Aug 14, 2013
How Attackers Target and Exploit Social Networking Users
Social networking sites have become an invaluable resource for personal and business purposes. They help individuals stay in touch, find old friends and meet new ones. Businesses leverage social media for marketing, recruiting and sales. But just as these social networks can be used for legitimate purposes, malicious attackers can take advantage of the information posted on them and use it to target enterprise networks.
The popularity of sites like Facebook, Twitter and LinkedIn makes social networking sites juicy targets for reconnaissance against businesses and their employees. An attacker can identify employees by using information such as the organizations they are associated with, their likes and dislikes, birth dates or other age-specific information (such as year of graduation from high school or college). All of this information can be used to, among many other things, create targeted spear phishing attacks and defeat password-reset mechanisms that ask so-called “secret” questions.
Companies are trying to combat social network usage and the posting of sensitive information, but security controls can only do so much on corporate-owned systems. Policies and awareness programs also need to be created to address the use of social networks outside of the office. The average user doesn’t understand just how easily a seemingly harmless photo taken in the office and posted to Twitter can be used during a targeted attack. The photo could reveal physical security controls in the office, computer screens and applications running on them, geolocation information (where the photo was taken) and employee badge information.
In this report, Dark Reading examines the ways in which today’s attackers are exploiting connections to Facebook, Twitter, LinkedIn and other social networks to infect your users’ devices with malware, conduct phishing attacks and collect information that may help them crack your corporate defenses. (S7320813)