In early 2017, a Russian spearphishing operation targeted more than 10,000 U.S. Department of Defense employees. According to TIME, the perpetrators sent each target a personalized social media message with a link to seemingly innocuous content, such as sports highlights or an Academy Awards recap.
The link’s payload was anything but innocuous. When clicked, it delivered a devastatingly effective malware program that commandeered victims’ devices, co-opting them for some unknown purpose.
Given the victims’ occupations and security clearances, this was no typical security breach, and its full ramifications may not yet be known. Nevertheless, it’s a clear example of the sophistication of black hat cybercriminals and malicious state actors – and a sobering reminder that we all have a lot to lose from careless social media use, even if we don’t know state secrets.
Here’s a closer look at the most common risks for everyday social media users and some straightforward tips to stay safe in the digital public square.
Top Social Media Risks for Everyday Users
Some of these risks involve attempted or successful account compromise. Others involve the theft of personal information or credentials not directly related to the social media accounts in question. Still others aim to harass account holders without compromising their accounts or stealing personal information.
1. Identity Theft
Like email and e-commerce, social media is a common medium for identity theft. Scammers looking to steal sensitive information such as usernames, passwords, account numbers, and personal identification numbers use tactics including:
- Posing As Authorized Representatives. Attackers may impersonate trusted individuals or organizations and request sensitive information. This tactic is commonly known as phishing, and its less-adept practitioners are no doubt clogging your email spam folder as you read this.
- Direct-Messaging Business or Employment Proposals. This is the social media version of the “Nigerian prince” email scam: the offer of a too-good-to-be-true windfall or can’t-lose business opportunity that – surprise, surprise – won’t end well for you.
- Spoofing Post Authorization Requests. Executed properly, this is a convincing strategy. It alerts you that someone in your network has tagged you in a post or photo, perhaps of a salacious nature, and requests your approval before the content goes live. The “approve” link leads to a counterfeit login page; once you’ve entered your social media credentials there, the attacker has them, and it’s too late.
Identity thieves are endlessly creative, so don’t assume that every attempt to steal your personal information or credentials via social media will look like these scenarios. When in doubt, don’t engage.
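The spoofed approval request above works because the link looks like it points to the platform when it doesn’t. The following added example (written for this page, not code from TIME or any platform) shows the URL checks a practitioner would run on such a link before entering credentials: userinfo before an `@`, a brand name used as a subdomain of an unrelated domain, punycode labels, and plain `http`. The allowlist of login hostnames and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Login hostnames of the platforms we care about. This allowlist is constructed
# for the example; a real deployment would maintain it per service. Anything
# not on it is reported, so the check fails closed.
TRUSTED_LOGIN_HOSTS = {
    "twitter.com", "www.twitter.com", "mobile.twitter.com",
    "facebook.com", "www.facebook.com", "m.facebook.com",
    "linkedin.com", "www.linkedin.com",
}
# Brand names whose presence in a non-allowlisted hostname is a strong
# phishing signal (e.g. twitter.com.photo-approval.example).
BRAND_LABELS = ("twitter", "facebook", "linkedin")


def classify_login_link(url):
    """Return (verdict, reason) for a link that asks for social media credentials.

    verdict is "trusted", "suspicious" or "untrusted". The checks target the
    URL tricks a spoofed "approve this tagged photo" message usually relies on.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname could be parsed"
    # https://twitter.com@evil.example/ : the browser connects to evil.example
    # and treats "twitter.com" as a username, but the link *reads* like Twitter.
    if parts.username is not None:
        return "suspicious", "userinfo before '@' hides the real host %r" % host
    if parts.scheme != "https":
        return "suspicious", "credentials would travel over %s" % (parts.scheme or "an unknown scheme")
    # Internationalised labels (xn--...) can render as Latin look-alikes.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode label in hostname %r" % host
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted", "hostname %r is on the allowlist" % host
    # The registrable domain is the *last* labels of the hostname; a brand name
    # anywhere earlier (twitter.com.photo-approval.example) is decoration.
    for brand in BRAND_LABELS:
        if brand in host:
            return "suspicious", "brand %r appears in non-allowlisted host %r" % (brand, host)
    return "untrusted", "hostname %r is not on the allowlist" % host


# Constructed sample links of the kind a "please approve this photo" DM carries.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "http://twitter.com/login",
    "https://twitter.com@photo-approval.example/login",
    "https://twitter.com.photo-approval.example/login",
    "https://xn--twtter-xyz.com/login",
    "https://photo-approval.example/twitter.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = classify_login_link(link)
        print("%-10s %-55s %s" % (verdict, link, reason))
```

Only the first sample is safe to type a password into; the rest fail on the hostname, not on how the link looks, which is the habit to build: read the host the browser will actually connect to, not the brand name in the text.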
Pro tip: Identity Guard is one way to get extra peace of mind. For a monthly fee, the service uses IBM Watson to sift billions of records and alerts you when it spots a potential threat, monitoring your Social Security number, credit card and bank account numbers, health insurance ID, and more for exposure on the dark web.
2. Impersonation
Malicious actors can impersonate, or “spoof,” your social media persona without gaining control over your accounts. Impersonation is a form of social engineering: a sophisticated, persistent campaign conditions the people and organizations in your network to accept the impostor as you, and therefore to trust information you never created or authorized. Because impersonation campaigns require more effort than other scams, they’re usually aimed at specific individuals or organizations.
Impersonation campaigns involve the creation of a fake account that resembles the victim’s, complete with a publicly available photo of the real account owner and a near-identical handle, typically with a single character missing, added, or changed.
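The “single character missing, added, or changed” handle is a one-edit variant of the real one, which makes it detectable. The following added example (written for this page, not the page’s own or any platform’s code) normalizes common look-alike characters and then flags any handle within one edit of the legitimate one, also counting a swap of two adjacent characters, which the paragraph does not mention but which impostors use just as readily. The confusable table and the sample handles are constructed for illustration.

```python
# Characters an impostor substitutes because they look alike at a glance.
# Illustrative table, not exhaustive: a real deployment would use a Unicode
# confusables list. Mapping targets are lowercase ASCII so casefolded input
# compares cleanly.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "8": "b", "$": "s", "@": "a",
})
# Two-character sequences that read as a single different letter.
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_handle(handle):
    """Reduce a handle to the shape a reader perceives, not the bytes it has."""
    h = handle.strip().lstrip("@").casefold()
    h = h.translate(CONFUSABLE_CHARS)
    for seq, rep in CONFUSABLE_SEQUENCES:
        h = h.replace(seq, rep)
    return h


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def is_lookalike(legitimate, candidate, max_distance=1):
    """True if candidate could pass for legitimate at a glance.

    The identical handle (ignoring case and a leading '@') is the real account,
    not an impostor, so it is never reported.
    """
    same = legitimate.strip().lstrip("@").casefold() == candidate.strip().lstrip("@").casefold()
    if same:
        return False
    return osa_distance(normalize_handle(legitimate), normalize_handle(candidate)) <= max_distance


def find_lookalikes(legitimate, candidates, max_distance=1):
    """Return [(candidate, distance)] for every handle that reads like legitimate."""
    base = normalize_handle(legitimate)
    hits = []
    for cand in candidates:
        if is_lookalike(legitimate, cand, max_distance):
            hits.append((cand, osa_distance(base, normalize_handle(cand))))
    return hits


# Constructed handles, e.g. the result of searching the platform for the name.
LEGIT = "jane_doe_fin"
CANDIDATES = [
    "@jane_doe_fin",    # the real account, different only in the '@'
    "jane_d0e_fin",     # zero for 'o'
    "janedoe_fin",      # underscore dropped
    "jane_doe_fin1",    # character added
    "jnae_doe_fin",     # adjacent characters swapped
    "jane_doe_finance", # a different, legitimate-looking handle
]

if __name__ == "__main__":
    for handle, dist in find_lookalikes(LEGIT, CANDIDATES):
        print("possible impostor: %-18s (distance %d from %s)" % (handle, dist, LEGIT))
```

Four of the six candidates are reported; the real account and the clearly different `jane_doe_finance` are not. The threshold of one edit matches the pattern the paragraph describes; raising it catches more impostors at the cost of more false positives, so a platform would run this against a name search and hand the hits to a human.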
A long-running impersonation campaign may include weeks or months of “incubation,” during which the impostor account posts non-objectionable content and steadily gains followers. This is often followed by an active period, during which the impostor account’s behavior is intended to discredit or embarrass the victim. Impostor accounts may also spread malicious links, malware, or both. (More on those below.)
All social media platforms take countermeasures against transparent impersonation attempts, but the problem is overwhelming on some networks. Twitter’s fake account problem is particularly egregious, though not all false Twitter accounts are impostors. Millions of false accounts are either automated bots built to amplify content created by other accounts or human-controlled troll accounts created to harass other users or spread fake news.
3. Account Capture
“Captured” accounts are legitimate accounts that are taken over by attackers, who may gain control by:
- Tricking the victim into clicking a malicious direct-message link
- Breaching the victim’s account through the platform itself or a third-party app that was granted access to it, often as part of a larger data breach
- Guessing the victim’s password
- Reusing credentials stolen elsewhere, or resetting the password through a compromised email account, such as a hacked Google account that receives the reset link
Captured accounts are often conscripted into botnets used to spread malicious links or objectionable material. My own social media accounts have been on the receiving end of vast amounts of poorly devised, highly objectionable botnet appeals, usually of a pornographic nature.
Capture attacks may also target specific users. Such targeted attacks may have personal motivations, such as revenge. When the victim is well-known, attackers may have notoriety or specific political goals in mind.