
Taming the social media exhibitionist

Status updates and tweets reveal more than you think. Rohyt Belani, CEO of PhishMe, believes they also offer the channel an opportunity.


According to AllTwitter, every minute of the day more than 100,000 tweets are sent; 684,478 pieces of content are shared on Facebook; 48 hours of video are uploaded to YouTube; and 3,600 photos are shared on Instagram.

It won’t be long, if it hasn’t happened already, before an individual’s expertise and/or popularity is measured purely by the number of ‘followers’ or ‘friends’ they have. From the famous to the infamous, it seems everyone is happy to tell virtual strangers what they’ve had for dinner or where they’re going on holiday. The issue is that, while many consider status updates a means to raise their profile, far too many users are oblivious to the intimate details they are innocently revealing via social media channels, to friends and to the bad guys too.

In September 2012, users of the popular photo-sharing website Pinterest began complaining about widespread account takeovers that spilled image spam onto adjoining social networks. Users who had linked their Pinterest account to Facebook and Twitter found that the spammers quickly took advantage of that access, blasting out tweets and wall posts linking to the spam images.

Once Pinterest was notified of the attack, the site advised users to have a unique password for each social networking site; however, it didn’t mention anything about refraining from linking Pinterest accounts with other social networking sites.

Users should be particularly careful when linking social networking sites: if a hacker is able to compromise one site, they find it far easier to gain access to others. Users are advised to look at the links between each of their social media accounts, identifying what information is connected and what could be of value to hackers.

The Pinterest example is just one of many that show how data we provide to social networking sites can be used in ways we didn’t intend. For instance, pictures sent over Twitter often contain metadata that reveals our location, potentially allowing someone to track our movements without our knowledge.
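As an added illustration (not code from the article or from PhishMe), the check below walks a JPEG’s EXIF block and reports any GPS coordinates it carries, which is the location leak the paragraph describes. The sample image is constructed in code; the parser reads only the GPS tags it needs and assumes a well-formed EXIF segment.

```python
import struct

GPS_IFD_POINTER = 0x8825                     # IFD0 tag that points at the GPS sub-IFD
GPS_TAGS = (0x0001, 0x0002, 0x0003, 0x0004)  # LatitudeRef, Latitude, LongitudeRef, Longitude

def _read_ifd(tiff, offset, endian):
    """Return {tag: 4 raw value/offset bytes} for the IFD starting at offset."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for base in range(offset + 2, offset + 2 + 12 * n, 12):
        tag = struct.unpack_from(endian + "H", tiff, base)[0]
        entries[tag] = tiff[base + 8:base + 12]  # value if it fits in 4 bytes, else an offset
    return entries

def _degrees(tiff, endian, raw_offset, ref, negative_ref):
    """Three RATIONALs (deg, min, sec) at raw_offset -> signed decimal degrees."""
    v = struct.unpack_from(endian + "6I", tiff, struct.unpack(endian + "I", raw_offset)[0])
    deg = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
    return -deg if ref[:1] == negative_ref else deg

def gps_from_jpeg(data):
    """Return (lat, lon) in decimal degrees if the JPEG carries GPS EXIF tags, else None."""
    pos = 2                                      # skip the SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if data[pos + 1] == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = data[pos + 10:pos + 2 + length]
            endian = "<" if tiff[:2] == b"II" else ">"
            ifd0 = _read_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian)
            if GPS_IFD_POINTER not in ifd0:
                return None
            gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER])[0], endian)
            if any(t not in gps for t in GPS_TAGS):
                return None
            return (_degrees(tiff, endian, gps[0x0002], gps[0x0001], b"S"),
                    _degrees(tiff, endian, gps[0x0004], gps[0x0003], b"W"))
        pos += 2 + length
    return None

def build_sample_jpeg(lat_ref, lat_dms, lon_ref, lon_dms):
    """Constructed sample: a minimal big-endian EXIF block holding only GPS tags, in a JPEG shell."""
    # Offsets from the TIFF header: IFD0 at 8, GPS IFD at 26, latitude rationals at 80, longitude at 104.
    tiff = b"MM" + struct.pack(">HIHHHIII", 42, 8, 1, GPS_IFD_POINTER, 4, 1, 26, 0)
    tiff += struct.pack(">HHHI", 4, 0x0001, 2, 2) + lat_ref.encode().ljust(4, b"\x00")
    tiff += struct.pack(">HHII", 0x0002, 5, 3, 80)
    tiff += struct.pack(">HHI", 0x0003, 2, 2) + lon_ref.encode().ljust(4, b"\x00")
    tiff += struct.pack(">HHIII", 0x0004, 5, 3, 104, 0)
    for value in (*lat_dms, *lon_dms):
        tiff += struct.pack(">II", value, 1)     # RATIONAL = numerator / denominator
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"
```

Running this on a photo before it is posted (or dropping the APP1 segment altogether) catches the location leak before a social network, or anyone downloading the image, can read it.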

Opaque or transparent?

Many individuals are blissfully unaware of the security risks these public domains pose. While revealing who you are in contact with, and where you frequent, has obvious physical security implications, the risks run much deeper. Nor is the risk only to the individual concerned: for an employee, it can also leave the organisation they work for exposed to unnecessary risks.

The reality is that today’s criminal is busily scanning these public forums, researching victims and collecting any personal information that can be used to digitally attack the individual and/or their network of friends and peers. Using this intelligence, they craft highly customised messages that immediately gain the potential victim’s trust; these are known as spear phishing attacks.

Spear phishes encourage recipients to open a malicious attachment, to follow a false link that introduces malware to the user’s device and the infrastructure to which it connects, or to disclose personal information that criminals can use fraudulently. This leaves the employee and their employer open to potentially massive security breaches: loss of customer data, loss of R&D information, system disruption, you name it.

Two-pronged defence

Rather than reiterate the risks, let’s look at what can be done to mitigate these attacks.

For organisations, corporate policies can be used, especially to offer guidelines and set expectations: in particular, detailing what is and isn’t acceptable behaviour on social media, for example around the use of the privacy settings available on forums such as Facebook. However, while that is acceptable for someone’s professional persona, it is increasingly difficult to dictate what someone can and can’t do online in their personal life.

This is where training bridges the gap. People need to be made aware not only of what they should and shouldn’t be doing, but also of what to look out for, and they need to understand how they might be targeted.

For example, one social media avenue that phishers are exploiting is shortened URLs. On Twitter a criminal can use bit.ly or a similar tool to disguise the true destination of a link. Users need to be aware that clicking a link may not take them to paradise, but could instead lead them up a dark virtual alley. A simple solution is a browser plug-in that shows the underlying URL when the cursor hovers over a short link, unmasking the true destination.

It’s a brave new digital world, but it’s also fraught with dangers. Employees need to understand what their virtual profile says about them, both intentionally and unintentionally, if they’re to make sure they aren’t leaving themselves, and their employers, vulnerable to attack.

For security experts in the channel, the dangers posed by social media exhibitionism could offer a lucrative new business opportunity.
