For organizations, social media is vital for the success of their business. It forms a central part of their efforts to build brand awareness, establish their community, do market research and gather intelligence. However, because of the frequency with which it’s used and the importance of the role it plays, social media cybersecurity threats can have a very tangible impact on an organization through reputational damage, data breaches, or worse.

In a recent survey by Statista, it was revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. Due to the constantly changing nature of technology and trends, it’s difficult to pin down a defined set of best practices. 

In this article, we take a look at why and how attackers target social accounts as well as reviewing some of the current best practices for mitigating the risks.

Why Do Hackers Target Social Media Accounts?

A successful account takeover can enable threat actors to achieve a variety of malicious objectives, from the distribution of malware to the spreading of misinformation. Some of the most common uses for a compromised account are as follows:

Continuing the Attack: Generally speaking, most people are wary of random messages from strangers. However, if you can gain access to someone’s account and launch your phishing campaign against their contacts you can leverage the trust already established as a personal contact to dramatically improve the success rate of the phishing campaign. In the case of an organization’s account, these attacks are particularly harmful as they can target thousands or even millions of followers and can come with serious associated reputational damage.

Gathering Intelligence: The actual account takeover might not be the endgame of the attack. Instead by taking over an account, they gain access to intelligence, from an individual's messaging history to extensive personal details on an individual and their contacts.

Reputational Damage: We’ve already mentioned the potential for reputation damage as a by-product. However, there is a chance that reputation damage is the entire objective of the attack. Attackers might have a grudge against an organization or person, for example. Once they have access to the account they could do a range of things, such as posting racist slurs from the account or directly targeting followers through the account.

Credential Stuffing: Many people use the same login credentials across websites. Once attackers have successfully compromised an account, they then attempt logins at other popular websites using the same credentials to see what else they can gain access to. Often the objective is a financial reward.

Blackmail: If embarrassing or damaging information is surfaced through the account attack then hackers are unlikely to miss the opportunity to blackmail the individual or organization to further their other objectives.

4 Examples of Successful Social Media Attacks

LinkedIn Hacked, Exposing 117 Million Credentials

• When: May 2016

• Tactic: Data Breach, Account Takeover

• The 2016 LinkedIn data breach exposed 117 million records of its users including email and password combinations. These were sold on the dark web and allowed hackers to gain access to and control thousands of accounts as well as use the data for credential stuffing.

Vevo Hacked Via LinkedIn Phishing

• When: September 2017

• Tactic: Targeted Phishing & Malware

• In 2017 the streaming service Vevo suffered a breach when one of its employees was phished via LinkedIn. Through this attack, hackers obtained and publicly released over 3TB worth of the company’s sensitive internal data.

HAMMERTOSS Malware

• When: July 2015

• Tactic: Malware/Data Exfiltration

• HAMMERTOSS is a malware which was created to automatically search and extract data from social networks and was controlled by commands posted by attacker profiles. This novel approach to weaponizing social media shows the need to analyze social media as part of the full lifecycle of a cyber attack. 

Twitter Bitcoin Scam

• When: July 2020

• Tactic: Account Takeover

• Through a series of targeted phishing campaigns, hackers were able to get access to internal systems and tools at Twitter. They used this access to take control of numerous high profile accounts, including verified accounts such as Kanye West, Barack Obama, Apple, and Joe Biden. The attackers used the platform to Tweet a message requesting Bitcoin be sent to a specific wallet number with a promise they’d return it doubled. In the short time the message was up the attackers collected over $100,000.

6 Quick Tips to Improve your Organizations Social Media Cybersecurity

1. Employ strong unique passwords.

Avoid the risks of credential stuffing by ensuring that all accounts are locked with strong unique passwords.

2. Keep personal and business accounts separate.

Linking personal and business accounts just make it easier for hackers to gain access to both. So, when possible, keep a separate and distinct login and password for both. 

3. Restrict access and permissions.

Not everyone needs to have the ability to login to the organization’s social media accounts. Not everyone needs to be able to post, share or send messages through it. Additionally, when an employee leaves make sure to revoke their access to all social media accounts.

4. Be mindful about what you share.

Even harmless posts might unwittingly share sensitive data that could be used by attackers. For example, you might share an employee update, maybe congratulating an employee for having a child, information which could be used in a targeted spear-phishing campaign.

5. Protect the physical access points.

Make sure devices are password-protected, don’t leave USB devices lying around, ensure that wi-fi networks are private and secure. These physical security threats are particularly prevalent currently with many employees working from home. 

6. Be wary of third-party apps.

Third-party apps like scheduling softwares are invaluable, allowing you to save a huge amount of time. However, they also provide an additional way for attackers to gain access to your social media accounts. 

The Role of OSINT in Securing Social Media Platforms

By monitoring social networks for mentions of your brand and keywords, you’ll know right away when suspicious conversations about your brand emerge. For example, people might be sharing fake coupons or offers, or an imposter account starts tweeting in your name. Using OSINT you can monitor all the relevant activity online regarding your business and quickly identify fraud allowing you to respond to it in a timely fashion.

Additionally, you can use OSINT tools like Signal to monitor not only your social media channels for things like imposters but also for physical threats against employees or branch locations. 

OSINT is vital in identifying when one of the above-mentioned risks of social media becomes more than just a threat when it becomes a reality. Being amongst the first to know when something like this happens allows you to respond quickly and effectively.

Social engineering is an attempt by attackers to fool or manipulate others into surrendering access details, credentials, banking information, or other sensitive data. Once access is gained the general goal is to gain money. 

Recently, for example, Twitter was subject to a high profile social engineering attack. Attackers manipulated several Twitter employees to gain access to the platforms admin accounts. Once they got access they used the admin privileges to post a tweet saying “All Bitcoin sent to our address below will be sent back to you doubled!”  They posted on a number of celebrity and company profiles including Apple, Bill Gates, Elon Musk and Joe Biden.

Twitter shut the attack down quickly but not before the attackers got away with an estimated $120,000 USD worth of Bitcoin.

Social engineering is a creative strategy for attackers to exploit human emotion and ego, generally for a financial reward. It often forms part of other strategies as well such as ransomware. 

In this article, we take a look at some of the more common forms and tactics of social engineering as well as exploring just how an organization can protect itself from such an attack.

What are the stages of a social engineering attack?

In general, social engineering attacks are implemented in three stages.

1. Research. Attackers perform research to identify potential targets as well as to determine what strategies might work best against these particular targets. Attackers will likely collect data off company websites, LinkedIn and other social media profiles and potentially even in-person.

2. Planning. Once the attackers know who they will be targeting and have an idea of the targets potential weaknesses, they have to put together a strategy that is likely to work. The attacker needs to design the strategy and specific messages they will use to exploit the target’s individual weaknesses. Sometimes discussions surrounding plans can be found on darknet forums.

3. Implementation. The first stage of execution of their prepared strategy is often sending messages through email, social media messaging or some other messaging platform. Depending on their approach the entire process could be automated, targeting a broad number of individuals, or it might be more personal with the attacker interacting personally with their victim. Generally, they are aiming to gain access to private accounts, uncover banking or credit card details, or to install malware.

6 of the Most Common Social Engineering Attack Strategies

1. Phishing and Spear Phishing.

Phishing messages are designed to get a victim’s attention with an alarming or curious message. They work on emotional triggers and often masquerade as well known brands making it seem like the messages come from a legitimate source.

Most phishing messages have a sense of urgency about them causing the victim to believe that something negative will happen if they don’t surrender their details. For example, they might pose as a banking institute and pretend to be a fraud notice asking them to log into their account immediately, however, the email actually links to a fake login page.

Spear phishing is similar but with a more targeted individualistic approach.

2. Baiting.

A baiting attack generally pretends to offer something that the victim would find useful, for example, a software update. However, instead of a useful update or new software, it is, in fact, a malicious file or malware. 

3. Scareware. 

Playing on the targets fear this approach seeks to persuade the target that there is already a malware installed on their computer, or perhaps seek to persuade them that they already have access to their email address. This attack will then persuade the target to pay a fee to remove the malware. 

4. Pretexting.

In a pretexting atack the attacker creates a fake identity and they use it to manipulate their victims into providing private information. For example, the attacker might pretend t be part of a third-party IT service provider. They would then ask for the users account details and password in order to assist them with a problem. 

5. Quid Pro Quo. 

Similar to baiting, a quid pro quo attack promises to perform an action which will benefit the target. For example, an attacker might call an individual in company who has a technical support inquiry and then pretend to help them. However, instead of actually helping them they get the individual to compromise the security of their own device.

6. Tailgating.

Tailgating is a physical type of social engineering. It enables criminals to gain physical access to a building or secure area. An example of how this might work would be the criminal following behind someone authorized to access an area, they ask the person ahead to simply hold the door for them assuming an air of innocence.

How to Prevent Social Engineering

One of the key reasons social engineering is so difficult to protect against is because of the variety of ways it can be implemented. Attackers can be incredibly creative and this can make it very hard to spot a social engineering attack. Additionally, security professionals have to contend with skilful manipulation of the human ego.

Social engineering attacks exploit human behaviour. They target peoples fears or concerns often with messaging that centres around urgency attempting to encourage victims to take action immediately before they figure out they are part of a social engineering attack. Key to prevention then is remaining suspicious of emails, voicemails, or instant messages through platforms such as Facebook. 

Additionally, security teams need to stay ahead of the attackers. They need to be aware of each variation of a particular social engineering attack. Using OSINT tools, for example, they can learn about current messaging and strategies being implemented as well as potential exploits. Allowing them to take actions to mitigate evolving and emerging threats.

Increased awareness and vigilance though is only the first step. These attacks are common because they are effective, and they are effective because they take advantage of inherently human traits. Changing this human behaviour though doesn’t happen overnight. An internal education strategy needs to be put in place to regularly inform and teach employees about current social engineering strategies in an effort to reduce the potential for any employee to fall prey to one. In these ways, security professionals can mitigate the potential risks that surround social engineering attacks.