
8/23/2016
10:00 AM
Mike Raggo
Commentary

Anatomy Of A Social Media Attack

Finding and addressing Twitter and Facebook threats requires a thorough understanding of how they're accomplished.

Social media threats are at an all-time high, ranging from account hijacking to impersonation attacks, scams, and new ways of distributing malware and executing phishing attacks. Sophisticated attacks target organizations of all sizes. For example, Microsoft was the victim of a series of social media hacks by nation-state threat actors. The attack campaign was extensive, affecting multiple Twitter accounts (principally Skype’s) and exposing corporate passwords and emails for dozens of Microsoft employees.

Because social media exists outside of the network perimeter, social media threats can manifest long before network perimeter and endpoint security detect malicious behavior. Detecting and mitigating these threats requires a thorough understanding of this new threat landscape. If we compare these tactics, techniques, and procedures to traditional network attack methods, we can draw some important contrasts.

Adversaries traditionally target a corporate network in two phases: reconnaissance and exploitation. Reconnaissance involves footprinting (for example, gathering information about an organization’s IP addresses and domains), scanning (identifying which systems are using which IPs), and enumeration (identifying the services and ports available on those target systems). When attackers use social media, their strategy is similar, but the methods of attack are quite different. In social media, targeting an organization and its corporate network involves footprinting, monitoring and profiling, impersonating or hijacking, and, finally, attacking.

In a social media context, footprinting involves gathering information to identify employees, typically executives, as well as brand accounts owned by the target company. Names, email addresses, and phone numbers can be acquired from the company’s website and publications, the news media, and other sources to identify target social media accounts.

Next, the adversary seeks to establish a fake trust network on social media in order to monitor and profile activities, behaviors, and interests across the social media accounts mapped to the organization. Keywords, hashtags, and @ mentions are also analyzed and later used to establish trust when the impersonator account communicates with targets. Using the right lingo lends credibility, so employees are less likely to notice an impersonator and more likely to engage in conversation.

Now that the organization has been footprinted, monitored, and profiled across the social networks, the adversary can set up one or more impersonating accounts. Impersonation is one of the most common techniques used by attackers on social media, particularly when targeting enterprises. Our sample of approximately 100 customers shows more than 1,000 impersonation accounts are created weekly by perpetrators. By impersonating a key executive, an attacker can quickly establish trust to befriend other employees.

The adversary may use the actual profile image and bio from the legitimate account to build the impersonation account. The figure below shows a Twitter account impersonating Berkshire Hathaway CEO Warren Buffett, complete with @ mentions and relevant keywords. To weaponize an account like this in an attack campaign, the attacker must do a fair amount of social engineering, all made much easier by social media. (Note that the attackers made easy-to-miss changes to the spelling of the target’s name.)


[Figure: Twitter account impersonating Warren Buffett. Image Source: Twitter]
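One way to implement the impersonation monitoring the article recommends, as an added example that is not from the original article or from ZeroFOX: it scores candidate profiles against a watchlist of protected identities using normalized name and handle similarity (which catches one-letter misspellings and digit-for-letter swaps like the Buffett spoof), reuse of the target's keywords, and follower count. The watchlist, weights, thresholds and sample profiles are constructed for this example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist of protected identities, built around the article's example.
PROTECTED = [{"name": "Warren Buffett", "handle": "WarrenBuffett",
              "keywords": {"berkshire", "omaha", "investing"}}]
# Digit/symbol lookalikes often swapped into spoofed names (constructed, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(text):
    """Lowercase, strip accents and punctuation, and undo digit-for-letter swaps."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_text.lower().translate(LOOKALIKES))

def similarity(a, b):
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def score_impersonation(cand, prot):
    """Score one candidate profile (0.0-1.0) against one protected identity, with reasons."""
    if cand["handle"].lower() == prot["handle"].lower():
        return 0.0, ["exact handle match: this is the legitimate account"]
    name_sim = similarity(cand["name"], prot["name"])
    handle_sim = similarity(cand["handle"], prot["handle"])
    overlap = prot["keywords"] & {k.lower() for k in cand["keywords"]}
    checks = [  # (weight, fired, reason); weights are an assumed, tunable scheme
        (0.4, name_sim >= 0.85, f"display name near-match ({name_sim:.2f})"),
        (0.3, handle_sim >= 0.8, f"handle near-match ({handle_sim:.2f})"),
        (0.2, bool(overlap), "bio reuses watchlist keywords: " + ", ".join(sorted(overlap))),
        (0.1, cand["followers"] < 100, "low follower count for a claimed executive"),
    ]
    score = round(sum(w for w, fired, _ in checks if fired), 2)
    return score, [reason for _, fired, reason in checks if fired]

def flag_accounts(candidates, protected=PROTECTED, threshold=0.6):
    """Return (candidate handle, protected handle, score, reasons) for likely impersonators."""
    hits = []
    for cand in candidates:
        for prot in protected:
            score, reasons = score_impersonation(cand, prot)
            if score >= threshold:
                hits.append((cand["handle"], prot["handle"], score, reasons))
    return hits

# Constructed sample profiles: a misspelled spoof with 40 followers, the genuine account, and an unrelated user.
SAMPLE = [
    {"name": "Warren Buffet", "handle": "WarrenBuffet_", "keywords": {"Berkshire", "Omaha"}, "followers": 40},
    {"name": "Warren Buffett", "handle": "WarrenBuffett", "keywords": {"Berkshire"}, "followers": 1500000},
    {"name": "Warren Smith", "handle": "wsmith_dev", "keywords": {"python"}, "followers": 500},
]
```

Flagged accounts can then be queued for the takedown process; profile-image hashing would be a natural additional signal but is not shown here.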

Hijacking an account is more difficult than impersonating it but yields quicker results if successful. The most effective social media attacks on an organization occur when an attacker is successful in finding a method to hijack an account and use that to further infiltrate a network. Numerous social network data dumps have made account hijacking much easier.

Whether trust is established through an impersonation account or a hijacked account, the adversary begins an attack by sending a direct message containing malware or a phishing link, to harvest credentials or infect a machine inside the network. This can be difficult to detect, as many social networks use URL shorteners that obfuscate the actual URL, and the link may pass through multiple redirects. The following diagram depicts the anatomy of the attack. At this point, the internal beachhead has been established, the network has been compromised, and the adversary can expand their infiltration of the network.

[Figure: Anatomy of a social media attack. Source: ZeroFOX]
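The shortened, multi-redirect link described above, as an added example that is not part of the original article: it follows a link hop by hop using only redirect headers (nothing is rendered or downloaded), stops on loops or excessive hops, and emits the kind of context record that can be fed to a proxy or SIEM. The URLs and the HEAD responses are constructed stand-ins for the live web, and the suspicion heuristics are assumptions, not a ZeroFOX method.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed redirect map standing in for live HEAD responses (Location headers):
# shortener -> second shortener -> ad-tracking redirector -> lookalike login page.
FAKE_WEB = {
    "https://t.co/abc123": "https://bit.ly/3xyz",
    "https://bit.ly/3xyz": "https://track.ads.example/r?u=https://login.acme-c0rp.example/verify",
    "https://track.ads.example/r?u=https://login.acme-c0rp.example/verify": "https://login.acme-c0rp.example/verify",
}
KNOWN_SHORTENERS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly"}

def fake_head(url):
    """Stand-in for an HTTP HEAD request: returns the Location header, or None when the URL is final."""
    return FAKE_WEB.get(url)

def expand_chain(url, head=fake_head, max_hops=10):
    """Follow redirects without fetching bodies; return (chain, status)."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if nxt is None:
            return chain, "landed"
        if nxt in seen:  # redirect loop: stop rather than spin
            return chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain, "too_many_hops"  # give up; treat as suspicious

def indicator(chain, status):
    """Summarise a chain as a record a proxy/SIEM feed can consume."""
    final_host = urlparse(chain[-1]).hostname or ""
    hosts = [urlparse(u).hostname or "" for u in chain]
    flags = []
    if len(chain) > 2:
        flags.append(f"{len(chain) - 1} redirects")
    if sum(h in KNOWN_SHORTENERS for h in hosts) > 1:
        flags.append("chained shorteners")
    if any(re.search(r"[a-z]\d[a-z]", lbl) for lbl in final_host.split(".")):
        flags.append("digit embedded in hostname label")
    if any(v.startswith("http") for u in chain[:-1] for vs in parse_qs(urlparse(u).query).values() for v in vs):
        flags.append("hop passes a URL in its query string")
    if status != "landed":
        flags.append(status)
    return {"source": chain[0], "final_url": chain[-1], "final_host": final_host,
            "hops": len(chain) - 1, "flags": flags}

def analyze(url, head=fake_head):
    return indicator(*expand_chain(url, head))
```

Against a live network, `head` would be replaced by a HEAD request issued from an isolated host with redirects disabled, so the expander itself never follows the link as a browser would.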

As social media threats continue to evolve, enterprises can fortify their detection and defenses with additional countermeasures. The following are some of the key actions an organization can take to shore up its social media and network defenses:

  • Identify your organization’s social media footprint (companies, accounts, and key individuals).
  • Document responsible individuals for the corporate and brand accounts. These accounts should have strong passwords and two-factor authentication enabled (available from many social networks today).
  • When available, use verified accounts. Social networking companies such as Twitter and Facebook offer an option for verified accounts or profiles to ensure authenticity.
  • Monitor for impersonation accounts and, when you find them, arrange for takedown.
  • Enhance your perimeter security by leveraging a solution that feeds additional context, such as social media malicious URLs, into protection such as firewalls, intrusion detection, malware protection systems, proxies, or security information and event management systems.
  • Augment your incident response plan and process to encompass social media and include a takedown process. 

Michael T. Raggo has over 20 years of security research experience. His current focus is social media threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding: Exposing Concealed Data in Multimedia, Operating ...
Comments
Joe Stanganelli,
User Rank: Ninja
8/25/2016 | 9:19:08 PM
Re: Buffett example
@Whoopty: It's not even about always being seen as a good guy.  It is a fact of business that people are going to dislike you for whatever reasons they decide to come up with -- whether deservedly so or not.

The point is to not go out of your way ticking off the wrong people unless the benefit exceeds the risk and cost factors.
Whoopty,
User Rank: Ninja
8/25/2016 | 7:32:18 AM
Re: Buffett example
Agreed, being seen in public as a "good guy" is a must, though in Sony's case not having juvenile-level security would have helped a lot too!

I wonder sometimes if it's worth cultivating relationships with international security companies too, as we've seen U.S. firms defending U.S. firms and the same in Russia in recent years. Being on good terms with all sorts of security companies so you have a good reputation in different circles is likely to be a positive step too.
Joe Stanganelli,
User Rank: Ninja
8/24/2016 | 8:48:09 PM
Re: Buffett example
@Whoopty: Yep. The number one way to protect yourself -- that most people don't think about -- is to make yourself not a target (or, at least, to make yourself as unattractive a target as possible).

The first big aspect of that is exactly what you said: Don't be the easy pickings -- the low-hanging fruit.  Do the basics, which a lot of companies don't.  All it takes is one minor slipup combined with shoddy policy.  (TJX, I'm lookin' at you.)

The second big aspect is to do what you can in terms of how you do business to not actively motivate people. Sony is a great example of a "don't" in this way -- when they sued a 13-year-old hacker for modifying his own PlayStation. OBVIOUSLY they were going to get hit super hard and super often by the hacktivists of the world for that move. (A good lawyer will tell you when you can sue and for what. A great lawyer will tell you all that and also tell you the risk-benefit analysis of all of your options.)
Whoopty,
User Rank: Ninja
8/24/2016 | 7:51:03 AM
Re: Buffett example
That's the thing though, isn't it? No one is vigilant all of the time. All it takes is a slip-up when you're tired or not paying attention, and you are compromised. Ultimately, it's about not being the lowest-hanging fruit and doing your utmost to remain safeguarded as best you can.

If someone wants to hack you apart, they are likely going to do it. You need to make yourself more of a time or money sink when it comes to cracking, and that way they're likely to focus on someone else instead.
Joe Stanganelli,
User Rank: Ninja
8/23/2016 | 1:57:32 PM
Buffett example
If an employee at Berkshire Hathaway would fall for that sample Warren Buffett spoof -- with the name spelled incorrectly twice, and only 40 followers -- then that employee may well be too darn stupid to work for B.H. in any capacity.

That said, I realize that there are (slightly) more convincing spoofs out there than this.  But still.

In any case, a little training can go a long way.