Social information is more valuable to cyber-attackers than you think.
Social media is experiencing explosive growth with millions of people worldwide opting to share and communicate personal and private information with acquaintances in the virtual online world. But danger is lurking, growing, and gaining momentum from attackers who will seek to leverage this data in order to improve their success and commit more heinous acts.
Social sites are regularly targeted to harvest email addresses and for portals to inject malware onto vast numbers of systems. But soon these repositories will be targeted for something more dangerous, the social data itself. The ability to identify like-minded groups is a powerful targeting tool.
A combination of factors is contributing to a critical failure point. The tidal wave of information being generated and aggregated by social networks, threat agents seeking to conduct better targeted attacks, and the ease in which data is available, will combine to improve the success of malicious attacks and change what types of acts are possible.
We all accept certain risks when connecting to the Internet. As long as we believe the benefits outweigh the risks, we should continue. This is simply good risk management, which we do as part of our everyday lives. But knowing the risks is crucial to this decision process. As an online society we have become aware and even comfortable with traditional computer attacks, ploys, and distractions. Alerts for viruses, spam, malicious links, bank card fraud, and pop-up ads to name a few, have lost their shock value. People recognize most attacks they will face are opportunistic, targeting the masses and preying on those not applying digital common sense. These are little concern as malicious emails from people you have never met are easily discarded, patches happen magically in the background, and regularly updated anti-malware applications warn and clean known viruses and worms. So why will social information be targeted and why should anyone be more worried in the future?
Information is power. The more accurate, plentiful and specific, the more valuable it is. Sadly, we are the source of our own dilemma. As a digital society, we provide the greatest wealth of personal data, in a timely manner, and make it easily accessible. The aggregation sites no longer hide in the shadows. Instead, they compete to provide the masses ways to continually feed and share more information. People ravenously consume these services without much thought and voluntarily contribute massive amounts of personal data every day.
The aggregation of data shows an individual’s scope of influence, economic standings, consumer trends, social circles, as well as political and religious positions. Combined with physical location, purchasing, and browsing habits creates a detailed profile. In exposing work, friends, and associates it is possible to derive clusters of people with similar beliefs, lifestyles, fears, and motivations.
New attacks are on the horizon.
Ideological, political, and personal attacks become very possible. In locations where people who express their view are potentially persecuted, oppressive organizations could leverage the constantly updating well of social information to harass, prosecute, coerce, threaten, or inflict harm on people who have made unacceptable opinions, travelled to forbidden areas, made friends with suspicious people, or supported ideas and groups not perceived as friendly. It can give hostile agents of such activities the means to expand their scrutiny, to friends and associates of distrusted people. Guilt by association. Will social data and connections be scrutinized when crossing borders, offered a job, or granted a benefit?
There are many organizations, groups, and individuals which look for ways to target people who do not align to their religious, ideological, or political beliefs. One of the most significant barriers to oppress others is the inability to determine who believes what. Social media solves this problem, giving those who wish to discriminate an undeniable source of a person’s alignments, through their very own words and social connections. Additionally, there are predators seeking to commit crimes against people, who are looking for way to select their victims. Social media data may become the ultimate tool to empower their efforts.
This will open doors for other aggressors targeting social targets as well. Social insights make it easier to target supporters of rival sports teams, gaming guilds, social cliques, and people with differing political views. It is now possible to target employees of a disliked company or government, people who live in a specific area, supporters of a political party or social cause, or those who are away from home.
In many ways, it is easier to act decisively against an individual who is known to commit acts or hold beliefs which are deemed offensive, rather than a group which may contain a mix. Human history is filled with gruesome examples. In the recent digital times, we are already witnessing cyber bullying, online gaming retributions which manifest in the real world, and political prosecution for voicing digital opinions among friends.
Let's not forget our current cyber attackers who are always looking for better ways to accomplish their nefarious objectives. The application of social intelligence simply enhances longstanding attacks. In the past, attackers lacked the means to target precise groups of potential victims and the ability to establish a false sense of trust. Social media data is the equivalent to marketing demographics for people with malicious intent.
Imagine a 419 internet scammer who successfully bilks money from an unsuspecting victim. One victim is good, but what if they could target the community of likeminded individuals at the same time. From a social perspective, people with similar personalities, backgrounds, and interests tend to flock together. These clusters become evident in social sites. In this example, the victim’s online friends are perfect targets. Why waste time on people who will not easily be fleeced when focus can be directed to a community who are most likely to fall for a scam. Credit card fraudsters may target the wealthy, fake aid organizations may target the affluent or people who have friends/family in affected areas, while bot herders may prey on communities new to the internet or groups less inclined to see the value of security controls. Cross referencing location, affiliation, and employment data can reveal a targets bank, investment broker, or credit handlers. Such information is the first step in sophisticated discrete spoofing attacks, to encourage victims to reveal login and transaction credentials. The opportunities for the malicious are almost endless.
Social networks also give some level of inherent credibility. Most savvy web users would never follow a suspicious link in an email sent to them from an unknown sender. However, using information gathered from social sites, an attacker could craft a message which appeared from a friend, referencing a discussion that occurred just moments before. Even the most paranoid user would likely fall victim. Taking it a step further, the attacker could recreate the banter between two friends, say chatter about a football game, and broadcast to the friend’s community, with instructions to visit a tempting malicious link.
Our private data is everywhere and easily accessible.
It is shared by the very entities we provide it to, to improve our experience and empower our social reach and influence. Many of these service providers are upstarts, with little motivation, experience, or capabilities to adequately protect our data. Privacy policies can be paper dragons without any tangible controls to support them. Security functions tend to fall far behind the pursuit of profitability, leaving data exposed. In the end, aggregated social information is not well protected and easy to obtain. It is inevitable it will become a juicy target for attackers who desire intelligence and an inside advantage on prospective targets.
Once the data is lost the security industry's capability to thwart follow-on attacks is nearly nonexistent. It is an immature field where technology is poorly adaptable. Attacks which leverage social information take advantage of human nature and our desire to be a part of our communities. Security controls rarely can stop an empowered user from making poor decisions when they believe it is safe.
We are a victim of our own social desires.
Humans are after all, highly complex social animals. Without a doubt, social platforms on the internet are very attractive and incredible communication tools. They will continue to evolve to meet the desires of users and will rush to deploy new features for people to communicate, share, and play active roles in the lives of others. But it is important we do not ignore the simple fact such devices are tools and can be wielded for both positive and disruptive means. The landscape of digital security is about to change again. We must be cautious with the most precious data we possess in this age of digital insecurity.