by Dr. Scott A. Wells and Justyna La Pay, Ultimate Knowledge Institute
As we just learned from cyberdefense specialist Aamir Lakhani, Robin Sage-style social media attacks are alive and well. By creating a fake social media account under the name “Emily Williams” and tricking government personnel into accepting his requests, Lakhani, a penetration tester for World Wide Technology, gained access to passwords, sensitive documents, and even the computer of the head of information security at an unnamed government agency. It took Lakhani only 15 hours to gain over 55 connections to his targets via Facebook and LinkedIn. After a short time, male employees offered to help “Emily” get a laptop and, most surprisingly, offered her a job and gave her early access to their network. Read more about this penetration testing attack.
Insidious, simple social media attacks that rely on penetrating social networks aren’t new, either. In 2009, security specialist Thomas Ryan tricked hundreds of defense specialists into giving him sensitive information by crafting the fake online persona “Robin Sage.”
One would think that national security professionals would be more careful about whom they allow into their social networks. This latest example shows how vulnerable our networks and data are to attacks of this kind, and underscores the value of comprehensive cyber security training programs.
Here are three ways to prepare your organization against attacks like these:
1) Avoid allowing unknown people into your social network.
Users often spend too little effort checking that a friend request really comes from someone they know. It has been shown that 78 percent of Facebook users treat the number of friends they have in common with the requester as the most compelling reason to accept an incoming friend request. That is exactly the signal an attacker manufactures: by connecting to your contacts first, a fake persona arrives with a convincing list of mutual friends.
Google Image search can be used to help validate unknown social media requests.
We all know about Google Images, but do we all know about Google’s reverse image search? It is a service that lets users search by image rather than for images: you paste an image URL or upload an image, and Google returns visually similar images and the pages they appear on. The service sounds simple, but it is very useful.
Let’s say you have a profile picture of a person and you want to check whether they are who they claim to be. Copy the picture to your desktop, drag it into the Google Image search field, and look at what comes back. If the same photo turns up as a stock image, on a model’s portfolio, or on another profile under a different name, you are probably looking at a catfish attack, in which an individual pretends to be someone they are not, as in the case of “Emily Williams”. Keep the limits in mind: a match is strong evidence of a fake, but no match does not prove the person is genuine, since an attacker can use a photo that has never been published. Reverse image search is a quick, cheap first check for Facebook, LinkedIn, dating sites, and any other venue where a connection is established on the strength of a profile.
Use: Google Chrome or Firefox.
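At its simplest, a reverse image search is near-duplicate matching: the picture is reduced to a compact fingerprint that survives resizing and recompression, and that fingerprint is compared against fingerprints of indexed images. The Python script below is an added example written for this article; it is not Google’s code, nor Lakhani’s, nor the original authors’. It implements the difference-hash (dHash) fingerprint over constructed grayscale images rather than real photos, and the threshold of 10 differing bits for “same photo” is an assumption. The same idea generalizes beyond the manual search described above: a security team can keep hashes of known stock photos and previously seen fake personas and check the profile picture of every new connection request against them offline.

```python
import random

# dHash ("difference hash"): shrink the picture to a 9x8 grayscale grid and record,
# for every row, whether each cell is brighter than the cell to its left. Two
# copies of the same photo at different sizes or JPEG qualities give almost the
# same 64-bit fingerprint, so a small Hamming distance means "same picture".

GRID_COLS, GRID_ROWS = 9, 8   # 9 columns give 8 left/right comparisons per row


def block_mean_downscale(img, cols=GRID_COLS, rows=GRID_ROWS):
    """Shrink a grayscale image (list of rows of 0-255 ints) to cols x rows
    cells by averaging each rectangular block of source pixels."""
    height, width = len(img), len(img[0])
    out = []
    for i in range(rows):
        y0, y1 = i * height // rows, (i + 1) * height // rows
        row = []
        for j in range(cols):
            x0, x1 = j * width // cols, (j + 1) * width // cols
            total = sum(img[y][x] for y in range(y0, y1) for x in range(x0, x1))
            row.append(total / ((y1 - y0) * (x1 - x0)))
        out.append(row)
    return out


def dhash(img):
    """64-bit difference hash; bit = 1 where a cell is brighter than its left neighbour."""
    small = block_mean_downscale(img)
    h = 0
    for row in small:
        for j in range(GRID_COLS - 1):
            h = (h << 1) | (1 if row[j + 1] > row[j] else 0)
    return h


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


# Assumed threshold: up to 10 differing bits out of 64 is treated as the same photo.
SAME_PHOTO_MAX_DISTANCE = 10


def is_probably_same_photo(img_a, img_b):
    return hamming(dhash(img_a), dhash(img_b)) <= SAME_PHOTO_MAX_DISTANCE


# --- Constructed sample "photos" (no real images are used) ---------------------
# Each design is a 9x8 brightness layout; render() scales it up to a full-size
# grayscale image, optionally adding per-pixel noise to imitate re-compression.
PORTRAIT = [
    [20, 40, 60, 80, 100, 120, 140, 160, 180],
    [180, 160, 140, 120, 100, 80, 60, 40, 20],
    [20, 40, 20, 40, 20, 40, 20, 40, 20],
    [40, 20, 40, 20, 40, 20, 40, 20, 40],
    [100, 120, 140, 120, 100, 80, 60, 80, 100],
    [200, 180, 160, 180, 200, 220, 240, 220, 200],
    [50, 70, 50, 70, 50, 70, 50, 70, 50],
    [70, 50, 70, 50, 70, 50, 70, 50, 70],
]
UNRELATED = [
    [100, 80, 60, 40, 20, 40, 60, 80, 100],
    [20, 40, 60, 80, 100, 80, 60, 40, 20],
    [50, 70, 90, 70, 50, 70, 90, 70, 50],
    [90, 70, 50, 70, 90, 70, 50, 70, 90],
    [10, 30, 50, 70, 90, 110, 130, 150, 170],
    [170, 150, 130, 110, 90, 70, 50, 30, 10],
    [200, 180, 200, 180, 200, 180, 200, 180, 200],
    [180, 200, 180, 200, 180, 200, 180, 200, 180],
]


def render(design, width, height, noise=0, seed=0):
    """Scale a design up to width x height pixels, adding +/-noise gray levels per pixel."""
    rng = random.Random(seed)
    rows, cols = len(design), len(design[0])
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            v = design[y * rows // height][x * cols // width]
            if noise:
                v += rng.randint(-noise, noise)
            row.append(max(0, min(255, v)))
        img.append(row)
    return img


# The profile picture under investigation, a smaller re-uploaded copy of the same
# picture (different size, slight noise), and a genuinely different picture.
ORIGINAL = render(PORTRAIT, 72, 64)
REPOST = render(PORTRAIT, 36, 32, noise=3, seed=1)
OTHER = render(UNRELATED, 72, 64)

if __name__ == "__main__":
    print(f"original : {dhash(ORIGINAL):016x}")
    print(f"repost   : {dhash(REPOST):016x}  distance {hamming(dhash(ORIGINAL), dhash(REPOST))}")
    print(f"unrelated: {dhash(OTHER):016x}  distance {hamming(dhash(ORIGINAL), dhash(OTHER))}")
```

The re-uploaded copy is half the size and carries per-pixel noise, yet it hashes to the same 64 bits as the original, while the unrelated picture differs in 40 of them. Real tooling would load JPEG or PNG files with an image library and convert them to grayscale before hashing; the comparison logic is unchanged.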
2) A social media network is only as strong as its weakest link.
Be aware that connections in your network may themselves be compromised: even real associates or friends may have let bad actors into their networks, and those actors can then see your data. If a friend accepted a request without checking its authenticity and the same person now approaches you, the mutual connection is no evidence of legitimacy; you may be dealing with an attacker.
3) Stress the importance of social media security awareness.
There are few technologies that will protect you from threats arriving through social media. User security training is the best way to fend off these attacks. Everyone can fall prey to them, even cybersecurity-savvy professionals, as Lakhani’s research shows.
Learn more about Social Media Security Professional (SMSP) certification powered by CompTIA
About Scott A. Wells, Ph.D.
Co-Founder / Director of Training, Ultimate Knowledge Institute (UKI) | Chief Architect of the Social Media Security Professional (SMSP) Certification Powered by CompTIA
Dr. Scott Wells is recognized throughout the industry as a world-renowned instructor and consultant known for his commanding presence in the classroom and breadth of knowledge in the world of Information Technology and Information Security. Dr. Wells achieved his doctorate in Applied Mathematics (Cryptology) and has worked for and consulted for industry-leading corporations such as Microsoft, Digital, and Cisco, as well as many other Fortune 100 companies. For the past 12 years Dr. Wells has developed and taught hundreds of Information Technology and Cybersecurity training programs for the Department of Defense, Federal Agencies and Fortune 500 enterprises. Dr. Wells leads the initiative to establish Ultimate Knowledge Institute as the industry leader in providing Social Media Security, Forensics, and Governance training, as well as a renowned certification body awarding cybersecurity experts the Social Media Security Professional (SMSP) Powered by CompTIA certification, the Social Media Engineering & Forensics Professional (SMEFP) certification and the Social Media Management & Governance Professional (SMMGP) certification.