Social media is giving cybercriminals a way around your IT-security defences

Forget scattershot malware attacks: today's cybercrims are using your social network against you – and it's working

Think your employees are too smart to fall for a targeted email scam? Think again. Recent figures from the US FBI suggest that fraudulent emails – sent by cybercriminals impersonating CEOs and other key executives – cost US businesses $US2.3 billion between October 2013 and February 2016, during which time the FBI received some 17,642 reports of such scams.

And that's just the fraud that the FBI knows about. The true extent of financial losses to targeted attacks is likely to be much larger – but their victims either don't know about it, or are too embarrassed to front up with the truth. They may also be unaware that one of the key reasons cybercriminals are getting so good at extracting money has nothing to do with programming skill – and everything to do with social media.

Simple mathematics suggests that most if not all of your employees have a presence on Facebook – which with well over 1.25 billion users theoretically represents nearly 18 percent of the earth's population – as well as LinkedIn, Twitter, Instagram, and other social networks.

Regular use of such networks fills them with a cornucopia of personal details that cybercriminals use to fake familiarity with their targets. Individuals with particular job functions can be identified with a few clicks, and their social connections mapped out to develop frighteningly detailed organisational charts showing reporting structures as well as details of recent trips to conferences, shared posts, individual interests, and the like.

Once this information has been collected, it's a small step for cybercriminals to craft emails with enough personal detail to be convincing. Spoof the sender's name and email, mention a few recent shared experiences to lessen scepticism, and concoct a story about needing a wire transfer to be executed urgently – and you've got a successful 'whaling' attack of the type that is rapidly showing that the 'human firewall' still cannot protect businesses from harm.

“Most people have seen this in some incarnation,” says Ben Adamson, APAC technology lead with email-security firm Mimecast, which recently released a tool to ferret out whaling emails as they are received.

Such attacks have “definitely hit the radar pretty hard,” he says, citing a recent customer survey that found domain spoofing was rife: 72 percent of attackers had pretended to be the CEO, and 35 percent of respondents had seen the CFO impersonated to target key finance and other executives.

“There are really massive, tangible amounts of money changing hands on the back of this. And once it happens, it's nearly impossible to get back because of the number of countries involved and the mobility of the people who are perpetrating these sorts of attacks.”
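The display-name and domain spoofing described above is exactly what an inbound-mail triage rule can look for. The following is an added illustration, not Mimecast's product or the tool mentioned in the article; the corporate domain, the executive roster and the two sample messages are constructed for the example, and messages are assumed to be plain-text, single-part.

```python
"""Heuristic triage for executive-impersonation ('whaling') emails.

Added example, not the article's or any vendor's code. The corporate
domain, executive roster and sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                 # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "raj patel": "CFO"}  # constructed roster

URGENCY = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT = ("wire", "transfer", "payment", "invoice", "bank details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> dict:
    """Return the spoofing indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rsplit("@", 1)[-1].lower() if reply else domain
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()

    reasons = []
    # 1. A known executive's display name arriving from outside the company.
    if name.lower() in EXECUTIVES and domain != CORPORATE_DOMAIN:
        reasons.append(f"{EXECUTIVES[name.lower()]} display name used from external domain {domain}")
    # 2. A sender domain one or two characters away from the real one.
    if domain != CORPORATE_DOMAIN and 0 < edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    # 3. Replies silently redirected to a different domain.
    if reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    # 4. The classic whaling lure: urgency plus a request to move money.
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        reasons.append("urgent payment language in subject/body")

    score = len(reasons)
    verdict = "quarantine" if score >= 2 else "review" if score == 1 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real traffic).
SPOOF = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/plain

Hi, I need a wire transfer processed today for an acquisition. Keep it confidential.
"""

LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Board pack
Content-Type: text/plain

Please send the Q3 board pack when it is ready. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, analyse(raw))
```

Each indicator is weak on its own (executives do use webmail, and a single typo in a domain is not proof of anything), which is why the verdict is driven by how many fire together; in practice the `review` tier would route to a human rather than auto-block.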

Anecdotal evidence of cybercriminals' increasing whaling success came in Symantec's recent Internet Security Threat Report (ISTR) 2016 – which noted that the average number of email attacks per phishing campaign had dropped from 122 in 2012, to 25 in 2014 and just 12 last year. This coincided with a surge in the number of campaigns, from 408 to 1305 over the same time period.

Cybercriminals wanting to spread ransomware and targeted malware are launching fewer, more detailed attacks than ever before – and the approach is working, with carefully-worded emails routinely tricking staff into initiating dodgy wire transfers or opening malicious attachments. Ethical hackers with FireEye's Mandiant Red Team Operations recently peppered a client organisation with a carefully-worded email and found that 400 of 600 employees clicked on the attachment; just one would have provided access to the network.

“This is all about end-user training,” says Adamson. “We're seeing this taken with a great deal of seriousness, and having a human firewall is quite important – especially when you've got these emails coming through and they look absolutely legitimate.”

More-convincing email fraud isn't the only emerging consequence of broader social media usage – and the concomitant tendency of many employees to implicitly trust what they read online. This all-too-human trait leads many employees to fall prey to scams or malvertising campaigns perpetrated through social-media platforms themselves; the result can be a local malware infection, a ransomware lockout, or worse.

Symantec's ISTR found that Australia is the top ransomware target in the southern hemisphere, with a 141 percent jump in the volume of ransomware attacks per day over a year earlier. Many older scams were coming back into fashion, notes Symantec senior principal systems engineer Nick Savvides, who warned that marketing-savvy cybercriminals were reviving tech-support scams and offering early-payment discounts to push victims into paying to unlock ransomware-infected computers.

“They're taking the best experiences that you have from marketing and applying those to their criminal enterprises,” Savvides says, noting that small businesses are particularly vulnerable to attacks fuelled by intelligence garnered from social media.

“The attackers' intelligence is getting a lot better, and the reality is that these attacks are very well crafted, very convincing, and people do fall for them.”

Attacks fuelled by exploitation of social media information are likely to get worse before they get better – and they present an even bigger obstacle to user training because they do not rely on obvious mistakes on users' part. Combatting such attacks can be helped by an emerging category of anti-whaling technologies, but in the longer term companies worried about their vulnerability to such attacks need to look well beyond the simple threat posed by social media.

Instead, they should be considering how internal controls can be tightened to fight the types of activities that whaling involves. This includes processes that restrict the flow of funds to new accounts, approval processes necessary to action funds transfers, and methods to evaluate out-of-routine instructions that can often be confirmed or denied with a simple phone call.
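The three controls listed above (holding payments to unvetted accounts, requiring approval for transfers, and confirming out-of-routine instructions by phone) can be expressed as a single release check that a payments system runs before any funds move. The following is an added example written for this article, not a description of any real product or of the controls at any named organisation; the vetted-beneficiary list, the dual-approval threshold and the sample requests are constructed.

```python
"""Pre-release checks for a funds transfer request.

Added example, not from the article or any vendor. Threshold, vetted
beneficiaries and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000          # assumed policy value
VETTED_BENEFICIARIES = {                  # constructed list of approved accounts
    "AU-062000-12345678": "Acme Payroll Pty Ltd",
    "AU-062000-87654321": "Office Supplies Co",
}
ROUTINE_CHANNELS = {"erp", "payroll"}     # systems where instructions normally originate


@dataclass
class TransferRequest:
    requester: str              # user who raised the instruction
    channel: str                # "erp", "payroll", "email", "phone", ...
    amount: float
    beneficiary_account: str
    beneficiary_name: str
    urgent: bool = False
    approvers: tuple = field(default_factory=tuple)


def release_decision(req: TransferRequest) -> dict:
    """Return the outstanding controls; the transfer may proceed only when none remain."""
    outstanding = []

    # Control 1: funds do not flow to an account nobody has vetted.
    vetted_name = VETTED_BENEFICIARIES.get(req.beneficiary_account)
    if vetted_name is None:
        outstanding.append("beneficiary account not vetted; second-person vetting before release")
    elif vetted_name != req.beneficiary_name:
        outstanding.append("beneficiary name does not match vetted record")

    # Control 2: large amounts need two approvers, neither of whom raised the request.
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        independent = set(req.approvers) - {req.requester}
        if len(independent) < 2:
            outstanding.append(f"dual approval outstanding ({len(independent)} of 2 independent approvers)")

    # Control 3: an instruction that arrived outside the routine channel, or is
    # marked urgent, is confirmed by calling the requester on a directory number
    # (never a number supplied in the instruction itself).
    if req.channel not in ROUTINE_CHANNELS or req.urgent:
        outstanding.append("call-back to requester on directory phone number before release")

    return {"allowed": not outstanding, "outstanding": outstanding}


# Constructed sample requests.
WHALING_STYLE = TransferRequest(
    requester="jane.doe", channel="email", amount=250_000,
    beneficiary_account="GB-99-NEW-000001", beneficiary_name="Strategic Holdings Ltd",
    urgent=True, approvers=("jane.doe",),
)
ROUTINE_PAYROLL = TransferRequest(
    requester="payroll-bot", channel="payroll", amount=5_000,
    beneficiary_account="AU-062000-12345678", beneficiary_name="Acme Payroll Pty Ltd",
)
LARGE_BUT_CONTROLLED = TransferRequest(
    requester="ap.clerk", channel="erp", amount=50_000,
    beneficiary_account="AU-062000-87654321", beneficiary_name="Office Supplies Co",
    approvers=("ap.manager", "finance.director"),
)

if __name__ == "__main__":
    for r in (WHALING_STYLE, ROUTINE_PAYROLL, LARGE_BUT_CONTROLLED):
        print(r.requester, release_decision(r))
```

The point of structuring the rules this way is that the decision never depends on whether the email looked convincing: an emailed, urgent request to a new account from a user who is also listed as an approver trips all three controls regardless of who appears to have sent it, while routine payroll to a vetted account passes without friction.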

These types of controls have little to do with security staff directly; rather, CSOs should take the initiative to start engaging with business leaders to identify potential weak spots where funds transfers, customer details, sensitive business data and other corporate assets may be exfiltrated.

Even then, however, the human element – represented by the unpredictability of social media and its increasing availability to cybercriminals as a form of conceptual blueprint – means efforts to contain the issue will take time. “If documentation and checklists and compliance regimes were the answer, then you would have solved this 20 years ago,” says Chris Pogue, senior vice president for cyber threat analysis with security-intelligence firm Nuix.

“What's missing is this almost cognitive bias that we as human beings have against implementing those things holistically at scale. We know how these attacks are going to take place, but we're collectively not even really putting up a good fight. All attackers need is one single point of entry and they can gain access to your data.”

A good place to start, says Savvides, is not only in educating employees about smarter use of social media – but also changing cultural attitudes so that targets of such focused attacks can actively work with IT-security planners to minimise corporate risk. This includes reconsidering institutionalised tendencies towards victim-shaming – which is becoming less and less helpful as ever-stealthier attacks no longer rely on employees clicking on something they have been told not to.

“There is a tendency in the technology community to blame the victims,” he explains. “A lot of victims don't admit that they've been done by ransomware because they do feel ashamed – but there's no point telling the poor victims that they should have known better. The bad guys will continue to do this because it continues to bring in significant revenue.”

Stories by David Braue