Social Media Networks: A New Attack Vector
Networks. They are the inevitable byproducts of how we engage and interact with the world around us. Without giving it a second’s thought, each of us participates in multiple networks every day. Whether comprising our family members, friends or community, life without networks would indeed be very lonely.
However, in recent years a new phenomenon has emerged to radically alter the ways in which we connect and communicate with others: social media networks.
Facebook, Twitter, Instagram and TikTok are now integral parts of our daily lives. We readily share our personal information, thoughts and activities with all our contacts on these platforms. They are fantastic ways to keep in touch with friends and relatives, especially those from whom we are separated by long distances.
But social media networks can be a double-edged sword. They can be a treasure trove of information for any malicious actor seeking to engage in social engineering or Business Email Compromise (BEC) attacks.
Aggregating Data from Multiple Breaches
LinkedIn recently revealed that malicious actors have scraped the data of some 500 million LinkedIn profiles. This staggering number of victims have unknowingly had their phone numbers, email addresses and employment details compromised. Whilst all the data in question was publicly viewable information, it has apparently been combined with data aggregated from other websites or companies.
In practice, what this means is that malicious actors have obtained publicly available information from the LinkedIn platform, and tied those individuals’ details to information from elsewhere.
For example, if the hackers obtained John Citizen’s contact details and employment status from LinkedIn, they may have managed to associate this information with other confidential data about John Citizen obtained from other sites. This other data may be financial details, such as credit card numbers, or even information about his personal life.
Linking hacked data in this way gives those with malicious intent much more comprehensive information about individuals they are targeting.
Social Engineering and Business Email Compromise
We know from experience that hackers are using social engineering methods against specific individuals in companies. This means they are undertaking extensive reconnaissance on those people, like CEOs and CFOs, who have high-level privileges in an organisation. They are looking for any information that will enable them to realistically impersonate the target, so they can then launch a BEC attack.
Once an attacker knows all the details about a CEO or CFO, and has infiltrated that executive's email account, they can proceed to issue very realistic instructions to the accounts payable team in order to get them to send funds to the attacker's bank account.
That’s why we should all be very cautious about any information we post on social media networks.
Seemingly innocuous details, such as when the CEO or CFO is away on vacation, can be used by attackers to time urgent payment instructions to the accounts team. The attacker knows that phone verification may be difficult while the executive is away, so the payment is more likely to be processed without going through the usual checks.
So, when it comes to social media networks, it's best to act with extreme caution. Make sure your privacy settings are set to the strictest levels. Additionally, be very cautious about any information you share. Even if you think the information is harmless, it could be tied to other information from other sites, giving malicious actors a deeper awareness of your identity and patterns of behaviour.
Finally, you should have a technology solution in place that is able to warn you about suspicious payments. Eftsure cross-checks a payee’s account name with BSB and account number, so if you have been unknowingly subjected to a BEC attack, you will be able to limit the risk of sending funds to the fraudster.
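The two controls the last few paragraphs describe, cross-checking a payee's name against the BSB and account number held on a vetted register, and refusing to release an "urgent" request from an executive who is recorded as away unless someone has independently called them back, can be expressed as a small payment-release check. The code below is an added illustration written for this page; it is not Eftsure's product logic, and the vetted payee register, the list of executives currently away and the payment requests are all constructed sample data.

```python
"""
Added example (not Eftsure's code): a minimal payment-release control that applies
the page's two pieces of advice before funds leave the organisation.

  1. The payee name on a request must map to the same BSB + account number that was
     confirmed out-of-band when the vendor was first onboarded.
  2. An 'urgent' request attributed to an executive who is currently away must carry
     an independent call-back verification, because that is exactly the window a
     BEC attacker tries to exploit.

All names, BSBs, account numbers and email addresses here are constructed.
"""
import re
from dataclasses import dataclass

# Australian BSBs are six digits, conventionally written as NNN-NNN.
BSB_RE = re.compile(r"^\d{3}-?\d{3}$")


@dataclass(frozen=True)
class PaymentRequest:
    payee_name: str
    bsb: str
    account_number: str
    amount: float
    requested_by: str          # email address of the person issuing the instruction
    urgent: bool = False
    callback_verified: bool = False   # set only after AP phoned the requester on a known number


def normalise_name(name: str) -> str:
    """Case- and whitespace-insensitive comparison of payee names."""
    return " ".join(name.lower().split())


def normalise_bsb(bsb: str) -> str:
    """Compare BSBs with or without the conventional hyphen."""
    return bsb.replace("-", "")


# Constructed vetted register: payee name -> (BSB, account) confirmed with the vendor
# by phone at onboarding, never from details supplied in an email.
VETTED_PAYEES = {
    normalise_name("Acme Office Supplies Pty Ltd"): ("062-000", "12345678"),
    normalise_name("Northwind Logistics"): ("033-100", "98765432"),
}

# Constructed feed from HR / calendar: executives currently away on leave.
EXECUTIVES_AWAY = {"cfo@example.invalid"}


def assess_payment(req: PaymentRequest, vetted=VETTED_PAYEES, away=EXECUTIVES_AWAY):
    """Return ('release', []) or ('hold', [reason, ...]) for a payment request."""
    reasons = []

    if not BSB_RE.match(req.bsb) or not req.account_number.isdigit():
        reasons.append("malformed BSB or account number")

    known = vetted.get(normalise_name(req.payee_name))
    if known is None:
        reasons.append("payee not in vetted register")
    else:
        known_bsb, known_acct = known
        if normalise_bsb(known_bsb) != normalise_bsb(req.bsb) or known_acct != req.account_number:
            # Same supplier name, different bank details: the classic BEC diversion.
            reasons.append("account details differ from vetted record for this payee name")

    if req.urgent and req.requested_by in away and not req.callback_verified:
        reasons.append("urgent request from an away executive without independent call-back")

    return ("hold" if reasons else "release", reasons)


if __name__ == "__main__":
    samples = [
        # Matches the vetted record exactly: released.
        PaymentRequest("Acme Office Supplies Pty Ltd", "062-000", "12345678", 4200.00, "ap@example.invalid"),
        # Same supplier name, but the account number has been swapped: held.
        PaymentRequest("Acme Office Supplies Pty Ltd", "062-000", "55555555", 4200.00, "ap@example.invalid"),
        # 'Urgent' instruction in the CFO's name while the CFO is on leave and nobody phoned them: held.
        PaymentRequest("Northwind Logistics", "033100", "98765432", 18750.00, "cfo@example.invalid", urgent=True),
    ]
    for s in samples:
        decision, why = assess_payment(s)
        print(f"{decision:7} {s.payee_name!r} {s.bsb} {s.account_number} -> {'; '.join(why) or 'ok'}")
```

The point of the register lookup is that the name on the request is never trusted on its own: a request that reuses a real supplier's name but carries new bank details is held, which is the pattern an attacker who has read the CEO's inbox and travel plans relies on. The call-back flag is deliberately a separate field that only the accounts team can set after speaking to the requester on a number already on file, so an attacker who controls the mailbox cannot satisfy it by email.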
Contact the team at eftsure today for further information about mitigating your exposure to BEC attacks.