company millions.
About The Author
Greg Mancusi-Ungaro is the chief marketing officer for BrandProtect, a leader in cyber threat monitoring, intelligence and mitigation services. He is a frequent author and speaker, and a constant evangelist on cyber security issues, the changing nature of the modern threat landscape, and the emerging technologies that look beyond the perimeter to drive enterprise defenses against cyberattack. He blogs regularly on cyber threat and cyber security at info.brandprotect.com. For more information, email Greg.