Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Epidemic: Hackers Insert Cyber Attacks in Social Media Posts

June 8, 2017

The New York Times carried a story on May 28^th (hat tip to Dave Ries) demonstrating that it took only one attempt for Russian hackers to make their way into the computer of a Pentagon official. But the attack didn't come through an e-mail or a file buried within a seemingly innocuous document.

A link, attached to a Twitter post put out by a robot account, promised a family-friendly vacation package for the summer. It was the kind of thing anyone might click on.

So . . . while we're all busy training folks on phishing attacks via e-mail, the bad guys have moved to a new attack vector – social media accounts.

Pentagon officials are increasingly worried that state-backed hackers are using social media sites such as Twitter and Facebook to break into Defense Department computer networks. And the human error that causes people to click on a link sent to them in an e-mail is exponentially greater on social media sites because people are more likely consider themselves among friends and colleagues.

As always, once one person is compromised, attacks can move quickly through that person's friend network, leading to what the officials described as a nightmare situation in which entire departments at the Pentagon could be targeted. And while officials know about the problem, training about how to spot an attack that comes through Twitter and Facebook remains limited.

And that is certainly true in law firms and other business entities.

Few people realize that a message on Twitter or Facebook could be spoofed or imitated so it appears that attackers are a trusted friend. This is spear phishing of a new type.

A report in Time magazine in May revealed that a Russian-led cyberattack tried to spear phish 10,000 Twitter accounts belonging to Defense Department employees, using personal messages targeted at specific users.

The Defense Department did not respond to a request for comment. Twitter says it is "monitoring" spear phishing on its platform. Facebook said it was using specialized notifications, detection systems and user education to counteract spear phishing. Cybersecurity companies said spear phishing through social media was one of the fastest-growing methods of attack.

According to a 2016 report by Verizon, roughly 30 percent of spear phishing emails are opened by their targets. But research published by the cybersecurity firm ZeroFOX showed that 66 percent of spear phishing messages sent through social media sites were opened by their intended victims.

Double the fun, eh?

In the Defense Department attack, for example, 7,000 employees took the first step toward being compromised by clicking on a link, said Evan Blair, a co-founder of ZeroFOX. "The attacks are so much more successful because they use your personal timeline and the content you engaged with to target the message to you," Mr. Blair said.

Simply by looking at public posts, attackers can easily see if an account has mentioned a certain band or sports team often, then tailor a message pointing to tickets going on sale for an event. On Facebook, an attacker can see which groups have been joined, or which public pages have been liked.

In an experiment last year, ZeroFOX created an automated program that taught itself to send spear phishing links to Twitter users. Over two hours, the program sent links to 819 people, at a rate of roughly 6.75 messages per minute. Two hundred seventy five users opened the links.

One can only imagine what a bot army is capable of.

Mr. Blair said that in the case of the Defense Department, the links had carried the malware. Once people clicked on the link, they were infecting their computer networks. In many cases, the attackers targeted members of Defense Department employees' families, who were less likely to be suspicious.

In fact, the Defense Department employee who told The Times that he had been part of the recent breach said he had been targeted through his wife's Twitter account. It was his wife who clicked on a link to a vacation package, after exchanging messages with friends over what they should do with their children over the summer. Once the hackers got into her computer, the official said, they got to his computer through a shared home network.

With four Employee Security Awareness training sessions for law firms coming up, I can see that the content of this story needs to go in the PowerPoint.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

Sharon D. Nelson, Esq.
President

Subscribe in a Reader

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Ride the Lightning

Epidemic: Hackers Insert Cyber Attacks in Social Media Posts

Subscribe for More!

Recent Posts

Listen to the Podcast

Disclaimer