At some point in the day, most of us share the same guilty pleasure: when we have a minute of downtime, we check personal email, take a quick 'peek' at what relatives are doing on their Twitter or Facebook profiles, and even slip in some online shopping. But, while scrolling through endless feeds and threads or clicking on a URL to read the joke a colleague sent you, do you ever stop to ask, "What if that link I just clicked on is malicious?" It is likely not a question you ask yourself often. For many individuals, it is even a difficult question to answer, especially if you are unaware of the potential threats within social platforms.
Many individuals think they will never be a target because they don't see themselves as high-value. This is a misconception. Malicious actors aren't specifically targeting you for any particular reason other than the fact that they can. Most individuals are not singled out; they happen to fall within the scope of whatever attack a malicious actor is currently running.
But why social media platforms, you may ask? The answer is straightforward: sheer mathematics. The number of active users on social media is extraordinary. Facebook has over a billion users, followed by Instagram and then Twitter. This makes social media platforms an attractive target for malicious actors to leverage. Consider this: if just 0.1% of Facebook users were successfully targeted or 'hacked,' that equates to one million user accounts that a malicious actor could leverage for additional abuse. The odds are that in that pool of one million users, the malicious actor would have been successful at performing whatever action(s) they intended.
In addition to maintaining high user counts, the main goal of any social media platform is to, well, be a social media platform. The idea is to share and share alike amongst ourselves. Many people on social media have developed a trust for the platform and their relatives, friends, and followers. Unfortunately, this "trust" provides a false sense of security for the user, making them more inclined to click a link or believe the validity of what they are accessing. The truth is, if a friend, follower, or colleague accidentally shares a link to a malicious resource, you may be more apt to click the link unknowingly because it came from a trusted source. Malicious actors aim to exploit the user's willingness to trust social media profiles and content.
So how are users so often tricked into accessing something malicious? Well, there are a couple of standard methods, but phishing is one of the most popular techniques. Phishing is a social engineering tactic where the attacker seeks to gather personal or sensitive information from an individual using deceptive emails, malicious links, or spoofed websites. Phishing is one of the most common attack vectors used by malicious actors.
This tactic commonly uses a fake account to impersonate someone the target would know (known as spear phishing). This could be a family member, co-worker, distant friend, etc. After all, if you are familiar with the user of that "account," you are more likely to access the information they are sharing.
Popular impersonation accounts generally masquerade as someone famous, as a vendor's customer service account, or as a fake account created specifically to target the individual based on public information in their profile.
These fake accounts typically have URLs and links in them. These URLs can send you to a malicious site or a website that looks legitimate and asks you to register for access. Unbeknownst to the user, whatever information they submit while creating an account on the 'fake' site goes to the malicious actor. Usernames, passwords, and dates of birth are often captured in this manner.
Taking steps to protect yourself from falling victim to cyber-attacks on social media is simpler than you may think. So simple, we often overlook what we can do to protect ourselves better.
Review the information in your own social media profile. Ask yourself questions like:
Do these questions seem familiar? These security questions are commonly asked by reputable websites like banks or online shopping sites to confirm your account information before granting access or allowing you to reset your password. If you have this information on your social media profiles, a malicious actor could use it to build a specific profile on you that allows them to change your passwords elsewhere and then access your account.
Keep any applications you use to access social media up to date. Don't make the mistake of believing that just because something is installed and working, it is secure. If you are not using an app on your device and are accessing a site directly, make sure the address starts with HTTPS and not HTTP. HTTPS establishes secure communications between your browser and the site over the internet.
If you are following a link or clicking on something an individual sent you, ask yourself these questions:
If none of your answers make rational sense, you're better off not clicking it. Or, at the very least, verify by asking the individual in person, over the phone, or through other reliable means to confirm the validity before clicking, accessing, or performing an action being requested, such as purchasing gift cards. Also, exercise extra caution with shortened URLs, such as Bit.ly or t.co. Malicious actors often use these services to mask the actual link they want you to click on.
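The HTTPS check and the shortened-URL caution above, together with the earlier point about sites that only look legitimate, can be applied to a link before anyone clicks it. The following is an added example, not part of the original article; the trusted-site list and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# bit.ly and t.co are the shorteners named in the article; extend as needed.
SHORTENERS = {"bit.ly", "t.co"}
# Assumption: the sites this reader actually uses (sample values).
TRUSTED = {"facebook.com", "instagram.com", "twitter.com"}

# Constructed sample links for illustration only.
SAMPLES = [
    "https://www.facebook.com/profile",
    "HTTP://Bit.ly/3xAmPle",
    "http://facebook.com.account-verify.example/login",
]


def _is_or_under(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage_link(url, trusted=TRUSTED, shorteners=SHORTENERS):
    """Return reasons to pause before clicking url (empty list = none found)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if not host:
        reasons.append("no-host")
        return reasons
    if any(_is_or_under(host, s) for s in shorteners):
        reasons.append("shortened")  # real destination is hidden
    # Lookalike: a trusted brand name appears in the host, but the host is
    # neither that trusted domain nor one of its subdomains.
    for domain in sorted(trusted):
        brand = domain.split(".")[0]
        if brand in host and not _is_or_under(host, domain):
            reasons.append("lookalike:" + domain)
    return reasons


if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or "no flags")
```

An empty result means only that none of these three checks fired; it does not establish that the link is safe.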
For all of its many complexities and flaws, at its best, social media can be used to connect families from around the world, provide platforms for like-minded individuals to express themselves and support each other, and serve as a platform for education and learning. With such a large community of users, malicious actors are constantly seeking to exploit user information to gain personal and financial data. Staying vigilant and carrying a healthy dose of skepticism will help keep your information safe while still enjoying the benefits that social media platforms have to offer.