We pour information about ourselves, our work, into social media. Threat actors are abusing social media and related services as part of their online attacks. Matt Webster, Counter Threat Unit researcher at IT security company SecureWorks, talks about how threat actors are using social media, such as LinkedIn, and online file storage to profile targets; why this is a serious and persistent issue; and what companies can do to protect themselves.
How are threat actors using social media and online file storage?
We have seen several instances of threat actors abusing social media and other online services (such as file storage) as part of their attacks. Threat groups appear to leverage these services to fulfil a variety of objectives at different stages in the intrusion process, meaning that for network defenders the associated risks with these online services can be dynamic and challenging to deal with.
We have seen examples of threat groups using social media platforms (such as LinkedIn) to identify particular profiles of individuals within organisations they are trying to target, and to cultivate relationships that can later be exploited as part of their attack. Not only can adversaries identify and communicate with individuals of interest, via overly descriptive job role descriptions, they may also find information that might assist their attack planning (e.g. the security tools and technologies deployed within a target network, and individuals working in desirable areas of an organisation). Social media channels have even been used to enable malware to communicate with attackers, once it has successfully infected a system. We have also seen examples of threat groups leveraging free cloud storage websites in their attacks, including as a mechanism to deliver malicious software to targeted organisations, or using online file storage sites to store data stolen from networks.
2. What type of threats are using online services for malicious activity?
As these services are freely available and can be leveraged to support an intrusion in a number of different ways, we have seen threats of all types use these services (including nation state espionage groups, and financially motivated cyber criminals). We have also seen examples of malicious insider activity in which file storage websites were used as a conduit for data theft.
3. Do we expect it to continue?
Attackers will continue to leverage services that are free/cheap, easy to access and effective in terms of the attacker’s end-goal. At the present time free online services (such as file sharing sites and social media) generally meet each of these criteria.
Social media and recruitment sites continue to be powerful resource for attackers to understand the individuals or organisations they are targeting. This information can be used to make phishing emails that are more appealing to the intended victim, or give them the inside track on an organisation’s operations, security tools and information assets. Recruitment sites also present a favourable environment for cold contact and developing online relationships.
Another benefit for the attacker in using popular online social media and file storage sites is that internet users typically attach some degree of legitimacy when accessing links to trusted and recognizable.
Malicious activity on popular social media and file storage websites can also be difficult to detect amongst legitimate use through technical means, e.g. some automated detection systems or network traffic filters may be configured to trust popular social media or file storage sites, meaning connections to malicious files may not be flagged as suspicious. In addition the vast majority of popular file storage or social media sites encrypt communications between the user’s device and the website, meaning that some network defenders maybe blind to the content of the communications with these sites.
4. What can companies do to minimise the associated risks?
Companies should ask themselves the question: does my organisation need access to these websites on corporate systems? Where the answer is no, organisations should be able to significantly reduce these risks by preventing access to these site, or allowing access by exception. Other approaches to managing this risk may include:
– user education to help staff avoid risky behaviour (including clicking on links in unsolicited emails)
– policies that prevent disclosure of sensitive business information on online resumes
– security monitoring and technologies (including end-point threat detection).
For a white paper from the firm on hybrid IT visit https://www.secureworks.com/resources/wp-make-hybrid-it-secure.
