For most of us who enjoy using Facebook, Instagram, Twitter and the humble e-mail, here is a succinct warning: be careful of the messages you receive, even if they are from your friends. In fact, that is the most salient point of vulnerability for social media users. The faith we place in our friends is huge. Whilst we may be wary of clicking on a wayward-looking site advertising the latest in massage-chair technology, a private message from a friend, linking to a particular website and personally asking us to ‘have a look at it’, is an innocuous-looking way for a hacker to gain access to our information.
Spear fishing is a brutal phrase conjuring an image of helpless prey. Phishing, translated into computer terminology, bears a similar meaning. The prey is your innocent click, and the spear, in spear-phishing, is provided by an attacker’s intricately prepared analysis of your social media profile prior to their assault. Think of the plethora of information we provide to our accounts. Every single post made by every employee in relation to company detail, whether it be a seemingly innocuous discussion of tomorrow’s agenda or a flagrant rant at the boss’s (or a co-worker’s) repeated ineptitude, feeds valuable information to hacking companies’ relentless appetite. If you refer to your boss by name (let’s say William, for example) over your timeline of posts, hackers will be able to draw a relation between your emotional outbursts and your reasons for them. They could then gain control of a co-worker’s account, mention William’s name in context, and ask innocently for a company-secure department username and password. This could conceivably pose a huge financial and legal risk to your whole company, all from information revealed by one employee.
Such dangers have been brought into the spotlight by recent news such as the Russian hacking scandal, in which a link advertising a family-friendly summer vacation deal was clicked on by a Pentagon official. It is difficult to prevent such events from happening, particularly as hacking methodology has evolved beyond the simple virus carried by an e-mail or website. No longer is it as simple as downloading a client for malware removal and resting easy knowing you’re protected by an antivirus program. Hacking experts are now targeting social media accounts because of the leverage they possess and the wealth of personal and company information they contain. If you click on one virus-laden message, it will capitalise on the opportunity to send a message, or post a link on your feed, to your list of other trusting friends. The fact that they consider you their friend is the crucial point of concern. As in the aforementioned example involving William, posts you have made before will have created exploitable sets of segmented data for hackers to use, creating contexts in which your friend could ‘trust’ your message enough to click on it. If you have posted enough about football, hackers could begin a conversation with your friend by mentioning a particular team, thus allaying any wariness he or she might have about who is really writing, leaving further siphoning of personal information just another click away.
With such elaborate hacking methodology poised to capitalise on the number of followers and friends an individual has, it is only logical for attackers to target popular figures. By compromising these accounts, with the leverage of one million (and upwards) followers, the purposes of hacking companies, whether political or financial, can be exponentially amplified. This has been seen in the recent cyber attack targeting A-list celebrity social media accounts. Selena Gomez, boasting a follower list to the tune of 125 million people, had her Instagram profile compromised, with naked pictures of her ex-boyfriend, Canadian singer Justin Bieber, posted moments before the entire account was shut down. Exploiting a bug in the application’s software, the suspected cyber criminal claimed to have gained access to the emails and phone numbers of affected accounts and was able to trade them for cryptocurrencies in dark web markets. Whilst such cases of information phishing may seem less consequential, the potential for financial disaster is more clearly illustrated when company accounts are compromised.
Companies follow a profitable trend in using social media, which lets them access and distribute information through entertainment-mediated platforms. Such widespread usage nevertheless poses significant risk when information regulation policies are not well reviewed, updated and implemented. In 2017, a group named OurMine gained access to entertainment firm HBO’s Facebook and Twitter accounts, releasing a warning post ironically proclaiming: “Hi, OurMine are here, we are just testing your security, HBO team please contact us to upgrade the security …”. Previously, this group already boasted a heady track record that included the accounts of Netflix, Wikipedia co-founder Jimmy Wales, Mark Zuckerberg and Google CEO Sundar Pichai. Consequently, Game of Thrones scripts were released, as well as yet-to-be-broadcast episodes of other shows including Curb Your Enthusiasm. With the ideas behind such popular TV shows being literally held to ransom, this poses a huge danger to companies that have accumulated significant cloud data. HBO, in this incident, lost a reported 1.5 terabytes.
Phishing, in its elementary form, uses your personal information to impersonate you and so gain access to individual and company information. Losses can only be quantified in hindsight, so it is paramount that messages be subjected to successive factors of authentication before being trusted. If your colleague asks you for usernames or passwords over social media, don’t give them. Not because they’re not your friend, but because you never know if it is truly them.