Sophisticated Social Engineering
Today we are going to circle back to the Twitter hack that occurred earlier this summer. We have some new information about how the hack was executed and a warning about the insidiousness of social engineering.
Initially, it was reported that the Twitter hack was due to an insider threat. Twitter took to their blog to dispel that notion and provide a more detailed explanation of the attack. Hackers first targeted lower-level employees with a phone spear phishing attack. This gave them access to some internal systems and processes. The hackers took that information and used it to socially engineer employees with higher-level access. Once they had that restricted access, hackers were able to take over the accounts of high-profile celebrities and politicians. It wasn’t a hack of the system; it was a hack of the employees.
Social engineering is a people hack. It can be far easier to exploit human vulnerabilities than system vulnerabilities. While it’s almost impossible to build systems that are completely hack-proof, there are concrete steps IT can take to protect the network. IT professionals can stay on top of new threats and deploy defenses against them. It’s different with social engineering. We can teach people about social engineering and what to look for, but there are so many potential variations and, ultimately, it comes down to a split-second decision made by someone who may be distracted or concerned. It only takes one mistake to compromise the network.
Personal or inside information that can be used in a sophisticated phishing attack is often publicly available on social media. In fact, social media can be a treasure trove of information that can be used to socially engineer you. Information that seems benign, like the name of your employer or an upcoming work event, can be manipulated to make you click a link, respond to a suspicious email, or provide information over the phone. Personal information such as location and names of friends and family members can also be used in the same way.
An organization’s official social media page or website may also be oversharing. One example is email addresses. When an email directory is published online, it makes employees an easy mark for phishing. Hackers can target multiple employees within an organization using personal or company information found on social media. In fact, many organizations choose to use a contact form rather than publishing email addresses as a safety precaution.
Has your organization ever welcomed a new employee on social media? While it’s a nice way to recognize someone, you are giving away information a hacker could use to target a vulnerable employee! They could send a phishing email with a link to “onboarding” information or a request from “HR” to provide sensitive information.
It can be easy to drop your guard on cyber awareness when the phone rings. The Twitter blog noted the initial attack was a phone spear phishing attack. Spear phishing means that the victims were specifically targeted. Remember that hackers will use any method available to them to trick or socially engineer you. They aren’t limited to email, text, and social media messages. You may come across a fraudster on the phone, via mail, or even in person. Stay alert for any suspicious interactions.
Finally, hackers are willing to play the long game, watching company and employee social media for months in order to formulate a scam that could trick almost anyone. A low-tech effort can lead to a high-profile attack, as we saw with Twitter. When you limit what you share, you help to thwart these attacks. In a social media-centric world, it can be hard to find the balance between security and social media engagement, but it is vital to our reputations and the safety of our networks.