What Hackers Can Learn About You From Your Social-Media Profile
That post you ‘liked’ on Facebook? Your alma mater on LinkedIn? They are all clues that can make you—and your company—vulnerable.
That cute photo of your fluffy Lagotto Romagnolo on Instagram. The TikTok video of your team finally back together in the office. An alma mater highlighted on your LinkedIn page.
Armed with all that publicly available intel, a cybercriminal can cobble together a profile of you—and use it in countless ways to break into your company’s network.
They might craft an email tailored to your interests (“Hello fellow dog lover!”) that gets you to click on a dubious link, inadvertently giving them access to the network or to insider details about service providers, such as your health-insurance company, that they can use to launch a ransomware attack. Or they might pretend to be you to trap somebody else at your business (“Hey, it’s Cindy’s birthday next week, click on this link to accept the invite to her party.”). And so on.
“About 60% of the information I need to craft a really good spear phish is found on Instagram alone,” says Rachel Tobac, chief executive officer of SocialProof Security, a hacker-led vulnerability-assessment and training firm. By scouring somebody’s social-media accounts, she says, “I can usually find everything I need within the first 30 minutes or so.”
It isn’t just things that you post, either. “Every ‘like’ you make on Facebook and heart you tap on Instagram can be aggregated together to paint a fairly clear picture of who you are and what you are into,” says Carrie Gardner, a cybersecurity engineer and leader of the Insider Risk Team at Carnegie Mellon University’s Software Engineering Institute.
The potential for attack is even greater given data breaches like the recent hacks at Facebook and LinkedIn, which exposed hundreds of millions of users’ personally identifiable information. Then there’s the fact that so much of this criminal snooping is done automatically: Hackers can use powerful AI and software tools to scan social-media accounts at incredible speeds looking for details.
“We can actually automate all that reconnaissance using AI, which criminals are increasingly doing at scale in hopes of finding a lucrative victim,” says Aaron Barr, chief technology officer of PiiQ Media, a social-media threat-intelligence and risk-analytics company.
We asked security experts what social-media users can do in terms of what they post online to keep from compromising their companies’ networks. Here is what they had to say.
Think twice about what you post. Then think again
This is a classic piece of advice for protecting your online security, but it bears repeating. Stop posting private information on public platforms—things like travel plans, personal interests, details about family members or specific news about a work product. All of that information can be used to gain your trust or deceive your co-workers. For instance, a hacker might find out personal histories from your social media, then send a phishing email that says things like: “I’m sorry about your parents’ passing. I feel like I remember you wore sweaters your Mom made at school.”
Even the smallest details, which malicious actors will certainly aggregate from more than one platform, may be unintentionally revealing. Take off your employee ID in photos so hackers can’t use yours as a model to create their own, says Ms. Tobac. Don’t tag images. Geotags alert threat actors to where you have recently been, which is just the sort of kernel needed to send a malware-embedded survey about last week’s hotel stay, and hashtags let them search Twitter for tags like “#LifeAtCompany” to get intel on you or your business.
And, in photos, “move a bit away from the workstation,” Ms. Tobac says: a visible screen easily reveals which software you’re using, so bad guys can customize phishing attempts. Also, she adds, “You’d be surprised how often I see a Post-it Note with a username and password hanging there. Then I’m in.”
Stop sharing your work email
One of the easiest ways for hackers to do mischief in a company network is to compromise your email account to send phishing messages. And one of the easiest ways to stop these crooks is to make sure they don’t get your address in the first place.
That means using your work email for work only and never openly on your social-media profiles. In theory, this is easy: On sites like LinkedIn and Facebook, users can keep their emails invisible to anyone but themselves. But most people continue to make them public, thus leaving personal contact information open to data-mining firms or malicious actors.
The consequences can be alarming. Furnished with your email, an attacker can use spear phishing to infect other employees, get past the company’s defense perimeter and potentially gain access to other employees’ accounts—or spy on a company’s internal communications. In one common type of attack, called a payment-diversion-fraud scam, criminals get access to the email of an executive who approves invoices and then keep an eye on his or her message traffic, says Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, the research arm of the cybersecurity solutions firm Fortinet.
When a juicy invoice comes through, “they can change the wire-transfer instructions to go to an offshore account. And social media played a starring role in that,” he says.
Mr. Barr suggests that people have at least four email addresses—one for personal messages, one for work, one for spam and one just for social media—and, furthermore, that they never use their work email for anything else. (Of course, you shouldn’t use the same password for all of them, and you should change those passwords frequently, preferably also using multifactor authentication to make it even tougher for crooks.)
Use different profile pictures on different platforms
AI and powerful software programs can quickly search social-media accounts looking for profile-picture matches, as well as other common characteristics (username, friends, interests) across accounts, says Mr. Barr.