Criminal hackers can learn a great deal about us from our social media profiles and use it to mount attacks aimed at stealing data, damaging our online reputation, or reaching the company we work for. Here are some practical safety tips. Social media is one of cybercriminals' main targets, and the reason is simple: our profiles reveal far more about us than we imagine.
It is no coincidence that Social Media Day is celebrated today, a world day whose goal is to raise awareness among users of the importance of a conscious and informed use of the many social platforms, and to warn them of the danger posed by attacks that aim to steal accounts, given the great value that the information stored in them holds for cybercriminals. It may seem strange, but the data and personal details we post on social media can be turned into a weapon against us. For this reason, it is essential to know the techniques used to take control of social accounts.
What Data Leaks On Facebook And LinkedIn Teach Us
The potential for attack is even greater because of frequent personal data breaches, such as the leak that recently hit Facebook: the phone numbers and a great deal of other personal information of about 533 million users of the social network around the world were published for free on a popular hacking forum. A short time later, and again in recent days, similar data leaks hit LinkedIn.
In neither case was this a theft of credentials following a compromise of the two companies' servers. More simply, users' personal identification information was collected automatically with "scraping" techniques. The personal information that users spontaneously publish on their profiles (mobile phone number, gender, city and date of birth, work history, romantic relationships, email addresses, etc.) was collected and aggregated. With such a wealth of information, an attacker can craft a targeted attack that is effective precisely because it is highly credible.
Let's try to understand how this is possible and the risks we tend to underestimate. It is essential to realise that social media is one of the primary sources of information for OSINT (Open Source INTelligence) activities, which precede and prepare an attack. We are not talking about passwords stolen from us with more or less sophisticated techniques, but about the data we voluntarily "give" to the Internet.
Let’s Think Twice Before Posting Anything
Many people expose their date of birth on Facebook so as to receive many greeting messages on their birthday, even from people who barely know them. But a phishing or spear-phishing campaign will be much more convincing in getting us to click on a malicious or fraudulent link if the attacker knows our date of birth, or an identification number derived from it: in countries where the tax code is built from name, sex and date and place of birth, it can be reconstructed from those few details alone.
We Do Not Publish Private Information
And again: let's stop posting private information on public social platforms: travel plans, personal interests, details about family members, or news about our work. This information can be used to gain our trust and deceive us, our colleagues, or our friends. For example, a criminal hacker could pick up personal stories from our social media and then send a phishing email saying something like "Congratulations on your new job" or "I'm sorry about your father's death. I knew him well." Even the smallest details, which malicious actors will readily aggregate from social platforms, can reveal a great deal about our lives.
We Avoid Geotagging Photos
We also avoid geotagging the images we publish: a geotag embeds the GPS coordinates of the place where the photo was taken in the image's metadata (Exif). These coordinates can be read on a PC, or with dedicated applications, and reveal where the photo was taken, which is useful information for threat actors: knowing which hotel we stayed at, they can send us a (fake) survey about our stay carrying a malicious attachment or link. The main social networks strip this metadata on upload, but the original files we send by email or messaging apps, or upload to sites that do not strip it, keep it.
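To make the geotag point concrete, here is an added example (written for this page, not code from the original article or from any photo tool): a small pure-Python reader that locates the Exif APP1 segment of a JPEG, follows the GPS IFD pointer and converts the latitude/longitude rationals to decimal degrees, together with a function that drops the Exif segment before a file is shared. The JPEG it runs on is constructed inline (a minimal file containing only an Exif segment with made-up coordinates), so no real photo is involved.

```python
import struct

# ---- constructed sample input -------------------------------------------------
# Minimal JPEG: SOI, one APP1/Exif segment holding a TIFF structure whose IFD0
# only points at a GPS IFD, then EOI. The coordinates are made up for the example.

def _dms_rationals(deg, minutes, seconds):
    """Three little-endian RATIONALs (num, den), the way Exif stores GPS coordinates."""
    return struct.pack("<IIIIII", deg, 1, minutes, 1, int(round(seconds * 100)), 100)

def build_sample_jpeg(lat=(41, 53, 24.5, "N"), lon=(12, 29, 32.1, "E")):
    """Return JPEG bytes whose Exif GPS IFD carries the given D/M/S coordinates."""
    def entry(tag, typ, count, value4):            # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, count) + value4
    gps_ifd_off = 8 + 2 + 12 + 4                   # TIFF header + IFD0 (1 entry) -> 26
    data_off = gps_ifd_off + 2 + 4 * 12 + 4        # after the GPS IFD (4 entries) -> 80
    lat_data = _dms_rationals(*lat[:3])
    lon_data = _dms_rationals(*lon[:3])
    gps_ifd = struct.pack("<H", 4)
    gps_ifd += entry(0x0001, 2, 2, lat[3].encode() + b"\0\0\0")  # GPSLatitudeRef, ASCII inline
    gps_ifd += entry(0x0002, 5, 3, struct.pack("<I", data_off))  # GPSLatitude -> offset
    gps_ifd += entry(0x0003, 2, 2, lon[3].encode() + b"\0\0\0")  # GPSLongitudeRef
    gps_ifd += entry(0x0004, 5, 3, struct.pack("<I", data_off + len(lat_data)))
    gps_ifd += struct.pack("<I", 0)                              # no next IFD
    ifd0 = (struct.pack("<H", 1)
            + entry(0x8825, 4, 1, struct.pack("<I", gps_ifd_off))  # GPS IFD pointer
            + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd + lat_data + lon_data
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

# ---- reader and stripper -------------------------------------------------------

def _segments(jpeg):
    """Yield (marker, raw segment including marker and length) up to SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                 # EOI / SOS: metadata segments end here
            return
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff, off, end):
    """Map tag -> (type, count, 4 raw value/offset bytes) for the IFD at `off`."""
    n, = struct.unpack(end + "H", tiff[off:off + 2])
    ifd = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        ifd[tag] = (typ, count, tiff[e + 8:e + 12])
    return ifd

def _rationals(tiff, end, count, raw4):
    off, = struct.unpack(end + "I", raw4)
    nums = struct.unpack(end + "I" * (2 * count), tiff[off:off + 8 * count])
    return [nums[i] / nums[i + 1] for i in range(0, 2 * count, 2)]

def _to_degrees(dms, ref):
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in (b"S", b"W") else deg

def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there is no GPS IFD."""
    for marker, seg in _segments(jpeg):
        if marker != 0xE1 or seg[4:10] != b"Exif\0\0":
            continue
        tiff = seg[10:]
        end = "<" if tiff[:2] == b"II" else ">"    # byte order declared by the TIFF header
        ifd0_off, = struct.unpack(end + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, end)
        if 0x8825 not in ifd0:                      # no GPS IFD pointer
            return None
        gps_off, = struct.unpack(end + "I", ifd0[0x8825][2])
        gps = _read_ifd(tiff, gps_off, end)
        if not all(t in gps for t in (1, 2, 3, 4)):
            return None
        lat = _to_degrees(_rationals(tiff, end, 3, gps[2][2]), gps[1][2][:1])
        lon = _to_degrees(_rationals(tiff, end, 3, gps[4][2]), gps[3][2][:1])
        return lat, lon
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1/Exif segment removed (location included)."""
    segs = list(_segments(jpeg))
    kept = b"".join(s for m, s in segs if not (m == 0xE1 and s[4:10] == b"Exif\0\0"))
    body_start = 2 + sum(len(s) for _, s in segs)  # first byte of SOS/EOI
    return jpeg[:2] + kept + jpeg[body_start:]

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("geotag:", extract_gps(photo))                    # decimal degrees
    print("after strip:", extract_gps(strip_exif(photo)))  # None
```

Dropping the whole Exif segment is the blunt but safe choice: it also removes camera model, timestamps and any embedded thumbnail, which can leak as much as the coordinates themselves.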
As a minimum security measure, it is always advisable to check the privacy settings of our Facebook profile and raise the confidentiality level of the data we expose: set the profile to "private" or, at any rate, reduce the amount of personal information a visitor can see. This is done under the profile's "Privacy settings and tools." In this way an attacker will not see our information (or will see only a minimal part of it), which reduces what can be collected during social engineering.
Never Share Our Work Email
One of the simplest and most common ways to attack a corporate network is to compromise a corporate email account and use it to send spear-phishing messages. We should therefore adopt the rule of using the work email only for work, and never expose it on our social media profiles. The consequences can be severe: knowing our email address, an attacker can spear-phish other employees (it is straightforward, for example, to infer the address pattern of the company we work for, such as first.last@company, and from it derive the addresses of colleagues whose names appear in our public friends or connections lists).
With these techniques, cybercriminals can easily reach the mailbox of an executive who approves invoices and carry out a CEO fraud or BEC (Business Email Compromise). We recommend having (at least) four email addresses: one for personal use, one for work, one for registering on websites that could generate spam (and there are many), and one used exclusively for social media.
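As an added illustration of how one exposed work address gives away the rest (example code written for this page, not from the article or any real tool): given a single name/address pair, the script below tries the common corporate address templates, identifies the one in use and applies it to other names, for instance those visible in a public connections list. The names, the template list and the domain example.com are all made up.

```python
import re
import unicodedata

# Common corporate local-part templates, in roughly the order an attacker tries them.
# Field names: first, last (full names); f, l (initials).
PATTERNS = {
    "first.last": "{first}.{last}",
    "flast":      "{f}{last}",
    "first_last": "{first}_{last}",
    "firstlast":  "{first}{last}",
    "f.last":     "{f}.{last}",
    "last.first": "{last}.{first}",
    "first":      "{first}",
    "firstl":     "{first}{l}",
}

def _name_fields(name):
    """Lower-case, strip accents ('Niccolò' -> 'niccolo') and split into first/last.
    Compound surnames ('De Luca') are reduced to their last token; real tools have to
    try several variants for those."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    parts = re.findall(r"[a-z]+", ascii_name.lower())
    if len(parts) < 2:
        raise ValueError("need a first and a last name: %r" % name)
    first, last = parts[0], parts[-1]
    return {"first": first, "last": last, "f": first[0], "l": last[0]}

def infer_pattern(name, email):
    """From one exposed (name, address) pair return (template label, domain), or None."""
    local, _, domain = email.strip().lower().partition("@")
    fields = _name_fields(name)
    for label, template in PATTERNS.items():
        if template.format(**fields) == local:
            return label, domain
    return None

def guess_addresses(label, domain, names):
    """Apply an inferred template to other names (e.g. from a public connections list)."""
    template = PATTERNS[label]
    return ["%s@%s" % (template.format(**_name_fields(n)), domain) for n in names]

if __name__ == "__main__":
    # Constructed data: one work address exposed on a social profile, plus colleagues'
    # names as they would appear in a public connections list.
    found = infer_pattern("Mario Rossi", "mario.rossi@example.com")
    print(found)                                    # ('first.last', 'example.com')
    label, domain = found
    print(guess_addresses(label, domain, ["Giulia Bianchi", "Niccolò Ferrari"]))
```

Every guessed address is a spear-phishing target and, once one is confirmed (a bounce or a read receipt is enough), the same template yields the CFO's or CEO's mailbox from a name on the company website.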
We Use Different Profile Pictures On Social Platforms
OSINT activities and information gathering on the web are automated with software tools, some of which use AI (Artificial Intelligence), and so can quickly correlate accounts across different social networks by looking for matches between profile pictures, as well as other shared features (username, friends, city, interests).
For example, if someone uses the same profile picture on Instagram and Facebook, the tool will infer that the accounts belong to the same person, even if the usernames differ. Attackers can then aggregate an enormous amount of information about us, to attack or impersonate us more effectively. So we should use different photos on different social profiles. Likewise, we should avoid posting photos of other people, family members or children, or anything else that could give away important information about us and help build our "social graph."
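The correlation step in the previous two paragraphs can be shown with an average hash, the simplest of the perceptual hashes that account-linking tools use. This is an added example, not the article's or any specific tool's code, and the "avatars" are constructed grayscale gradients rather than real pictures: two uploads of the same picture at different sizes and brightness hash to the same 64 bits, an unrelated picture is 64 bits away, and a Hamming distance of a few bits is enough to link handles across platforms.

```python
def downscale(pixels, size=8):
    """Average-pool a square grayscale image (list of rows, values 0..255) to size x size."""
    n = len(pixels)
    if n % size or any(len(row) != n for row in pixels):
        raise ValueError("expected a square image whose side is a multiple of %d" % size)
    b = n // size
    return [
        [sum(pixels[y][x] for y in range(r * b, (r + 1) * b)
                          for x in range(c * b, (c + 1) * b)) / (b * b)
         for c in range(size)]
        for r in range(size)
    ]

def average_hash(pixels):
    """64-bit aHash: each downscaled pixel becomes 1 if brighter than the mean, else 0."""
    small = downscale(pixels)
    mean = sum(map(sum, small)) / 64
    h = 0
    for row in small:
        for v in row:
            h = (h << 1) | (1 if v > mean else 0)
    return h

def hamming(a, b):
    return bin(a ^ b).count("1")

def link_profiles(profiles, threshold=10):
    """Return (handle_a, handle_b, distance) for profiles on different platforms whose
    avatars hash within `threshold` bits of each other."""
    hashed = [(p["platform"], p["handle"], average_hash(p["avatar"])) for p in profiles]
    links = []
    for i, (plat_a, handle_a, h_a) in enumerate(hashed):
        for plat_b, handle_b, h_b in hashed[i + 1:]:
            if plat_a == plat_b:
                continue
            d = hamming(h_a, h_b)
            if d <= threshold:
                links.append((handle_a, handle_b, d))
    return links

# Constructed "avatars": a 16x16 gradient as originally uploaded, the same picture as an
# 8x8 thumbnail re-encoded slightly brighter by another platform, and an unrelated
# (vertically flipped) picture. Real tools do the same on decoded JPEGs.
ORIGINAL  = [[16 * y + x for x in range(16)] for y in range(16)]
REPOSTED  = [[32 * y + 2 * x + 16 for x in range(8)] for y in range(8)]
UNRELATED = [[16 * (15 - y) + x for x in range(16)] for y in range(16)]

PROFILES = [   # handles are made up
    {"platform": "instagram", "handle": "@m.rossi_photo", "avatar": ORIGINAL},
    {"platform": "facebook",  "handle": "Mario Rossi",    "avatar": REPOSTED},
    {"platform": "facebook",  "handle": "Luca Verdi",     "avatar": UNRELATED},
]

if __name__ == "__main__":
    print(hamming(average_hash(ORIGINAL), average_hash(REPOSTED)))   # resize and brightness survive
    print(hamming(average_hash(ORIGINAL), average_hash(UNRELATED)))  # far apart
    print(link_profiles(PROFILES))
```

Because the hash depends only on which pixels are brighter than the average, the rescaling and brightness change a platform applies on upload do not break the match; only a genuinely different picture does. This is why using a different photo per platform, rather than a cropped or filtered copy of the same one, is what actually defeats the linkage.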