Social media is surely one of the phenomena of the 21^st Century. Everyone has a favorite social media platform and this has changed the way we communicate – sharing news and gossip. Twitter and Facebook, for example, are force multipliers when it comes to the spread of information. This, however, leads to an interesting attack surface; one, criminals have been exploiting for years.
Overall, seven triggers have been found that make Facebook and Twitter particularly big targets. Of these, one of the biggest reasons for easy attacks on social media platforms is a particular psychological trigger known as the strong effect. This makes nefarious use of a person’s heightened sense of emotion; be it fear, excitement, grief or panic for the reason of luring a victim to action.
Big news events that impact a lot of people are prime targets – like Whitney Houston’s death or the MH17 – with hackers quickly hijacking trending keywords, promising ‘shocking’ or ‘exclusive’ content. Links are provided that lead to survey scams, click-fraud and malware. This can potentially lead to the loss of key information and passwords. Steve Ragan, Senior Staff Writer at CSOnline.com, tells us that “With each click, the criminals earned advertising compensation and exposed the visitor to information theft … No matter what option is presented as a lure, the payoff for the criminal is a person installing malware that harvests personal information and passwords.”
As a result, it’s not only tragic events that are targeted. The ALS Ice Bucket challenge also been targeted in phishing scams. This one also propagated via email, as well as wider social media. In this instance a link or an attachment was hidden in a funny video. Further attacks have included the iCloud incident that led to many private celebrity photos being released; showing that many different genres of ‘lure’ are targeted.
By targeting such human emotion, as well as the information vacuum that develops in the wake of breaking news criminals are hijacking topics on social media sites and stealing valuable information with ease. Dealing with this is not a simple matter. Some small help, is awareness programs that can be conducted – getting people to realize the consequences of clicking on strange links and attachments – but these can only go so far.
The fact is that, simply because humans are human, as long as there are people who will click these links – this wide open point of entry will remain a target.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”