You reveal more about yourself than you think. A variation on this scam involves trying to assess a user's public profile to determine potential commercial interests. "A hacker can scan a Twitter feed to find out that a user posts constantly about her new puppy," explains Keeper Security CEO Darren Guccione. "The hacker then creates a phishing scam that looks like a product announcement for a portable puppy crate and targets that Twitter account."
Social platforms can't keep up. Even things that seem to carry a platform's seal of approval—like a paid advertisement—haven't necessarily been vetted; the ad-buying process is wholly automated and usually pretty cheap, and it offers a great chance to get phishing links in front of targeted user demographics. "Up-front cost to the perpetrator pales in comparison to their ROI," says Tully. "On Twitter, advertisers pay only when a user engages with a promoted Tweet, and the average cost of each engagement ranges between $0.50 and $2. Perpetrators in successful phishing campaigns make off in some cases with thousands to tens of thousands of dollars in profit from things like credit card fraud or direct money withdrawal, so it only takes a single victim to make a spray-and-pray attack worth it."
Think twice even when you see someone you know. Lindsay Satmary, a blogger at Paperclips and Pacis, warns about profile cloning—scammers creating a duplicate profile for a real person in the hopes of getting that person's acquaintances to accept friend requests, giving them a trusted position in their social networks. Kevin Lee, trust and safety architect at fraud prevention software provider Sift Science, says that some attackers go one step further, compromising real accounts to spread malware and spam.
Expect social espionage. Once attackers have infiltrated a circle of friends or professional associates, they're in a perfect position to monitor networks. "Hackers can use social media to infect someone within an organization, then sit on the network and monitor their internal communications," says Asaf Cidon, VP of content security services at Barracuda Networks. "This can be carried out by impersonating a real individual, adding them as a friend on LinkedIn, or even joining an open forum or channel on a social platform like Slack."
The endgame is often a phishing attack. "Hackers can go on LinkedIn and create fake accounts posing as a current or former employee at your company," says Kurt Wescoe, chief architect at Wombat Security Technologies. "The hacker then attempts to contact multiple people at your business, collecting small amounts of data from each employee. Each bit of info on your company—location, office hours, hierarchy, email nomenclature—could potentially add up to enough info for a successful attack." Cidon describes a specific scenario: "If hackers know the exact timing of a deal that is underway and who's in charge of authorizing the wire transfer, they're able to initiate a spear-phishing attack at the most opportune time."