I’m a professional hacker, or as we are referred to in the security industry, a penetration tester. As a penetration tester, I am hired by organisations to attack their systems, networks, applications, and employees in the same fashion that a malicious attacker would. It is my job to find and exploit weaknesses before malicious attackers can. These weaknesses include application and network-based attacks (exploiting a vulnerability in a company’s software or hardware), physical attacks (gaining unauthorised physical access to a company’s offices) and social engineering attacks (targeting a company’s employees via email (phishing), phone (vishing) or SMS (smishing) messages).
When performing a social engineering attack, social media is a godsend and often my first stop on any engagement. It should come as no surprise that, as the world becomes increasingly connected and social media plays a major part in the lives of the majority of the world’s population, the potential for over-sharing and putting one’s personal data at risk becomes exponentially greater.
One of the first steps for any social engineering attack is to properly identify targets. Identifying the targets often entails identifying employees that would have privileged access on the network, or access to others who would have that access, such as executive assistants. After identifying potential targets, the next step is to start performing reconnaissance on the targets, identifying their likes and dislikes, family members, personal and professional habits, important dates, etc. With this information, I can begin building custom password lists to be used for password spraying attacks (this is an attack where multiple passwords are “sprayed” against a users’ logins in the hopes of gaining access to their resources), as well as gathering information to craft targeted phishing/vishing/smishing campaign, unique to the target. This type of targeted phishing is often referred to as spear phishing.
Before social media, doing proper reconnaissance on a target could take days or weeks, while now it can be done in a matter of hours. With the multitude of social media options available, it is almost a given that an individual or organisation that I’ve been tasked with assessing will have accounts on at least one of the popular platforms. I regularly review profiles on Facebook, Twitter, Instagram, TikTok and even some lesser-known platforms during assessments to identify useful data for my “attacks.”
The chronic oversharing that takes place on social media can be a significant risk for users who regularly and unknowingly provide data that attackers can leverage during common attacks: important dates, family member names, pet names, childhood memories, and things the target likes to spend their time doing. As explained above, this seemingly mundane data can be helpful for crafting password lists to be used in password spraying attacks. EXIF data (EXIF is metadata of an image file that can give location, camera used, shutter speed, date, etc.) can also be used to determine a user’s habits and tendencies, allowing the attacker to learn the user’s schedules and proclivities. Camera or phone data can be useful when creating targeted attacks, such as exploits targeting the phone the user is using. Knowing locations the target frequents can allow for more “physical” based attacks, where I can get close enough to the target, to clone their building access card using an RFID cloner or plant a malicious USB drive on their person or in an area where they are likely to pick it up and hopefully use it.
How do attackers take seemingly benign posts and learn the target’s deepest secrets? The answer to that is simple: every “quiz” or “get to know you” that’s filled out, every picture posted and every rant made gives an attacker more information with which to work. All this data is used to build a dossier on the target, that can then be used to attack the target, their loved ones, or one’s employer.
My targets are not in any actual danger, as my objective is to help their organisation’s better secure sensitive data and access. A real-life attacker, however, may have much more sinister objectives in mind. Oversharing can have very real-world consequences such as identity theft and unauthorised banking access, but could also include threats of physical harm.
Fortunately, there are things that social media mavens can do to help protect themselves while still enjoying all that social media has to offer.
- Disable location services (GPS) on both cameras and social media apps. This avoids providing location information to an attacker who has gained access to social media profiles
- Lock down social media profiles so that only friends can see posts. Properly vetting friend requests limits the audience to which information is shared
- Always avoid sharing intimate details on public profiles. If it is necessary to post to public profiles or make a public post on an individual’s secured profile, avoid sharing intimate details about one’s self, workplace or loved ones
As the workforce becomes more comfortable with social media, companies should consider the following:
- Companies should have social media policies, providing guidelines for how users share information pertaining to the company
- Companies should provide security awareness training enforcing the principles outlined above, guiding employees on how they can safely use social media
Following these guidelines can help protect critical personal data, while still allowing users to enjoy the benefits of social media.