Using Social Media as an Attack Vector – Part 3 of 3
If you recall, in the discovery phase we identified our target, John Smith; however, we also learned of a co-worker, Jane Doe. Lucky for us, Jane Doe has a LinkedIn account. Therefore, in the attack phase we’ll construct a spoofed LinkedIn phishing email impersonating Jane Doe. In this email we’ll request a LinkedIn connection from John Smith. From his office computer, John Smith accepts our fake request because he knows Jane Doe and assumes this is a legitimate connection request. By accepting, he is redirected to an exploit site targeting a web browser vulnerability. Ultimately his computer becomes infected with a custom Trojan his anti-virus has never seen before and hence is defenseless against. Our custom Trojan is instructed to connect back to our computer across the Internet and, voilà, we’ve infiltrated XYZ Corp’s network and established a beachhead.
This type of attack is not as far-fetched as you may think. Leveraging the information that legitimate users provide to social media sites makes these attacks among the easiest to carry out and, unfortunately, among the most successful. The information is made freely available, and often the level of personal information posted online would raise red flags in other social settings; but it seems that because it’s online, users lose sight of that fact and anything goes. While the majority actually use these social services as they were intended to be used, a fringe minority are taking advantage of people’s good will and twisting these services to nefarious purposes. However, despite the risk it’s not all doom and gloom. Like it or not, social media is here to stay and we must learn proper etiquette to stay safe. There are ways we can protect ourselves and continue to enjoy the benefits of social media.
• Adhere to the least privilege principle.
• Think twice or even three times before posting personal details online.
• Scrutinize invitations, tweets and email messages asking for action on 3rd party web sites before clicking :-)
• Use common sense.
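As an added illustration of the “scrutinize invitations” advice (this script is not part of the original post), the following Python triages an invitation email that claims to come from LinkedIn, the way the spoofed Jane Doe request above does: it checks whether the sender’s mail domain and every link in the body actually belong to a LinkedIn host. The trusted host list, the constructed sample message and its `.example` domains are assumptions for the demonstration.

```python
from email import message_from_string, policy, utils
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a genuine LinkedIn invitation would be sent from / link to.
TRUSTED_HOSTS = {"linkedin.com", "www.linkedin.com"}

# Constructed sample: a spoofed "Jane Doe" invitation whose sender domain and
# accept link both live outside LinkedIn (placeholder .example domains).
SAMPLE = """\
From: "Jane Doe via LinkedIn" <invitations@linkedin-mail.example>
To: john.smith@xyzcorp.example
Subject: Jane Doe wants to connect on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body><p>Jane Doe would like to connect.</p>
<a href="http://invite-linkedin.example/accept?id=123">Accept invitation</a></body></html>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage_invitation(raw):
    """Return the red flags found in one raw RFC 822 message (empty = none)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = utils.parseaddr(msg["From"])
    flags = []
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # A sender that names LinkedIn but mails from elsewhere is the first tell.
    if "linkedin" in (name + addr).lower() and sender_domain not in TRUSTED_HOSTS:
        flags.append(f"sender claims LinkedIn but mail domain is {sender_domain}")
    body = msg.get_body(preferencelist=("html",))
    parser = _LinkCollector()
    parser.feed(body.get_content() if body else "")
    # Every action link must land on a trusted host, whatever its visible text says.
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            flags.append(f"link '{text}' leads to {host}, not LinkedIn")
    return flags
```

Run `triage_invitation(SAMPLE)` to see both red flags; an invitation whose sender and links are genuinely on LinkedIn returns an empty list.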
Many don’t realize the Internet has an unlimited memory; information posted to 3rd party social web sites may be used and retained by these 3rd parties forever. In some cases, once you post, you lose control over the information. It may become impossible to remove or delete. Personally, before I post personal information online, I perform the “telephone test”. It goes something like this: if I received a phone call asking for the information I’m about to post online, would I be comfortable providing it to the anonymous caller on the other end of the telephone? If the answer is ‘no’ then I don’t post.