Using Social Media as an Attack Vector – Part 2 of 3
While email addresses and home addresses may not seem like much, from an attacker’s perspective they are a great start. But before I explain the anatomy of a typical attack, let’s look at what motivates would-be attackers to expend energy and resources. While motives are as numerous as the stars in the night sky, the most common include:
• identity theft
• financial gain
• corporate espionage or network penetration
• politically or state motivated agenda
• social or economic movements
• social group bragging rights
In the short history of the Internet you can find many examples of attacks within each of these categories simply by Googling. But let me construct a typical “corporate espionage or network penetration” attack scenario.
There is a common misconception in corporate circles that a well-protected front door protects corporate networks from targeted penetration. In my opinion nothing could be further from the truth. In this case the front door is the typical network firewall. Please don’t misunderstand me; I’m not saying firewalls are obsolete or not required. All I’m alluding to is the fact that an attacker will not waste time at the front door because it is well protected. Instead, most will look at alternate corporate network entry points, which typically are not well protected and are honestly much easier targets, requiring less energy and effort to exploit.
Let’s assume I’m an attacker, and today’s target is Corporation XYZ. If I’m not attempting the direct approach, then what are my alternatives? Well, I could exploit badly configured web servers, but again that requires effort and may draw too much attention. Instead I’ll direct my efforts at the weakest link: “corporate users”. And with the advent of social media and social networks, the “user” is becoming the preferred target. So, let’s look at the anatomy of a typical social engineering attack using social media.
A typical attack may begin by using public information published by Corporation XYZ to build a profile of the company and attempt to learn more about its employees. This involves the XYZ corporate web site and common search engines like Google, Yahoo, Bing and others. Gathered information can later be used to build credibility during the attack phase; at this point we’re simply gathering information. Let’s assume I’m interested in XYZ research and development, and my discovery phase identified the VP of R&D at XYZ Corp., John Smith. With my target in hand I can utilize legitimate tools like ‘Maltego’ to gather more specific information about John Smith and correlate results with Corporation XYZ. Maltego’s powerful correlation engine will cross-harvest social networks like LinkedIn, constructing an ever more accurate profile of the target. While harvesting information and correlating it across a range of social media sites can be accomplished manually, tools like Maltego do it extremely quickly with virtually zero effort from the attacker.
Unfortunately, many don’t realize that a disturbing characteristic of social media is that the information contained within one site can be useful in attacking others. A good example is the social site ‘Classmates.com’. The information available at sites like Classmates.com can be used to hijack accounts at other social and non-social sites. To the detriment of many web users, web sites use password recovery or reset questions like “What High School did you attend?” or “Who was your 9th grade English teacher?” This information can often be harvested from sites like Classmates.com and used to gain access to accounts by resetting passwords. From an attacker’s perspective, imagine the value of hijacking the credibility of a high-profile Twitter account. Most followers of said hijacked account wouldn’t think twice about clicking a malware-infested link tweeted from the account. Credibility significantly improves the success rate of attacks, and attackers know this well.
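A defender's check for the reset-question weakness described above, as an added example that is not part of the original post: it flags reset questions whose answers tend to appear on public profiles and lists the reset flows that rely on such questions alone. The keyword patterns, the question catalogue and the flow names are constructed assumptions.

```python
import re

# Assumption: categories of facts that commonly appear on public alumni,
# professional and family pages. Patterns are illustrative, not exhaustive.
DISCOVERABLE = {
    "school": r"\b(high school|college|university|school|teacher|mascot|graduat\w*)\b",
    "employer": r"\b(employer|company|job|boss|manager)\b",
    "family": r"\b(maiden name|mother|father|sibling|spouse|born|birth|hometown)\b",
    "pets": r"\b(pet|dog|cat)\b",
}

def classify(question):
    """Return the sorted categories of public facts the question asks for."""
    q = question.lower()
    return sorted(c for c, pat in DISCOVERABLE.items() if re.search(pat, q))

def audit_catalogue(questions):
    """Map each flagged question to its categories; unflagged ones are omitted."""
    return {q: cats for q in questions if (cats := classify(q))}

def weak_reset_flows(flows, flagged):
    """Names of reset flows that flagged questions alone can complete.

    A flow is weak when it has no out-of-band step (e.g. a link sent to a
    registered address) and every question it asks is flagged.
    """
    weak = []
    for name, flow in flows.items():
        all_flagged = all(q in flagged for q in flow["questions"])
        if not flow["out_of_band"] and flow["questions"] and all_flagged:
            weak.append(name)
    return sorted(weak)

# Constructed sample data: the first two questions are the ones quoted in the post.
CATALOGUE = [
    "What High School did you attend?",
    "Who was your 9th grade English teacher?",
    "What is your mother's maiden name?",
    "What phrase did you choose at enrollment?",
]
FLOWS = {
    "webmail": {"questions": CATALOGUE[:2], "out_of_band": False},
    "payroll": {"questions": CATALOGUE[:2], "out_of_band": True},
    "intranet": {"questions": [CATALOGUE[3]], "out_of_band": False},
}

if __name__ == "__main__":
    flagged = audit_catalogue(CATALOGUE)
    for question, cats in flagged.items():
        print(f"FLAG {cats}: {question}")
    print("Weak reset flows:", weak_reset_flows(FLOWS, flagged))
```

Run against a real question catalogue, the flagged list is the set to retire or to pair with an out-of-band step.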