Using Social Media as an Attack Vector – Part 1 of 3
Over the last three years we have witnessed exponential growth in the use of social media such as LinkedIn, Twitter and Facebook, for both personal and business purposes. It comes as no surprise, then, that during that same time attacks leveraging these social networking sites have increased dramatically. You may be wondering: why, and how, does Facebook or LinkedIn impact cyber attacks against individuals and corporations alike?
According to Paul Wood, a senior analyst at Symantec’s MessageLabs Intelligence, the answer is simple: “The amount of information people post to social networks like Facebook and Twitter has made it much easier to social engineer people into thinking a link or message is legitimate.” The fundamental problem with online social networks is that they have no built-in authentication system to verify that someone is indeed who they say they are. An attacker can create a free profile on a site like LinkedIn, Twitter or Facebook and design that profile to match the personal or business interests of the target. If the target accepts the attacker as a connection or friend, the attacker gains access to the target’s social network, including contacts, contact information and personal information related to each connection.
If you’re skeptical of Mr. Wood’s claim, unfortunately one does not have to search far and wide for a practical real-world example. In a recent study published by the University of British Columbia’s Vancouver campus concerning the potential hazards of social networks, researchers were able to collect over 250GB worth of personal information. The team created 102 social bots. (Wikipedia defines bots as software applications that run automated repetitive tasks over the Internet. Typically, bots perform these tasks at an incredible rate, much faster than is possible for a human alone, and are perfectly adapted to massive information gathering.) The bots took on the names and pictures of fictitious Facebook users, impersonating real users with regular status updates, and were released into the Facebook network. Each bot proceeded to build a sizable friend network by first sending connection requests to a randomly selected list of 5,000 profiles, and then continuing with new connection requests to the friends of those who accepted the initial invitation. In total, over the course of the eight-week project, the researchers were able to obtain over 46,500 email addresses and 14,500 home addresses.