By: Marc Larson, LookingGlass Special Investigations Unit
The use of social media as a means for targeting victims – whether through phishing or social engineering scams – is nothing new. However, in the past month or so we’ve seen a new trend in threat actors’ tactics: hacking high-profile executives’ social media accounts with the purpose of publishing embarrassing and controversial posts. This was recently seen in the Twitter hacks of Twitter co-founder Jack Dorsey, Yahoo CEO Marissa Mayer, Google CEO Sundar Pichai, and Oculus CEO Brendan Iribe.
While the actual hacking of these accounts may point to a bigger issue, such as password reuse, it also brings to light social media’s place in the evolving threat landscape, and the role it plays in placing executives and the overall company at risk. Whereas previous generations of executives lived somewhat private lives, today’s executives have spent the majority of their adult lives living and working in an Internet-connected world, and have embraced this connectivity fully. However, problems start when people begin to place convenience over security.
With more than 2.2 billion users across all social networks, social media has become an integral part of most business operations. Executives who participate in this means of communication hope to humanize and bring personality to their brand, connect with interested parties on a more personal level by giving “behind the scenes” looks into the company, and use it as a promotional tool by sharing photographs of themselves at company events and conferences. On the flip side, we also see many executives use these same accounts to post personal information, disclosing names and photographs of children, spouses, and vehicles; favorite vacation locations; and trip itineraries, which can put them, and their families, at risk of an effective social engineering attack.
In addition, many executives’ family members have their own social media accounts, but may not have had the same cybersecurity training as the executive. What they may not realize is that threat actors could also be aware of their accounts, and that potentially risky disclosures they post could make the executive and themselves more susceptible to social engineering and malware infection.
Sharing both personal and professional information on the same social media profile increases the risk of leaking personal information as well as business-related information. Malicious actors target executives via social media by sending them messages containing weaponized payloads that, if opened, will infect the executive’s device. This becomes especially problematic if an organization has a Bring Your Own Device (BYOD) policy, which is becoming a more common and established practice in the workplace. Actors can also gain access to the social media account itself, posting damaging or inappropriate information on behalf of the executive.
Executives can do a number of things to help minimize the risk of exploitation, including:
- Invest in a Monitoring Service: Threat actors are becoming increasingly sophisticated at creating fraudulent social media accounts that impersonate executives. These accounts can be utilized to misrepresent the individual or the company, or to establish ties with other high-ranking executives. The consequences can range from financial to reputational damage, particularly if threat actors are able to financially gain or obtain sensitive corporate information. Thus, executives should invest in a way to proactively monitor for false social presences, as well as compromises to personal identity and credit information.
- Use Multi-Factor Authentication: Multi-factor authentication (MFA) is a method of confirming a user’s identity when signing into accounts by utilizing a combination of two or more different methods of authentication. These methods leverage something that the user knows, something that the user possesses, or something that is inseparable from the user, such as a mobile device. While not impervious to hackers, MFA adds an extra step to your login procedure, limiting the chances of fraud.
- Remove Geo-Location Data: Ensure that social media posts are not disclosing location data, which could potentially be used to determine locations of frequented places or to see if an executive and his or her family is out of the country.
- Limit Personal Information Disclosure: Even seemingly innocuous information, such as where the executive is eating lunch or the state they are traveling to, could be abused by malicious actors. In August 2014, the airplane of Sony Online Entertainment President John Smedley was targeted after he tweeted that he was traveling to San Diego. Knowing that Smedley resided in Dallas, the threat actors looked up the flight information and took to Twitter announcing that a bomb was on board his airplane. The flight was subsequently grounded and Mr. Smedley’s travel plans were greatly affected.
- Verify Online Content: While it may go without saying, executives should never click links or download files that are sent via social media – even if they know the sender – without verifying the message’s authenticity. Executives should contact the sender via another means (e.g. telephone or email) to make sure that the file or link posted is legitimate.
- Do Not Reuse Passwords: Recognizing that executives frequently reuse passwords across multiple platforms, hackers have begun searching hacked account dumps for information belonging to executives and other high-profile individuals, sometimes searching dumps that are years old. The bad actors are then taking those passwords and using them to gain access to executives’ social media accounts. Recently, Facebook CEO Mark Zuckerberg, Uber CEO Travis Kalanick, and former Twitter CEO Dick Costolo have all fallen victim to hacks involving reused passwords.
- Create Official and Verified Accounts: Whether the executive is active on social media or not, they should create a legitimate account on each of the major social media platforms (including, but not limited to, Facebook, Twitter, LinkedIn, and Google Plus). This practice not only protects the executive’s personal brand, but also ensures that the executive has an established, legitimate presence. Moreover, Twitter and LinkedIn will verify accounts by displaying a verification marker next to the executive/account name to establish its legitimacy.
- Use Separate Accounts: Create separate social media accounts for personal and professional use. While the professional account can be public, the personal account should remain private to limit the amount of personal information released to the public. We recommend that the personal account not be attributable to the executive: use a nickname or alias for the account owner’s name and an account picture that is not a photograph of their face.
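The geo-location advice above is easiest to act on before a photograph is posted: photos from phones and cameras commonly carry a GPS block inside their EXIF metadata. The following is an added example, not LookingGlass tooling, of a minimal pre-posting check that detects the EXIF GPS pointer in a JPEG and strips the EXIF segment; it builds its own constructed sample file so it runs offline, and it assumes the image is a JPEG whose EXIF lives in a standard APP1 segment.

```python
import struct

GPS_INFO_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD (EXIF spec)

def _exif_segments(jpeg: bytes):
    """Yield (start, end) byte ranges of APP1 segments carrying EXIF data."""
    pos = 2  # skip the SOI marker FF D8
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9):          # SOI/EOI have no length field
            pos += 2
            continue
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end
        if marker == 0xDA:                  # SOS: image data follows, stop
            break
        pos = end

def has_gps_data(jpeg: bytes) -> bool:
    """True if any EXIF segment's IFD0 references a GPS sub-IFD."""
    for start, end in _exif_segments(jpeg):
        tiff = jpeg[start + 10:end]          # TIFF header follows "Exif\0\0"
        e = "<" if tiff[:2] == b"II" else ">"  # byte order flag
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            entry = ifd0 + 2 + 12 * i        # 12-byte IFD entries
            if struct.unpack(e + "H", tiff[entry:entry + 2])[0] == GPS_INFO_TAG:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every EXIF APP1 segment (GPS block included) before sharing."""
    out, last = [], 0
    for start, end in _exif_segments(jpeg):
        out.append(jpeg[last:start])
        last = end
    out.append(jpeg[last:])
    return b"".join(out)

def build_sample_jpeg() -> bytes:
    """Constructed test file: SOI, one EXIF APP1 with a GPS sub-IFD, EOI (no pixels)."""
    ifd0 = struct.pack("<H", 2)                                      # two entries
    ifd0 += struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")          # Model, ASCII inline
    ifd0 += struct.pack("<HHII", GPS_INFO_TAG, 4, 1, 38) + b"\0\0\0\0"  # GPS IFD at offset 38
    gps = struct.pack("<H", 1) + struct.pack("<HHI4s", 0x0001, 2, 2, b"N\0\0\0") + b"\0\0\0\0"
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps            # little-endian TIFF
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"
```

On a real photo, run has_gps_data on the file bytes and publish only the strip_exif output; note that platforms differ in whether they strip metadata on upload, so removing it client-side is the safe default.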
Contact us to learn about how LookingGlass threat intelligence services can help protect your organization’s executives on social media.