May 3, 2019

The rise of social media data breaches

Falling Through Cracks in the Social Network

Hacks are not new. Internet users are all too used to sidestepping known phishing landmines. With a new attack on businesses and individuals every 39 seconds, we have become battle-hardened in the war against the black hat. Most of us are alert to malicious emails and know what actions to take when we come across them. Now, however, attackers are hitting us where it hurts the most, where we feel safest, where we are supposed to be among friends - now they’re violating our social media lives.

Mobile has created an effective channel for attackers to mine our social data, and the variety and reach of the onslaught is breathtaking. Social engineering is a particularly cynical approach: the attacker builds ‘friendships’ and establishes trust, all the while extracting actionable personal information. ISIS-affiliated groups have used exactly this kind of harvesting, publishing the names, home addresses and family photos of defense forces personnel, all gathered from those personnel’s own social media accounts.

Targeted phishing, known as spear phishing, consists of attacks directed at specific individuals or organizations to extract money and valuable data. In these scenarios the attacker exploits trust, urgency and fear to get the victim to part with money or credentials, rather than exploiting any vulnerability in a system. When directed at senior business executives, this form of attack is evocatively termed whaling. Spear phishing is insidious and, unfortunately, highly effective.

Social media websites themselves may not be the bastions of data integrity that they would have us believe. LinkedIn bled out approximately 6.5 million user password hashes in 2012, stored as unsalted SHA-1 and therefore easily cracked. Facebook’s well-publicized 2018 hack, in which a flaw in the ‘View As’ feature let attackers steal access tokens, exposed the accounts of around 50 million users. Instagram’s 2018 breach saw users locked out of their own accounts after attackers changed the contact details on them. The most consequential breach to date was in the Google+ network, where an API bug exposed the private, unshared profile data of 52.5 million users. Coming on top of an earlier Google+ bug disclosed in October 2018, it ended the consumer platform and prompted Google to tighten third-party access to user data.

These attacks are just the tip of the iceberg. With 44 records stolen per second, the issue is increasingly pervasive. The safeguards aimed at preventing these attacks face an uphill battle against a dizzying array of threats to social media stability. Intrusion Prevention Systems (IPS) cannot reliably block a connection on the basis of a link’s content or syntax: a link to a site that has not yet been flagged looks exactly like any other link. It took only one attempt for hackers to infiltrate a Pentagon official’s computer, disguised as a Twitter link to a family-friendly vacation. No alarms were raised by the seemingly innocuous link, and nothing in the makeup of the message alerted officials to the reality that the sender was a Russian bot. The concern in the wake of this attack is that social media now represents a weak spot for national security. The threat posed by social networks is far greater because of the widespread perception that we are communicating only with our own close networks. Clearly, this is not always the case, and with a Statista report showing 81% of the US population holding at least one social media account, the attack surface is enormous.

Bad Actors and the Abuse of Trust

As noted above, we are more likely to trust the content we see on our social media feeds. We more readily click dangerous links on Facebook or Twitter than we might if they arrived by email or appeared on a website. A ZeroFOX study shows that 66% of spear phishing links are opened by their intended targets. Most of us view social media as a means to connect with friends and family and underestimate the value of our profile information and network connections beyond simple mechanisms for relationship maintenance. Most of us do not appreciate that once a social media account is compromised, an attack can move through our friends and extended connections with relative ease. From there, hackers use our contact lists to reach new unsuspecting victims. They can use our personal data, browsing and shopping histories, and even our political opinions to develop spear-phishing attacks with wide-reaching consequences.

The situation is particularly alarming for companies reliant on social media to fuel business growth. Bad actors damage brand identity by setting up fake ‘branded’ accounts and carrying out fraudulent activities with the data customers share with them. Targeted phishing scams, doxxing attacks, and bot-driven redirects can expose data security vulnerabilities, while a perceived inability to thwart these attacks creates an impression of weakness and undermines brand value.

Sorry Not Sorry

A security system of revelation and regret is no system at all. Mark Zuckerberg’s fifteen-year record of apologies for breaches in his social network is a worrying reminder that the onus is on us, the users, to shore up our social media defences. A robust framework comprising awareness training, social media usage policies, strong authentication (unique passwords and multi-factor authentication on every account), and a healthy skepticism is more likely to maintain the integrity of our social media data than the naive belief that our social networks protect it for us.