
SANS ISC: Phishing via Social Media - SANS Internet Storm Center

Phishing via Social Media
The use of social media as an attack vector is nothing new; we’ve all seen plenty of stories in the media of fake Facebook profiles, such as the one for American Admiral James Stavridis back in 2012 [1]. This tends to mean we’re more wary of Facebook and Twitter, but many of us still use LinkedIn, as it is a great tool to build out professional networks, tap into like-minded groups or be approached (stalked, some would say) by recruiters.
 
If a LinkedIn request comes from a name you recognise, do you blindly accept the request, or do you do a bit of investigating first to validate it? Let’s say you are the cautious, security-minded type and check out the profile of the sender, and it looks legitimate. I’m betting most of us would then accept the request and get on with our day.
 
The last couple of Diaries I’ve written have been about breaches, and one of the key components of any good attack is solid reconnaissance. An adversary with a clear understanding of a company’s staff can leverage that to get a much more complete picture than any port scan, or to pinpoint key human targets to exploit. Plenty of penetration testers [2] use social media to devastating effect, and so do real adversaries.
 
Some of you reading this will be thinking:
A) Pah! I don’t use any form of social media, so I’m safe.
B) Meh, I’d never fall for any of those shenanigans; I’m too paranoid/security-minded.
C) Mu-ha-ha! I use the Lynx text-only browser [3] – what is this wide wide web you speak of?
 
Well, how about the person next to you, or the head of HR, or the CEO? This blog post [4] illustrates a very smart, well thought out and well executed social engineering attack using LinkedIn. LinkedIn has a very responsive security team, and here’s one way to alert them to bogus profiles [5] should you ever run into one. But would most people pick up on a fake profile in the first place?
 
I’ll leave you with this question: How would you and your security policies counter a targeted attack like that against a senior board member?
 
 
[1] http://www.telegraph.co.uk/technology/9136029/How-spies-used-Facebook-to-steal-Nato-chiefs-details.html
[2] http://pen-testing.sans.org/blog/pen-testing/2011/11/04/the-pushpin-tool-incorporating-geolocation-info-leakage-via-social-networks-in-your-pen-tests
[3] http://lynx.browser.org/
[4] http://washingtonnote.com/john-bolton-reaches-email-beware/
[5] https://help.linkedin.com/app/safety/answers/detail/a_id/146
 

Chris Mohan --- Internet Storm Center Handler on Duty

Great article. I am one that usually accepts all friend requests, as I figured if they really want information about me they can always find it online through government databases, i.e. court cases, so why worry? If I get too paranoid I would have to live in a tunnel, which wouldn't be very fun.
Anonymous
