I’ve covered the use of social media in social engineering attacks a number of times. Statistically, social media continues to be a starting point for crafting elaborate social engineering or phishing attacks. Let’s run through a refresher.
- Sharing too much private information on social media is dangerous. If you’re not sure what to share, follow the golden rule: If you wouldn’t share it with a stranger, don’t share it on social media. Both personal and professional social media accounts have settings you can configure to control who sees your content, including private or public visibility and the ability to share only with certain groups or friends (colleagues).
- A federated login is convenient but less secure. We talked about OAuth, the protocol commonly used for federated login. You may have seen a website invite you to log in with Facebook, Gmail or LinkedIn instead of creating a local account. While that’s super convenient, because you don’t have to remember yet another password, it does have its downside. The first-party site will store some artifacts (tokens) of your login to Facebook or your other accounts. It won’t store your username or password, but if those artifacts are improperly coded and secured, they can be used for impersonation attacks. Secondly, the third-party site (Facebook) will know about every move you make on the first-party site. For example, if you used your Facebook credentials to sign into an e-commerce website, every search or purchase you make on that site will be known to Facebook.
- Social media is an open platform. Beyond requiring an email account, which you can create in less than two minutes, the platforms perform zero identity verification. Consequently, there are dozens of social media impersonators of Steve Jobs, Elon Musk, and Warren Buffett. These fake accounts are often used to spread misinformation and to distribute phishing links and malware. Take anything you see or receive through social media with a grain of salt, and keep a close eye on the accounts you follow.
- Social platforms exploded exponentially through a friend-of-a-friend concept. We inherently trust people our friends know or trust. But if your friends or their friends are not careful (i.e., they use weak passwords, install suspicious software or don’t safeguard their credentials), you are at risk. Suddenly, you can’t trust the authenticity of your friend’s profile. Look for any behavior changes and anything that looks suspicious, and always have other ways to contact your friends outside of social media.
- Keep in mind that your phone knows your location unless you turn location services off. Be aware that any photo you upload from your phone may carry a geolocation tag. Here is something else you may or may not know: Your iPhone now has “Live Photo” mode. Unfortunately, it is on by default. When the camera is used in that mode, it records 1.5 seconds of live video before and after you press the button. Not only does it record a three-second video, but it also records audio. So be careful what you say, or opt out of this setting.
- Unfortunately, what happens in Vegas doesn’t always stay in Vegas. There are many services today that crawl and enumerate websites, including social media. The most well-known and popular of these is the Wayback Machine (https://web.archive.org). It goes all the way back to 1996, takes daily snapshots of every webpage and stores them. It works better with services that don’t require authentication, but then again, if thieves know your social media credentials, they can look back through your profile. It’s much easier not to put the information you care about on the Internet in the first place.
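As an added example (not from the original post), here is a small Python check for the photo geotag mentioned above: it walks the JPEG’s marker segments, looks inside the APP1/Exif segment for the GPS IFD pointer that indicates a geotag, and strips the Exif segment before upload. The sample JPEG bytes are constructed inline for the demonstration and are not a decodable image.

```python
import struct
GPS_IFD_TAG = 0x8825  # EXIF tag in IFD0 that points to the GPS sub-IFD (lat/long etc.)

def _exif_tiff(data):
    """Return the TIFF blob inside the first APP1/Exif segment, or None."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, no more metadata
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def has_gps_tag(data):
    """True if the JPEG's EXIF IFD0 carries a GPS IFD pointer (i.e. a geotag)."""
    tiff = _exif_tiff(data)
    if tiff is None:
        return False
    end = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):
        off = ifd0 + 2 + 12 * i  # each IFD entry is 12 bytes, tag id first
        if struct.unpack(end + "H", tiff[off:off + 2])[0] == GPS_IFD_TAG:
            return True
    return False

def strip_exif(data):
    """Copy the JPEG without its APP1/Exif segments; image data is untouched."""
    out, pos = bytearray(data[:2]), 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos:pos + 2 + length]
        if not (marker == 0xE1 and seg[4:10] == b"Exif\x00\x00"):
            out += seg
        pos += 2 + length
    return bytes(out + data[pos:])

def constructed_sample():
    """Constructed test input, not a real photo: SOI, APP1/Exif with a GPS pointer, SOS, EOI."""
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 1) + struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps  # little-endian TIFF header, IFD0 at offset 8
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

Stripping the Exif segment removes camera and date metadata along with the GPS tag; turning off location access for the camera app prevents the tag from being written in the first place.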
And remember, when in doubt just use the good old rule of thumb: If you wouldn’t share it with a stranger, don’t share it on social media.