Over the past couple of years, we have seen social engineering attacks graduate from email to that increasingly prevalent form of communication - social media. By ‘social engineering’ we’re talking about online confidence tricks - anything that can dupe the reader into acting, clicking on a link, giving up personal details or otherwise falling for whatever scam is on offer.
Through education and experience, we are learning to ignore ‘phishing’ emails pretending to be from our banks and internet service providers. While the rate of phishing email is up (1 in 414 emails is a phishing attack, according to the Internet Security Threat Report, Volume 18), the number of resulting breaches is not as high as it once was.
People are increasingly falling for similar forms of attack that take advantage of social media, however. The problem with social sites such as Facebook and Twitter is two-fold: first, they are designed to make clicking, liking and sharing almost throw-away gestures; and second, they often connect people who don’t know each other that well.
As a result, as scammers have discovered, it has become quite straightforward to entice users on social media sites. In our December 2013 Intelligence Report we highlighted five types of attack that you need to be aware of:
Fake Offerings which invite users to join a fake event or group, using incentives such as free gift cards. Joining often requires the user to share credentials with the attacker or send a text to a premium rate number. Fake offerings account for four out of five social media attacks.
Fake Plug-in Scams, in which users are tricked into downloading fake browser extensions. These pose as legitimate extensions but, once installed, can steal sensitive information from the infected machine.
Like-jacking Scams, which use fake “Like” buttons to trick users into clicking website buttons that install malware; the malware may also post updates to the user’s news feed, helping the attack spread.
Fake Apps that appear to be legitimate apps but contain a malicious payload. The attackers often take legitimate apps, bundle malware with them, and then re-release them as free versions of the original.
Like farming and manual sharing. These rely on victims to do the hard work by presenting them with intriguing or heartstring-pulling videos, fake offers or poignant messages, accumulating ‘likes’ which can then be sold.
In the corporate environment, social media is already posing a challenge as it erodes traditional corporate boundaries - particularly in marketing and customer services, where a company’s social site may become a major conduit for communications. It is also part of the picture we call consumerization, in which personal tools, devices and services make it harder to protect the corporate boundary.
With social media, inviting the devil over the corporate doorstep has never been easier. Given that no watertight answer exists (malware-checking tools will never be able to protect against all such scams), education has a major role to play, and organizations that have a duty of care to protect their staff need to take that into account.
We can all learn to be more vigilant, and benefit from common sense reminders about these new takes on some of the oldest con tricks in the book. Not least: think before clicking on links, and remember that if something looks too good to be true, it probably is.