Introduction
Twitter, Facebook, Instagram. What do all these and many other social media networks have in common? They all have functionality to show your location, give personal "tidbits," show pictures and generally create a public profile. These can all be a great way to stay in contact with friends and family despite long distances. They can also be a great way to get hired or to show your talents and professional abilities. These same social media networks can end up causing security catastrophes. This essay aims to discuss various technologies and methods used to socially engineer social networks. It will accomplish this by using resources from various experts, firsthand accounts and social experiments. Following these discussions, a conclusion will summarize the findings of this essay and provide contemplation topics for the reader. Social engineering may seem like a conspiracy theory, but despite what one may think it is a prevalent method currently in use by many organizations. It happens... Big organizations get targeted for social engineering. In 2013 the New York Times fell victim to its website being defaced, and this is attributed to a social-engineering attack. Countless organizations are victims of this prevalent hacking technique. Social engineering is usually done through emails or even face-to-face contact. Those techniques can be easier to mitigate for many companies because they can enforce policies and procedures that protect themselves and their employees. A not-so-easy tactic to prevent is when attackers turn to social media for social engineering.
Nearly everyone has a Facebook, LinkedIn or Twitter account. Many organizations have "Employees [that] are on Facebook, LinkedIn, Twitter and Quora, and they are adding personal information to the Web every single day". This can be a big concern for companies because many employees will use these accounts to explicitly or implicitly state where they are, where they might be or what they are doing. A social-engineering attack may be simpler than people think.
An attacker might begin by desiring the data and records of a specific organization. They can begin by getting on the internet and going to LinkedIn. From this website they can search for that specific organization. This gives them the possibility of acquiring many contacts. Then they may acquire "Job titles, employment histories, education history, affiliated organizations, business contacts and in some cases their [employee] pictures". Based on this information the attacker could now get an idea of an employee's hobbies, family relations and Facebook accounts. After this information is acquired, a slightly technologically savvy attacker could spoof a text message from a business associate to the targeted victim. This text message could be the beginning of the end for an organization's security measures. This is just one of countless ways an attacker could use a social network for nefarious purposes.
The scary stuff...
It is fun to be able to update friends and family concerning one's whereabouts, and some safety can even come from this, but widely available software might make individuals think twice about streaming constant updates. Social networks love giving members the opportunity to inform others what is currently happening in their lives. Social engineers also love this prevailing capability. Geolocation profiles are essentially dossiers containing as much information as possible about a target's daily routine. These profiles are created by going through Facebook updates, Twitter updates and any other social media the target might be subscribed to, in order to obtain location updates. This information is used to find the target's physical location on the earth. Then, a "routine" is essentially written out that shows where the target is during the specified parts of the day.
A potential target might leave their house on their way to work and grab a coffee from Starbucks every morning. When they get to Starbucks they might take a picture of their morning coffee with some clever comment and post it to Facebook. An attacker watching that Facebook account could map out, from these status updates alone, which days of the week the individual works and at what hours. They may also be able to see which Starbucks location the individual goes to every work day. This is how an attacker can begin to build a geolocation profile.
Cree.py is a well-designed, easy-to-use program for creating geolocation profiles. This software comes with a neat tutorial and can be installed on just about any Linux distribution or even on Windows. It allows one to simply type in the username of the social media account that the target subscribes to, and the software begins looking for any location updates. From here one can export the file to Google Earth, and then the magic happens: the software will gladly create an entire map with the times and dates of where the target was when they made each status update. This software is available to anyone; it is free and easy to install for nearly anyone who knows a little bit about technology. How does one protect oneself from such social media engineering techniques?
Robin Sage
The Robin Sage experiment was a social-engineering experiment that used social media as the primary method. This social experiment was conducted for 28 days. During the course of these 28 days a profile was created for a fictitious female "security analyst" that happened to have an attractive profile picture. Thomas Ryan conducted this experiment as a way to draw attention and concern to this type of attack. Over the 28 days Ryan used this profile to gather "hundreds of connections through various social networking sites". The most concerning part of the study was that Ryan was able to obtain "information revealed to Robin Sage [that] violated OPSEC procedures". Ryan's fictitious profile was even asked to come and "speak at a variety of security conferences". The conclusion of this case study shows that one needs to beware of seemingly friendly unknown business connections.
Psychology
Social engineers are essentially applying basic, well-known techniques from human psychology. "The trigger most often used by an attacker is called 'the strong affect.' This trigger uses a heightened sense of emotional state, such as fear, panic, excitement, or grief in order to get the victim to take an action". This theory is often used in combination with breaking news and malicious links via social media. An attacker will wait until a news story becomes mainstream, such as a celebrity dying or a plane crash. Once this has happened the attacker might take advantage of a social media technology like Twitter. They can tweet a comment with the hashtag associated with the mass event, with a link in the tweet stating something like "Get the full story here" or some other seemingly promising title. Any victim that clicks the link might get malware installed on their device. The best way to thwart a social-engineering attack that comes through social media is usually education.
Conclusion
Perhaps, after reading about all the dangers of using the internet, one might want to stay as far away from it as possible. Although this would be a viable way to avoid social-engineering attacks through social networking, it is not very achievable in the information age in which society operates. There was a time when society was positive the earth was flat, and even put people to death if they disagreed. Thankfully, education tends to enlighten the minds of many.
As with most things in life, education is the key to success. Whether this is success in marriage or success in avoiding scams and malicious schemes, the more an individual is educated and knowledgeable on the given subject, the greater their chances of survival. It is important to never stop learning about new technologies and their benefits and downfalls. If one does this, they will avoid most of the hardships and heartaches that can come from being ignorant.
The best way to prevent social engineering through social networking is to stay educated on the topic. It is best to remember that, generally, if it is too good to be true it probably is not true. Also, do not put information on any social media network that would compromise the security of your home, family or workplace. Finally, one needs to be smart with the exchange of information, i.e., one should always be constantly vigilant with regard to personal information sharing. Following the previous suggestions will likely increase one's personal security and help deter any social-engineering attacks through social networking.