How often do you allow unfamiliar “friends” on social media to join your trusted network? You may think that cybersecurity experts would be careful about who they allow into their social networks and how much information they share with those connections. However, as we just learned from cyberdefense specialist Aamir Lakhani, simple attacks that rely on fake profiles to penetrate social networks are alive and well.
Lakhani, a penetration tester for World Wide Technology, recently repeated the famous “Robin Sage” study done by security expert Thomas Ryan. In 2009, Ryan tricked hundreds of defense specialists into giving him sensitive information by crafting the fake online persona “Robin Sage.” Four years later, Lakhani created a fake social media account under the name “Emily Williams” and successfully tricked cybersecurity professionals at an unnamed government agency into accepting his friend requests.
Through this, he successfully obtained access to passwords, sensitive documents, and even the computer of the agency’s head of information security. It took only 15 hours for Lakhani to gain over 55 connections to his targets via Facebook and LinkedIn. After a short time, male employees offered to help “Emily” get a laptop, and, most surprisingly, offered her a job. They also allowed her early access to their network.
This latest example shows how vulnerable our data networks are to these types of attacks and underscores the value of comprehensive cybersecurity training programs such as the Social Media Security Professional (SMSP) certification training powered by CompTIA.
So, how can you protect yourself and your organization from attacks like these? Here are three ways:
1. Don’t accept friend requests from people you’re not sure you know.
It’s important to be certain that the friendship requests you’re accepting are from actual friends. Studies show that 78 percent of all Facebook users treat the number of connections a requester has in common with their current friends as proof that the incoming friendship request is credible. Mutual connections are exactly what a fake persona collects first, so they are weak evidence on their own.
Use Google image search to validate social media connection requests.
You’ve probably used Google’s search engine millions of times, but are you familiar with Google’s reverse image search? It’s a service that allows users to search by image: you input an image URL or upload an image, and Google finds similar-looking images based on the structural and background features in the photo.
Let’s say you received a friendship request from a person and you’re unsure whether you really know them. To check whether they are who they claim to be, save their profile picture to your desktop and upload it into the Google image search field. Google will then search for other images on the web that match the photo you uploaded. The results may corroborate the identity (the same photo appears on the person’s other public profiles), or they may reveal that the photo is of a lesser-known celebrity, a model, or a stock image, which means you may be in the middle of a catfish attack. A catfish attack is when an individual pretends to be someone they’re not, as in the case of “Emily Williams.” Note that a clean result is not proof of authenticity: it only means the photo was not found elsewhere, and an attacker can use a picture that has never been published. Still, reverse image search is a quick countermeasure to these attacks and a useful tool for checking someone’s identity on Facebook, LinkedIn, social dating sites, and any other venue in which a friendship is established based on a profile.
2. Be careful when allowing “friends of friends” to view your information.
A social network is only as strong as its weakest link. Be aware of connections in your current network that may be fake—even real associates or friends may be allowing fake personas into their network. From there, it’s easy for those personas to view your information, such as posts, photos, comments, and more, if your privacy settings expose it to “friends of friends.” If your friend didn’t check the authenticity of a friend request before accepting it and you’re then approached by the same person, you could be dealing with an attacker who is using that mutual connection as a reference.
3. Stay updated on the different types of social media attacks.
Because social media attacks blend social engineering with technical attacks, no technology on the market can provide comprehensive protection from social media threats. Security training is the best way to protect your private information and your organization’s confidential information and to prevent costly and potentially embarrassing attacks. Everyone can fall prey to social media attacks—even the cybersecurity experts, as evidenced by Lakhani’s research.
About the Author
Scott A. Wells, Ph.D. is the cofounder of Ultimate Knowledge Institute (UKI) and the chief architect of the Social Media Security Professional (SMSP) certification powered by CompTIA. He is a world-renowned instructor known for his breadth of knowledge in IT and information security. Dr. Wells earned his doctorate in applied mathematics (cryptology) and has worked for and consulted for industry-leading corporations, such as Microsoft, Digital, and Cisco, as well as many other Fortune 100 companies. For the past 12 years, Dr. Wells has developed and taught hundreds of IT and cybersecurity training programs for the Department of Defense, federal agencies, and Fortune 500 enterprises.