This week’s Cambridge Analytica scandal has pulled social media privacy into focus – but data-harvesting is just the tip of the iceberg

Trust in social media has plummeted at the same accelerated pace as Facebook stock this week, following the Cambridge Analytica data-harvesting scandal, which has prompted calls for users’ online habits to be taken more seriously.

This, at least, is what cybersecurity expert Philip Tully is hoping.

As the principal data scientist at ZeroFox, Tully has long been drawing attention to the security threats emerging on platforms like Twitter, Facebook, and LinkedIn.

“Social media has, traditionally, always been a tool in the attacker’s arsenal,” said Tully, speaking at yesterday’s Infosecurity Spring Virtual Conference during a session on social media and cybercrime.

“It’s the first point that they go to do reconnaissance on their victims,” he said.

The sheer volume of personal information available on social media has made these networks an easy target for attackers, with fraudulent activity appearing as early as 2011, according to the security firm RSA.

“It’s the same old threats you see popping up again and again on these platforms,” said Tully, noting how an attacker’s aim to steal information is amplified due to the interconnectedness of social media.

“But we tend to be our own worst enemy,” he said.

Users, Tully explained, often inadvertently disclose personally identifiable information through their posts, be it a location, credit card number, or data pertaining to others in their network.

This allows attackers to create convincing profiles impersonating an individual from an organization, for example, to manipulate others into believing they’re interacting with a colleague.

Fraudsters then use phishing tactics to gain access to sensitive information, with particular success because people are, in general, 75% more likely to open an email from someone they know, CyberInt reports.

While users can now likely identify a malicious Russian porn bot for what it is, the high traffic and widespread usage of social media make it challenging both to detect constantly evolving threats and to take action on them.

Last year, for instance, one phishing attack tricked more than 50,000 Snapchat users into handing over their login details by mimicking the site’s login screen through a compromised account. A number of Snapchat employees had their identities stolen as a result.

Popular social accounts, more recently, have also been impersonated by scammers who try to trick a celebrity’s following into sending them small amounts of cryptocurrency.

The attacker mimics an individual’s profile, such as Elon Musk’s, and then posts a nefarious reply to one of their genuine tweets so that it looks like the person is replying to their own message.

“As users and employers navigate through these networks and communicate with each other, organizations are being put at more risk,” said Tully, who noted that the development of Artificial Intelligence (AI) would allow attackers to launch increasingly targeted and more effective campaigns.

Rogue social apps are another concern – third-party apps used to authenticate social accounts can provide attackers with an abundance of personal information, much like what occurred between Facebook and Cambridge Analytica.

“I think the event serves as a reminder that the data you put up on social networks is available,” said Tully, highlighting the need for companies to perform social media training and implement a security policy regarding online use.

“You should think what information would be useful to an attacker and keep that personal information offline as much as possible,” he said.

