Social Media Sharing

How employees help bad guys steal credentials.

Social media sharing can be a fun, interactive way to keep up with friends and share where you've been and what you've been up to. However, the same information can be used against you and against your company.

The folks over at Malwarebytes (you should download their product if you haven't already) wrote the following about social media and phishing:

"One of the primary reasons that phishing is so effective is that many email users are not sufficiently skeptical or discriminating about suspicious emails, often because they lack training about how to identify phishing attempts.

To demonstrate how phishers might use personal information to their advantage, I found someone on Facebook whom I do not know personally but who has an active presence and provides a significant amount of information on his public Facebook page.

Phishing and spear phishing are serious problems that will get worse in the future, often because victims are not sufficiently trained and because many provide key information to cybercriminals. Organizations must work to raise awareness among their employees or risk the exploitation of sensitive company data." We could not agree more.

So, here is what I suggest you send to your employees. You're welcome to copy, paste, and edit it:

A security researcher decided to see how hard it would be to build a targeted phishing attack on a total stranger. He went to Facebook, picked a man he did not know personally, and from that man's public page alone gathered a wealth of information, including:

He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
He visited The Brewhouse in Whistler on Sept. 16.
The names of at least some of the people he was with on Sept. 13.
He visited the 192 Brewing Company on Sept. 12.
He visited the Chainline Brewing Company on Sept. 11.
He visited American Pacific Mortgage on Sept. 9.
He went to a Seattle Seahawks game on Sept. 3.
And based on his Facebook profile, it was clear who he worked for, the city in which he lives, his wife’s name, and lots of other information.

If the security researcher were a bad guy trying to get this victim's corporate login credentials, he could easily craft an email with the subject line "Problem with your credit card charge at Tapley's Pub", a subject line the victim would almost certainly open given his recent visit there.

Next, in the body of the email, the bad guy could write a short, believable message about a problem running his credit card and provide a link asking him to verify the charge. That link could lead to a site that silently installs a keystroke logger on his computer (a drive-by download), and it is GAME OVER.

The bad guy can now capture every keystroke of the victim from then on, which would include login credentials and other confidential information.

The moral of this story: do not overshare personal information on social media. This is true from the mail room up to the board room. Shared personal information can come back and bite hard. And remember that the pretext above only works if the victim clicks the link: a charge you do not recognize should be checked by logging in to your card issuer's site directly or calling the number on the back of the card, never through a link in an email, no matter how well the email seems to know you.

Think Before You Share.
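The facts the researcher collected are exactly what a self-audit should look for. The following Python script is added here as an illustration; it is not part of the original post or of the Malwarebytes write-up. It reads a constructed, simplified data export (the field names and the fictional people and venues in it are assumptions; Facebook's real "Download Your Information" format differs, so adapt the keys) and lists what a stranger with no friend access would see: recent public check-ins, the people tagged alongside you, and profile facts, while counting how many posts a friends-only audience setting keeps out of view.

```python
"""Self-audit: what could a stranger learn from your public posts?

Added example, not from the original post. The export layout below is an
assumed, simplified one; a real social-media data export uses different keys.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample export: fictional people and venues invented for this
# example (not real check-ins). The audience field models Facebook's
# per-post "Public" vs "Friends" setting.
SAMPLE_EXPORT = json.dumps({
    "profile": {"employer": "Example Widgets Inc", "city": "Seattle, WA",
                "spouse": "J. Example"},
    "posts": [
        {"timestamp": "2016-09-20T21:05:00Z", "audience": "public",
         "place": "Harbor Taproom", "locality": "Whistler, BC",
         "tagged": ["Pat Example", "Sam Example"]},
        {"timestamp": "2016-09-16T19:30:00Z", "audience": "public",
         "place": "Village Brewhouse", "locality": "Whistler, BC",
         "tagged": ["Pat Example"]},
        {"timestamp": "2016-09-09T10:00:00Z", "audience": "public",
         "place": "Evergreen Mortgage", "locality": "Bellevue, WA",
         "tagged": []},
        {"timestamp": "2016-09-03T13:00:00Z", "audience": "friends",
         "place": "Stadium", "locality": "Seattle, WA", "tagged": []},
        {"timestamp": "2016-06-01T12:00:00Z", "audience": "public",
         "place": "Old Cafe", "locality": "Seattle, WA", "tagged": []},
    ],
})


def parse_export(raw):
    """Parse the JSON export and attach an aware datetime to each post."""
    data = json.loads(raw)
    for post in data["posts"]:
        post["when"] = datetime.strptime(
            post["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return data


def public_footprint(export, now, window_days=30):
    """Return what an outsider (not a friend) could collect.

    Only posts with a public audience are visible; only those inside the
    recency window are useful as a phishing pretext ("your charge at X").
    """
    cutoff = now - timedelta(days=window_days)
    visible = [p for p in export["posts"] if p["audience"] == "public"]
    recent = sorted((p for p in visible if p["when"] >= cutoff),
                    key=lambda p: p["when"], reverse=True)
    # Tagged friends are pretext material too ("Pat asked me to forward this").
    companions = Counter(name for p in recent for name in p["tagged"])
    return {
        "profile": dict(export["profile"]),
        "recent_checkins": [(p["when"].date().isoformat(), p["place"],
                             p["locality"]) for p in recent],
        "companions": companions,
        "hidden_posts": len(export["posts"]) - len(visible),
    }


def lock_down(export):
    """Model the fix: switch every post's audience to friends-only."""
    locked = {"profile": export["profile"],
              "posts": [dict(p, audience="friends") for p in export["posts"]]}
    return locked


def report(footprint):
    """Render the footprint as the lines an attacker would jot down."""
    lines = [f"{k}: {v}" for k, v in footprint["profile"].items()]
    for date, place, locality in footprint["recent_checkins"]:
        lines.append(f"{date}: visited {place}, {locality}")
    for name, n in footprint["companions"].most_common():
        lines.append(f"seen with {name} ({n} post(s))")
    lines.append(f"{footprint['hidden_posts']} post(s) not visible to strangers")
    return "\n".join(lines)


if __name__ == "__main__":
    export = parse_export(SAMPLE_EXPORT)
    now = datetime(2016, 9, 22, tzinfo=timezone.utc)
    print("--- as a stranger sees it ---")
    print(report(public_footprint(export, now)))
    print("--- after setting every post to friends-only ---")
    print(report(public_footprint(lock_down(export), now)))
```

Run it against an export of your own account (after mapping the field names) and read the first block as an attacker would: every dated venue and every tagged name is a ready-made subject line. The second block shows that the audience setting, not just posting less, is what shrinks the footprint.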

Use Social Media Safely

Get advice for yourself and your employees on the safest ways to use social media. Facebook has plenty of privacy settings; use them to keep check-ins, tagged photos, and your employer and family details away from people you do not know.