If you recall, in the discovery phase we identified our target, John Smith; however, we also learned of a co-worker, Jane Doe. Lucky for us, Jane Doe has a LinkedIn account. Therefore, in the attack phase we’ll construct a spoofed LinkedIn phishing email impersonating Jane Doe. In this email we’ll request a LinkedIn connection from John Smith. From his office computer, John Smith accepts our fake request because he knows Jane Doe and assumes this is a legitimate connection request. By accepting, he is redirected to an exploit site targeting a web browser vulnerability. Ultimately his computer becomes infected with a custom Trojan that his anti-virus has never seen before and is therefore defenseless against. Our custom Trojan is instructed to connect back to our computer across the Internet and, voilà, we’ve infiltrated XYZ Corp’s network and established a beachhead.
This type of attack is not as far-fetched as you may think. Leveraging the information that legitimate users provide to social media sites makes these attacks among the easiest and, unfortunately, the most successful. The information is made freely available, and the level of personal detail posted online would often raise red flags in other social settings; but because it’s online, users seem to lose sight of that fact and anything goes. While the majority use these social services as they were intended, a fringe minority take advantage of people’s good will and twist the services to nefarious purposes. Despite the risk, however, it’s not all doom and gloom. Like it or not, social media is here to stay, and we must learn proper etiquette to stay safe. There are ways we can protect ourselves and continue to enjoy the benefits of social media.
• Review Social Site Privacy Policy and your account privacy settings.
• Adhere to the least privilege principle.
• Think twice or even three times before posting personal details online.
• Scrutinize invitations, tweets and email messages asking for action on 3rd party web sites before clicking :-)
• Use common sense.
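The scrutiny the last two points call for can be partly automated on the mail gateway. The check below is an added example, not code from the original article: it takes a constructed spoofed “connection request” like the one in the scenario and flags the two tell-tale signs, a display name that invokes the brand while the sender domain belongs to someone else, and an “Accept” link whose hostname merely contains the brand name. The `.example` domains and the `LEGIT_DOMAINS` list are assumptions for the demo.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains the genuine service sends from and links to (assumed for the demo).
LEGIT_DOMAINS = {"linkedin.com"}

# Constructed sample: a spoofed invitation of the kind described in the scenario.
SAMPLE_EML = """\
From: "Jane Doe via LinkedIn" <invitations@linkedin-mail.example>
To: john.smith@xyzcorp.example
Subject: Jane Doe wants to connect on LinkedIn
Content-Type: text/html

<html><body>
<p>Jane Doe would like to add you to her professional network.</p>
<a href="http://linkedin.com.accept-invite.example/conn?id=123">Accept</a>
</body></html>
"""

def registrable(host):
    """Crude eTLD+1: the last two labels of the hostname (sufficient for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyze_invitation(raw, claimed="linkedin"):
    """Return the list of red flags for a message claiming to come from `claimed`."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable(sender.addr_spec.split("@")[-1])
    # Flag 1: display name invokes the brand, but the sending domain is not the brand's.
    if claimed in sender.display_name.lower() and sender_domain not in LEGIT_DOMAINS:
        flags.append(f"sender domain {sender_domain!r} does not match claimed brand")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        # Flag 2: the link host only *contains* the brand (linkedin.com.<other>) and is not owned by it.
        if registrable(host) not in LEGIT_DOMAINS:
            flags.append(f"link points to {host!r}, not a {claimed} domain")
    return flags

if __name__ == "__main__":
    for flag in analyze_invitation(SAMPLE_EML):
        print("RED FLAG:", flag)
```

A genuine invitation, with both the sender address and every link on the brand’s own registrable domain, yields an empty list.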
Many don’t realize that the Internet has an unlimited memory: information posted to 3rd party social web sites may be used and retained by those 3rd parties forever. In some cases, once you post, you lose control over the information; it may become impossible to remove or delete. Personally, before I post personal information online, I perform the “telephone test”. It goes something like this: if I received a phone call asking for the information I’m about to post online, would I be comfortable providing it to the anonymous caller on the other end of the telephone? If the answer is ‘no’, then I don’t post.
While email addresses and home addresses may not seem like much, from an attacker’s perspective they are a great start. But before I explain the anatomy of a typical attack, let’s look at what motivates would-be attackers to expend energy and resources. While motives are as diverse as the stars in the night sky, the most common include:
• identity theft
• financial gain
• corporate espionage or network penetration
• politically or state motivated agenda
• social or economic movements
• social group bragging rights
In the short history of the Internet you can find many examples of attacks within each of these categories simply by Googling. But let me construct a typical “corporate espionage or network penetration” attack scenario.
There is a common misconception in corporate circles that a well-protected front door, in this case the typical network firewall, shields corporate networks from targeted penetration. In my opinion nothing could be further from the truth. Please don’t misunderstand me: I’m not saying firewalls are obsolete or not required. All I’m alluding to is the fact that an attacker will not waste their time at the front door because it is well protected. Instead, most will look at alternate corporate network entry points, which typically are not well protected and are honestly much easier targets, requiring less energy and effort to exploit.
Let’s assume I’m an attacker, and today’s target is Corporation XYZ. If I’m not attempting the direct approach, then what are my alternatives? Well, I could exploit badly configured web servers, but again that requires effort and may draw too much attention. Instead I’ll direct my efforts at the weakest link: “corporate users”. With the advent of social media and social networks, the “user” is becoming the preferred target. So, let’s look at the anatomy of a typical social engineering attack using social media.
A typical attack may begin by using public information published by Corporation XYZ to build a profile of the company and attempt to learn more about its employees. This involves the XYZ corporate web site and common search engines like Google, Yahoo, Bing and others. Gathered information can later be used to build credibility during the attack phase; at this point we’re simply gathering information. Let’s assume I’m interested in XYZ research and development, and my discovery phase identified the VP of R&D at XYZ Corp., named John Smith. With my target in hand I can utilize legitimate tools like ‘Maltego’ to gather more specific information about John Smith and correlate the results with Corporation XYZ. Maltego’s powerful correlation engine will cross-harvest social networks like LinkedIn, constructing an ever more accurate profile of the target. While harvesting information and correlating a range of social media sites can be accomplished manually, tools like Maltego do it extremely quickly with virtually zero effort from the attacker.
Unfortunately, many don’t realize a disturbing characteristic of social media: the information contained within one site can be useful in attacking others. A good example is the social site ‘Classmates.com’. The information available at sites like Classmates.com can be used to hijack accounts at other social and non-social sites. To the detriment of many web users, web sites use password recovery or reset questions like “What high school did you attend?” or “Who was your 9th grade English teacher?” This information can often be harvested from sites like Classmates.com and used to gain access to accounts by resetting passwords. From an attacker’s perspective, imagine the value of hijacking the credibility of a high-profile Twitter account. Most followers of the hijacked account wouldn’t think twice about clicking a malware-infested link tweeted from it. Credibility significantly improves the success rate of attacks, and attackers know this well.
Over the last three years we have witnessed exponential growth in the use of social media like LinkedIn, Twitter and Facebook, for both personal and business use. It comes as no surprise, then, that during that very same time attacks leveraging these social networking sites have increased dramatically. You may be wondering why, and how, Facebook or LinkedIn impact cyber attacks against individuals and corporations alike.
According to Paul Wood, a senior analyst at Symantec’s MessageLabs Intelligence, the answer is simple: “The amount of information people post to social networks like Facebook and Twitter has made it much easier to social engineer people into thinking a link or message is legitimate.” The fundamental problem with online social networks is that they have no built-in authentication system to verify that someone is indeed who they say they are. An attacker can create a free profile on a site like LinkedIn, Twitter or Facebook and design that profile to match the personal or business interests of the target. If the target accepts the attacker as a connection or friend, the attacker gains access to the target’s social network, including contacts, contact information and personal information related to each connection.
If you’re skeptical of Mr. Wood’s claim, unfortunately one does not have to search far and wide for a practical real-world example. In a recent study published by the University of British Columbia’s Vancouver campus concerning the potential hazards of social networks, researchers were able to collect over 250GB worth of personal information. The team created 102 social bots (Wikipedia defines bots as software applications that run automated, repetitive tasks over the Internet; typically, bots perform these tasks at an incredible rate, much faster than is possible for a human alone, and are perfectly adapted to massive information gathering). These bots took on the names and pictures of fictitious Facebook users, impersonated real users with regular status updates, and were released into the Facebook network. Each bot proceeded to build a sizable friend network by first sending connection requests to a randomly selected list of 5,000 profiles, then continuing with new connection requests to the friends of those who accepted the initial invitation. In total, over the course of the eight-week project the researchers were able to obtain over 46,500 email addresses and 14,500 home addresses.