Employees easily tricked on social media prime phishing attacks

Spear phishing is one of the most effective ways to break into a corporate network, and recent studies show that employees can be easily tricked on social media to provide the information needed to launch attacks.

A phishing attack is only as good as the information hackers are able to gather on the intended victim, who is less likely to click on a malicious link or attachment in an email that does not appear to come from a trusted sender. As a result, criminals often research their targets on the Web.

For example, Websense Security Labs recently found a fake LinkedIn profile gathering information that could be used in future attacks.

The profile summary pretends to be that of "Jessica Reinsch," a made-up employee of a real dating Web site that connects young women with older, wealthy men. The site is located in Switzerland.

While Websense did not find any malicious code on the site, the vendor did find other related domains hosting "suspicious code." In addition, the IPs used to host the site are in the same autonomous system number (ASN) as multiple exploit kit command and control URLs, including those for RedKit and Neutrino, according to Websense.
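The infrastructure clue above, hosting IPs that fall in the same ASN as known exploit-kit control URLs, is something a defender can check mechanically. The following Python is an added example, not Websense's tooling: it does a longest-prefix match of each IP against a routing table to find its ASN, then flags any candidate IPs whose ASN also contains hosts already tied to command-and-control. The prefix table and the C2 addresses are constructed placeholder values, not indicators from the article.

```python
import ipaddress

# Constructed sample routing table (prefix -> ASN). A real check would load this
# from a BGP feed or an IP-to-ASN service rather than hard-coding it.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/25": 64500,
    "198.51.100.128/25": 64501,
    "192.0.2.0/24": 64502,
}

# Constructed sample: hosts previously seen serving exploit-kit control URLs.
# Hypothetical values, not the ones Websense observed.
KNOWN_C2_HOSTS = ["203.0.113.77", "192.0.2.10"]


def asn_for(ip):
    """Longest-prefix match of ip against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        # Prefer the most specific (longest) prefix that contains the address.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def flag_shared_asn(candidate_ips, c2_ips=KNOWN_C2_HOSTS):
    """Return {ip: asn} for candidates whose ASN also hosts known C2 addresses."""
    c2_asns = {asn_for(ip) for ip in c2_ips} - {None}
    hits = {}
    for ip in candidate_ips:
        asn = asn_for(ip)
        if asn in c2_asns:
            hits[ip] = asn
    return hits


if __name__ == "__main__":
    # IPs resolved from a suspicious profile's web site (constructed sample).
    site_ips = ["203.0.113.5", "198.51.100.5", "198.51.100.200", "10.0.0.1"]
    for ip, asn in flag_shared_asn(site_ips).items():
        print(f"{ip} sits in AS{asn}, which also hosts known C2 infrastructure")
```

A shared ASN is a weak signal on its own: large hosting providers carry plenty of legitimate sites alongside abusive ones, so treat a hit as a reason to look closer at the site, not as proof that it is malicious.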

The bogus profile had more than 400 connections with legitimate LinkedIn members, giving whoever was behind the account access to people's current employers, job titles and connections on the network, which has more than 250 million members.

Jeff Debrosse, director of security research at Websense, said such information would be used to build a social graph of prominent individuals that could be used in spear-phishing attacks.

"That's worth a lot of money to the buyers of that information," Debrosse told CSOonline Monday.

While reconnaissance on potential victims grows more sophisticated, corporations appear to underestimate the threat. Almost 60 percent of 300 IT executives, administrators and professionals in U.S. organizations rated phishing as a "minimal" impact threat, according to an unscientific survey by ThreatSim.

While rating phishing as a low-level threat, more than one in four of the respondents reported phishing attacks that led to a "material breach within the last year." ThreatSim defined "material" as some form of malware infection, unauthorized access and stolen data.

During a presentation at the RSA Europe security conference in Amsterdam last week, a cyberdefense specialist described an experiment that showed the effectiveness of using fake profiles on LinkedIn and Facebook to launch an attack.

Aamir Lakhani with IT service provider World Wide Technology described how the fake profile of an attractive female named Emily Williams was used to eventually get employees of an unnamed U.S. government agency to click on a link that could easily have been used to launch malware.

The bogus profile claimed Williams was a new hire at the agency with 10 years' experience and a 28-year-old graduate of the Massachusetts Institute of Technology. The researchers set up information about the woman on other Web sites to make the profile seem more credible.

Within 15 hours of launching the profile, Williams had 60 Facebook and 55 LinkedIn connections with agency employees and contractors. After 24 hours, she had three job offers from other companies.

The experiment pointed to the need for continuous training in organizations to reduce the chance of employees becoming victims of phishers.

"In the military it's called situational awareness," Lakhani told IDG News Service. "We need to develop situational awareness for this type of attack."