In an age where social media has become the top business platform for many marketing and sales teams, companies have to grapple with the dual definition of “exposure.”
To anyone on the go-to-market side of the house, the connotation is undoubtedly positive; social media has been a godsend. More followers yield more engagement, more engagement yields more conversions, more conversions yield more sales and customers.
However, “exposure” is also the age-old enemy of security teams, who struggle to keep up with a quickly eroding security perimeter. In this new paradigm, both corporate and employee activity typically occur on unregulated and unprotected channels outside the security team’s vantage point. This expanding role of the information security team requires a new approach to securing the organization. Just as they had to expand their mandate to secure the corporate website, so too must they turn their attention to the challenge of protecting the company’s social media presence, where an increasing proportion of company revenue and brand value is won or lost.
In recent years, hackers have started to abuse social media in droves for the same reasons marketing teams are investing more time and money into leveraging the platforms: unprecedented scale, access to targets, ease of use, cost effectiveness and ability to distribute content to billions of users on a real-time basis. A malicious actor with nothing more than an Internet connection can build a fraudulent profile and be up and running in minutes. In 2017, we have seen the social media hack come into its own as a sophisticated attack vector.
And so it’s no surprise that social media hacking has been in the headlines lately. It ranges from embarrassing account hijackings to full-fledged, nation-state cyber campaigns. It goes far beyond the alleged Russian propaganda and inflammatory ads you may have read about. Today, all sophisticated adversaries and government cyber teams are using social media to conduct reconnaissance and launch advanced cyberattacks at individuals, corporations and governments alike.
In the spirit of National Cybersecurity Awareness Month in the U.S., we compiled the three worst social media attacks we’ve seen in 2017, as well as five recommendations for organizations to get their social media protection program up and running at full steam.
10,000-plus U.S. government employees spear-phished with malware-laced posts
Timeframe: Early 2017
Attack type: Targeted phishing and malware, fraudulent accounts
Summary: In early 2017, Russian operatives sent over 10,000 custom phishing messages via social media, each link laced with malware enabling the attacker to access and control the victim’s device. This attack represents a major advancement in cyber capabilities and an escalation of Russia’s cyberwar against the US. This is the most well-organized, coordinated attack at the nation-state level we’ve ever seen.
Third-party app leads to high-profile account compromises
Timeframe: March 2017
Attack type: Account takeover
Summary: A vulnerability in a third-party app for the Twitter platform allowed Turkish-language attackers to hijack hundreds of high-profile accounts. They posted aggressive messages against the Netherlands after a contentious week of deteriorating relations between the Netherlands and Turkey and pivotal elections in both countries. The posts used swastikas and called the Dutch “Nazis.” The breached accounts included a number of global brands and well-followed, verified accounts, including Forbes, the official Bitcoin Blockchain account, Starbucks, the European Parliament, UNICEF, Nike and Amnesty International. Because the attackers acted through an application the account owners had already authorized to post on their behalf, the accounts’ own passwords and two-factor settings were not the control that failed; the lesson is to audit, and prune, the third-party applications granted posting rights to corporate accounts.
Video music service hacked via targeted phishing attack, 3.12TB exfiltrated
Timeframe: September 2017
Attack type: Targeted phishing and malware, fraudulent accounts
Summary: This streaming music video service suffered a breach when one of its employees was phished via LinkedIn. Hackers were able to obtain and publicly release 3.12TB worth of the company’s sensitive internal data. The professional social network allows attackers to rapidly identify their target at a specific organization and send them a personalized message, all under the guise of professional networking or recruitment.
For organizations to gain visibility and control across social media, the following tips should be kept top-of-mind:
Secure your social media accounts as you would your corporate website. The most straightforward type of social media attack is hijacking a profile, be it an individual profile or a corporate one. The first step in building a social media security program is making sure the corporate accounts themselves are protected. To do this, treat social media just like you do the corporate website: Closely audit who has access and which third-party applications have been authorized to act on the account, mandate robust security settings and two-factor authentication, establish privacy policies, configure each network’s own security settings (login verification and login alerts where the network offers them), and use a monitoring tool to identify indicators of compromise or other suspicious activity.
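As an added example of the monitoring step in the recommendation above (this is illustrative code written for this article, not code from the article’s authors or from any vendor product), the following Python script runs a handful of indicator-of-compromise checks over a constructed export of a corporate account’s activity log. The log format, the approved actors, tools and countries, and the sample events are all assumptions chosen to show the pattern of a takeover through an authorized third-party app: write access granted, two-factor authentication switched off, then a burst of posts from an unexpected client and country.

```python
"""Flag indicators of compromise in a corporate social-media account's activity log.

Added example for this article; it is not code from the article or from any
vendor.  The log format below (timestamp | actor | action | client app |
country | details) is an assumption standing in for whatever account-activity
export or API your network provides; only the parser should need changing.
"""
from collections import Counter
from datetime import datetime, timedelta

# Baseline agreed between security and marketing (assumed values).
APPROVED_ACTORS = {"mktg-social", "mktg-lead"}          # people allowed to use the account
APPROVED_APPS = {"Web Client", "ApprovedScheduler"}      # tools allowed to post
APPROVED_COUNTRIES = {"US"}                              # where the team works from
SENSITIVE_ACTIONS = {"2fa_disabled", "email_changed", "password_changed", "recovery_phone_changed"}
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 5                                          # posts per window before we call it a burst

# Constructed sample log: normal activity, then a third-party app is granted
# write access, 2FA is switched off, and the app posts a burst of messages
# from an unexpected country (the pattern of a compromised-app takeover).
SAMPLE_LOG = """
2017-03-14T09:02:11 | mktg-social | login | Web Client | US | ok
2017-03-14T09:05:40 | mktg-social | post | ApprovedScheduler | US | campaign post
2017-03-14T13:30:02 | mktg-lead | app_authorized | Web Client | US | app=FollowerStats scopes=read,write
2017-03-14T18:45:00 | mktg-lead | 2fa_disabled | Web Client | US | -
2017-03-15T03:11:09 | mktg-lead | post | FollowerStats | DE | hostile message 1
2017-03-15T03:11:15 | mktg-lead | post | FollowerStats | DE | hostile message 2
2017-03-15T03:11:31 | mktg-lead | post | FollowerStats | DE | hostile message 3
2017-03-15T03:12:02 | mktg-lead | post | FollowerStats | DE | hostile message 4
2017-03-15T03:12:40 | mktg-lead | post | FollowerStats | DE | hostile message 5
"""


def parse_event(line):
    """Parse one pipe-separated line of the constructed log format."""
    ts, actor, action, app, country, details = [f.strip() for f in line.split("|")]
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "action": action,
            "app": app, "country": country, "details": details}


def detect_iocs(lines):
    """Return (indicator, timestamp, evidence) tuples for every suspicious event."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for e in events:
        when = e["ts"].isoformat()
        if e["actor"] not in APPROVED_ACTORS:
            alerts.append(("unknown_actor", when, e["actor"]))
        if e["country"] not in APPROVED_COUNTRIES:
            alerts.append(("unapproved_country", when, e["country"]))
        if e["action"] == "post" and e["app"] not in APPROVED_APPS:
            alerts.append(("post_via_unapproved_app", when, e["app"]))
        if e["action"] == "app_authorized" and "write" in e["details"]:
            # A third-party app with write scope can post as the account without
            # ever touching its password or 2FA.
            alerts.append(("third_party_write_access_granted", when, e["details"]))
        if e["action"] in SENSITIVE_ACTIONS:
            alerts.append(("sensitive_setting_changed", when, e["action"]))
    # Hijacked accounts are typically used for a rapid volley of posts.
    posts = [e["ts"] for e in events if e["action"] == "post"]
    for i, start in enumerate(posts):
        in_window = [t for t in posts[i:] if t - start <= BURST_WINDOW]
        if len(in_window) >= BURST_LIMIT:
            alerts.append(("posting_burst", start.isoformat(),
                           f"{len(in_window)} posts within {BURST_WINDOW}"))
            break  # one alert per run is enough to page someone
    return alerts


def summarize(lines):
    """Count alerts by indicator type, for dashboards or tests."""
    return Counter(kind for kind, _, _ in detect_iocs(lines))


if __name__ == "__main__":
    for alert in detect_iocs(SAMPLE_LOG.splitlines()):
        print(*alert, sep="  ")
```

The checks are deliberately simple allow-list comparisons; the value is in deciding the baseline (who may post, with which tools, from where) with the marketing team in advance, so that the first post from an unfamiliar client or the granting of write scope to a new app is something a person looks at the same day rather than after the hostile posts go out.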
Assess types of risks and threats. Beyond securing the accounts, organizations must address the diversity of other risks that exist outside the purview of the company’s owned accounts. This includes both business risks and security threats, including fraudulent accounts scamming customers, phishing attacks against employees’ and executives’ personal accounts, leaked data, credential loss, fake coupons and fake customer support agents, brand reputation damage, social engineering campaigns, targeted malware distribution, piracy and more. The risks will vary based on your industry, size, social media presence and nature of critical assets. A good place to start in investigating what types of risk are damaging your organization is to sit down with the marketing and customer support teams, who, as the main active social media practitioners in an organization, have likely already encountered cyberattackers in the wild.
Build a social media protection task force. Security should lead the initiative for protection of social media. After all, the technical expertise required to manage and respond to a widespread malware campaign against company executives on social media is something best left to the information security team. The task force should include stakeholders from any department affected by or required in the identification and management of threats. This often includes marketing, corporate security, customer success, risk and fraud, and sometimes human resources and legal.
Adopt an automated social media protection solution. Social media protection platforms automate the process of finding and responding to threats. They use artificial intelligence to ingest and analyze social media data related to your brand, corporation and employees, and to identify and respond to threats in real time. These solutions are sometimes referred to as “digital-risk monitoring” tools.
Identify and mitigate threats as they arise. Cybercrime, fraud, fake accounts, scams and more are all in stark violation of the social network’s Terms of Service. The onus to identify and flag the risk often falls to the affected organization, if for no other reason than the sheer scale of social media and the abuse contained within it. Once flagged, the networks will remove the offending content. Once again, a social media protection tool can help automate this process for your team.
Following these steps will put an organization on a path toward comprehensively addressing the risks associated with social media.