Hackers Love Your Social Media Shares. Here’s Why.
Article courtesy of Hongkiat.com
Social media has become an indispensable part of our modern lives. You are most likely connected to more online social circles now than ever before. The problem is that you love to share, perhaps a little too much. Yes, we were taught that sharing is caring, but oversharing can lead to privacy and security breaches.
Experts have been warning about the risks of this kind of indiscriminate broadcasting for years. There are countless stories about how Facebook activity, for example, has caused major upheaval in people’s lives, from losing employee benefits (due to beach photos shared on Facebook) to losing jobs (for a variety of reasons).
But the threats from social media aren’t limited to just bosses, potential employers and insurance companies. Hackers also prey on social media pages and use the information they find there for their own benefit. Below we discuss some of the data that hackers are after, and what they do once they have it.
Finding Your Authentication Information
When you sign up for services from banks, telecom companies and government agencies (among others), you need to prove your identity. Online, this is done by providing a username and password, sometimes together with a one-time code sent by text message to your mobile phone. Bear in mind that the text message is only as strong as the carrier’s own account checks: if the carrier verifies callers with the same personal questions described next, an attacker who can answer them can have your number moved to a SIM they control and receive your codes.
On the phone, users generally authenticate by answering personal questions. In the United States these usually include the customer’s Social Security Number, date of birth and mother’s maiden name, but may also include the name of your first pet, the elementary school you attended, or any other piece of supposedly private trivia.
How hard do you think it is for hackers to come up with this sort of information about you? Well, when you’re constantly plastering pictures, dating statuses and your plans for your kids’ next birthday party on your social media pages (not to mention explicitly sharing your date of birth), you’re basically handing over your personal data directly to hackers on a silver platter.
So maybe at least your mother’s maiden name will remain private, right? Probably not. If you connect with family members online, the information on mom’s profile page is there for all to see, and her maiden name is usually a click away: it is often listed on her own profile, or it is simply the surname of the aunts, uncles and grandparents she is linked to. Figuring that out doesn’t require serious hacking skills.
Making Educated Guesses At Your Passwords
Hackers may attempt to crack your password by systematically trying a huge number of potential passwords (a method known as “brute force”) until the right one is found. This is one of the reasons consumers are encouraged to choose a long password mixing lower case, upper case, numbers and special characters: the larger the space of possible passwords, the longer such guessing scripts take.
To improve the chances of finding the right password, and to reduce the time it takes, hackers use something called a “dictionary attack.”
A dictionary attack means the script isn’t guessing every possible string (including completely random letters), but is instead trying words from a dictionary, usually with common variations such as capitalising the first letter or appending a year or an exclamation mark. The attack is effective because most users don’t choose their passwords randomly, but use familiar words and names that are easy to remember.
As depicted on shows like Mr. Robot, social media can help hackers collect words for their dictionaries. Names of pets and family members, your birthday, your kids’ birthdays and your anniversary can be easily extracted from your social profiles and added to the hacker’s dictionary.
These personal details more often than not make their way into passwords, making this yet another case where the hacker doesn’t need to work very hard at all.
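To make the previous two paragraphs concrete, here is an added example (written for this edit, not code from the original article) of a targeted dictionary built from a scraped profile, and of the same list used both to guess a leaked password hash and, defensively, to reject passwords that an attacker would try first. The profile data, the mangling rules and the leaked hash are all constructed for the example; SHA-256 stands in for whatever hash the attacker obtained.

```python
import hashlib
import itertools

# Constructed example profile (hypothetical): the kind of details a public
# social media page leaks. Not real data.
PROFILE = {
    "names": ["Max", "Emma"],               # pet and child, from photo captions
    "dates": ["1987-04-12", "2015-09-03"],  # own birthday, kid's birthday
    "words": ["Liverpool"],                 # favourite team, from "likes"
}

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "!", "1", "123", "!1"]


def date_tokens(iso_date):
    """Fragments of a YYYY-MM-DD date that people splice into passwords."""
    y, m, d = iso_date.split("-")
    return {y, y[2:], d + m, m + d, d + m + y, d + m + y[2:]}


def mangle(word):
    """Case variants of one word plus their leetspeak spellings."""
    base = {word.lower(), word.capitalize(), word.upper()}
    return base | {w.translate(LEET) for w in base}


def build_wordlist(profile):
    """Turn a scraped profile into a targeted password dictionary."""
    seeds = set()
    for word in profile["names"] + profile["words"]:
        seeds |= mangle(word)
    dates = set()
    for date in profile["dates"]:
        dates |= date_tokens(date)

    candidates = set()
    for seed in seeds:
        for suffix in SUFFIXES:
            candidates.add(seed + suffix)
            for token in dates:
                candidates.add(seed + token + suffix)
    # Two-word combinations such as pet name + child's name.
    for a, b in itertools.permutations(seeds, 2):
        candidates.add(a + b)
    return candidates


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist):
    """Offline guess: return the candidate whose hash matches, else None."""
    for candidate in sorted(wordlist):
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def derived_from_profile(password, profile):
    """Defensive use of the same list: reject passwords an attacker would try first."""
    return password in build_wordlist(profile)


if __name__ == "__main__":
    wordlist = build_wordlist(PROFILE)
    leaked = sha256_hex("Max1987!")  # stand-in for a stolen, unsalted hash
    print(len(wordlist), "candidates; recovered:", dictionary_attack(leaked, wordlist))
```

The list this produces has on the order of a thousand entries, against a keyspace of trillions for a genuinely random eight-character password, which is the whole point of the attack. Note that a slow password hash (bcrypt, scrypt, Argon2) makes each offline guess more expensive but does not rescue a password that sits in a thousand-entry list, and an online login form with no rate limiting would let the same list be tried directly against the account.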
Sourcing Employee Email Addresses
Why stop at the mere individual when there are huge organizations just itching to be hacked?
While breaking into an organization’s internal network may require real technical sophistication, the starting point of an attack on an organization is not so different from an attack on an individual: organizations and large companies also host social media pages, and they are also guilty of oversharing.
One of the most common methods used to attack organizations is to send employees emails carrying malware, typically as an attachment or a link. Once the employee opens it, their corporate computer is infected, and the malware opens a “back door” that lets the hacker reach the organization’s internal network through the infected machine.
Naturally, some employees will be easier or more valuable targets than others. System administrators, the people who run and manage the entire IT network, are the obvious example: if their computers get infected, the hackers receive the keys to the kingdom and can reach the entire IT infrastructure.
By this point you can probably guess where the hackers begin this entire enterprise – via social media. Social networks can be used to identify the exact type of high-value employees needed for this mass infiltration.
By looking for people who hold certain positions in the target organization, the hacker can virtually handpick the employees who should receive the malware. Since most organizations follow a fixed email address “scheme” (for example, first name, dot, last name, at, the organization’s domain), the hacker can deduce an employee’s address from their name alone; a couple of real addresses from the company’s contact page or press releases are enough to confirm which scheme is in use.
Social media can also help hackers write the message that carries the malware. If the employee posted that they are going to a certain conference, for example, the email can masquerade as a message from the conference organizers. This way, there’s a higher chance the employee would not doubt the authenticity of the attachment, and open it.
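The address-deduction step above, as an added example (not code from the original article): a handful of addresses harvested from public pages is matched against common corporate schemes, and whichever scheme reproduces all of them is applied to the names picked off social media. The known addresses, the target names and the example.com domain are constructed for the example.

```python
import re

# Constructed inputs (hypothetical): addresses scraped from the target's public
# "contact us" page and press releases, and employees chosen from social media
# because their job titles read "system administrator". Not real people.
KNOWN_ADDRESSES = [
    ("Jane Q. Doe", "Jane.Doe@example.com"),
    ("Robert Smith", "robert.smith@example.com"),
]
TARGETS = ["Alice Admin", "Bob O'Sysop"]

# Common corporate address schemes; each takes (first, last) already normalised.
SCHEMES = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def split_name(full_name):
    """Normalise 'Jane Q. Doe' to ('jane', 'doe'): lower case, ASCII letters
    only, middle initials dropped. Raises if fewer than two usable parts remain."""
    parts = [re.sub(r"[^a-z]", "", p.lower()) for p in full_name.split()]
    parts = [p for p in parts if len(p) > 1]  # drops initials such as 'q'
    if len(parts) < 2:
        raise ValueError(f"need first and last name: {full_name!r}")
    return parts[0], parts[-1]


def infer_schemes(known):
    """Return (domain, [names of schemes that reproduce every known address]).
    An empty list means none of the known schemes fits; more than one means
    the sample is too small to tell them apart."""
    domains = {email.split("@")[1].lower() for _, email in known}
    if len(domains) != 1:
        raise ValueError(f"mixed domains in sample: {sorted(domains)}")
    domain = domains.pop()
    matching = [
        name for name, fmt in SCHEMES.items()
        if all(fmt(*split_name(n)) + "@" + domain == e.lower() for n, e in known)
    ]
    return domain, matching


def guess_addresses(targets, known):
    """Map each target name to the address(es) every surviving scheme predicts."""
    domain, schemes = infer_schemes(known)
    return {
        t: [SCHEMES[s](*split_name(t)) + "@" + domain for s in schemes]
        for t in targets
    }


if __name__ == "__main__":
    for name, addrs in guess_addresses(TARGETS, KNOWN_ADDRESSES).items():
        print(name, "->", ", ".join(addrs) or "(no matching scheme)")
```

From the defender’s side, the lesson is that an address scheme is not a secret and should never be treated as one: the controls that matter are the ones that hold once the attacker has the address, such as attachment filtering, link rewriting, SPF/DKIM/DMARC enforcement on inbound mail claiming to be from your own domain, and staff who know that a conference they mentioned publicly is exactly the pretext to expect.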
Arm Yourself With Information!
There are many more risks posed by social media that involve a more proactive, social engineering approach by the hacker. We haven’t even broached what hackers can do when they actively approach a user with a fake profile or fake avatar, or send phishing messages through those platforms.
Considering just how much social media has been embedded into your life, it would be wise to familiarize yourself with these threats. Be vigilant to what you are sharing online and become familiar with the consequences of such information sharing.