In the part two of this article, we take a look at the ways in which different types of information provided on social media sites are exploited by attackers. First of all, it worth mentioning that Social networking sites are open to everyone and there are no barriers for attackers to access the public pages of accounts created on such sites. Attackers may take advantage of this to gather sensitive information from users either by browsing through users’ public profiles or by creating a fake profile to pose as a genuine user and use social engineering techniques to lure the victim to reveal more information. For example, the attacker can send a friend request to the target person from the fake account; if the victim accepts the request, then the attacker can access even the restricted pages of the target person on that website etc.
Examples of activities of users on social networking sites and the respective information that an attacker can collect is shown in the following table.
| What Users Do | What Attacker Gets |
| Maintain profile | Contact info, location and related information. |
| Connect to friends, chatting | Friends list, friend’s info and related information. |
| Share photos and videos | Identity of a family members, interests and related information. |
| Play games, join groups | Interests |
| Creates events | Activities |
Credit: (EC-Council)
Like individuals, organizations also use social networking sites to connect with people, promote their products, and to gather feedback about their products and services. The activities of an organization on the social networking sites and the respective information that an attacker can collect is shown in below table.
| What Organizations Do | What Attackers Get |
| User surveys | Business strategies |
| Promote products | Product profile |
| User support | Social engineering |
| Recruitment | Platform/technology information |
| Background check to hire employees | Type of business |
Credit: (EC-Council)
The above activities result in arming the adversary or the attacker with lots of information which creates the problem of safety because of our love to share more. Yes, we believe sharing is caring, but oversharing leads to privacy and security breaches. The threat with this medium of communication is that there is lesser control, and a bad post, a hack, or an improper statement can make the organization look amateurish and offensive at worst.
There are myriad of stories about social networking or media activities that has caused significant disruption and disturbance in the lives of people and organizations from losing employee benefits to losing family, loss of huge sums of money, identity theft, damaged organizational reputation and organizational data leakage etc.
Hackers have been hunting information on social media pages and social networking sites and selling the data collected on the dark web for profit. A trillion of hackers are hard at work and are after your social security information, bank account, and social media accounts, information about your family and their identity etc. for sale on the dark web.
The below are some of the information the hackers or attackers can harvest from the social media through the information users and organizations supply when signing up for social media access and through our activities on these platforms.
Date of Birth and Location
The majority of social networking sites asks you for a good deal of data about yourself to make it effortless for other users to find and get connected with you. Perhaps the biggest exposure this gives to hackers is the possibility for identity fraud, which is becoming more and more common. Besides, the more information about yourself you reveal online, data such as your DOB and place of birth, which makes it easier for the hackers to know you and keep an eye on your activities.
Contact Number
Who would dare to broadcast their phone number to complete strangers? No one, right? Then, why share your digits on social media? Although you may be thinking that you’re just casually sharing with friends, but the social media hackers want your phone numbers, too. Hackers can type your phone number into a Facebook search and find your profile page if you have it registered. This could lead to break-in, scam, and falsification. Whether you, believe it or not, hackers can also bypass security and make use of your contact number as a caller I.D. to send text messages asking recipients to click unknowingly on a malware link.
Email Address
Did you know that one of the most common methods used by hackers to attack organizations is by sending employees emails that contain malware? Once the operator opens the attachment, their company computer gets impaired by malware which opens a back door letting the hacker into the organization’s internal network through the compromised PC. The email addresses are usually collected from social media, as many of us update our email id on the social media page, in cases where we are going to a particular business conference. They can also send an email message to impersonate as news from the conference organizers. In this manner, there is a higher probability that the target would not doubt the authenticity of the attachment, and inevitably open it.
Author : John Dadzie, Member, Institute of ICT Professionals Ghana, Network Engineer, (National Health Insurance Authority (NHIA)
For comments, contact author johnny.dadzie@live.com
Phone No: +233 244 503 883
