How Your Social Media Accounts Make Identity Theft Easier (Part 1)


Social media, e-mail, and other messaging services can be powerful tools for staying in touch with friends and family or keeping up with current events, but how can the information we share through these services be used to help fraudsters steal our identity or information? 

This post is the first in a two-part series covering several communication services, including Gmail, Facebook, and LinkedIn.  In this series, we will look at the privacy settings available to you, how the content you share can be accessed by others, and how to reduce the risk that the things you share become part of the formula criminals use to unlock your identity through a technique called “social engineering.”  Before we dive into how you can protect yourself from social engineering on the social media and communication platforms you use, let’s first discuss what social engineering is and how it is used.

What Is Social Engineering?

Social engineering is a term that refers to ways hackers or other malicious actors can leverage knowledge of human psychology and societal norms to gather information that will make it easier to exploit accounts, systems, or organizations.  Hackers can use social engineering to learn more about you, people associated with you, organizations, or specific (often influential) people.  That information can help them persuade you or others to provide additional information or take actions that put you or them at risk, aiding the hacker in committing fraud.  If you want to protect yourself from social engineering, it is important to understand the different social engineering attacks and how they work, so let’s examine each one now.


Impersonation

When an attacker wants access to something, they may use a technique called “impersonation” to try to get it.  This attack is relatively simple:  the attacker researches a person who should have access to the information or resources they want and then poses as that person.  This type of attack has been used successfully against many organizations and is a growing source of risk, according to this post by Alien Vault.

A common form of impersonation involves an attacker using e-mail to impersonate the CEO of an organization or another high-level executive.  The attacker identifies a legitimate e-mail address, then registers a fake but similar-looking address they control.  If the legitimate address is sam@littletechcompany.com, the attacker might attempt to create something like:

  • sam@Iittletechcompany.com
  • sam@littletechcompany.support.com
  • samuel@littIletechcompany.com

Each of these relies on a different trick: in the first, a capital I stands in for the lowercase l; the second is not the company’s domain at all but a subdomain of support.com that merely contains the company name; the third changes the name before the @ and inserts an extra look-alike character.  Depending on screen fonts and how much the recipient knows about the organization, it might not be easy to tell whether these are legitimate and, most importantly, the recipient might not notice the differences at all.  The attacker counts on this and follows up by asking the recipient to take actions or provide information that could harm the individual or the organization:

  • Immediate payment to a new vendor
  • Copies of sensitive product documents
  • Financial records
  • Details about upcoming business activities like acquisitions, mergers, or research and development
  • Systems information

The attacker can use this information to narrow the scope of other attacks or, in many cases, exploit what they receive or learn for their financial advantage either through direct sale of the information or through extorting the organization.
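As an added example that is not part of the original post, the following Python function classifies a sender address against the domain it claims to belong to, catching the three tricks shown above (a look-alike character, the company name buried inside someone else’s domain, and a small edit to the spelling) plus a legitimate subdomain. The confusables table and the “last two labels” rule for the owning domain are simplifying assumptions made for this example; a public suffix list would be needed to handle domains like example.co.uk correctly.

```python
from email.utils import parseaddr

# Characters that are easy to confuse with one another on screen. This mapping is
# an assumption for the example, not a complete confusables table.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def normalize_domain(domain: str) -> str:
    """Fold look-alike characters so homoglyph variants compare equal."""
    folded = domain.strip().translate(CONFUSABLES).lower()
    # Two-character look-alikes: 'rn' reads as 'm', 'vv' reads as 'w'.
    return folded.replace("rn", "m").replace("vv", "w")


def registrable_domain(domain: str) -> str:
    """Owner-level domain, taken as the last two labels. Assumption: no public
    suffix list, so two-part suffixes such as co.uk are not handled here."""
    return ".".join(domain.lower().split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, expected_domain: str) -> str:
    """Compare the domain of a From: value against the domain it appears to be."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "invalid"
    raw_domain = addr.rsplit("@", 1)[1]
    expected = expected_domain.lower()
    if raw_domain.lower() == expected:
        return "exact"
    if raw_domain.lower().endswith("." + expected):
        return "subdomain"              # e.g. mail.littletechcompany.com, owned by the company
    folded = normalize_domain(raw_domain)
    if folded == normalize_domain(expected):
        return "homoglyph"              # e.g. capital I standing in for lowercase l
    brand = expected.split(".")[0]
    if brand in folded and registrable_domain(folded) != expected:
        return "brand-in-other-domain"  # e.g. brand.support.com or brand-billing.com
    if levenshtein(folded, normalize_domain(expected)) <= 2:
        return "typosquat"              # a character inserted, dropped or swapped
    return "unrelated"


if __name__ == "__main__":
    for sender in ("sam@littletechcompany.com", "sam@Iittletechcompany.com",
                   "sam@littletechcompany.support.com", "samuel@littIletechcompany.com"):
        print(f"{sender:40} -> {classify_sender(sender, 'littletechcompany.com')}")
```

Only “exact” and “subdomain” are safe to treat as the company’s own mail, and even those prove nothing about who actually sent the message; a mail gateway would combine a check like this with SPF, DKIM, and DMARC results rather than trusting the visible address.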

Phishing

Phishing is an attempt to trick a person into handing over information they would not knowingly give to a stranger.  In its most common form, the attacker uses e-mail messages to get the recipient to click links, open attachments, or call phone numbers that lead them to share personal information, including credit card numbers, sign-in credentials, or other personally identifiable information (PII).

In a typical phishing attack, the attacker might create a fake e-mail address like customerservice@microsoftsupporteam.com, then draft a message using logos, fonts, designs, and information that would appear in a legitimate message from Microsoft.  The attacker will attempt to pressure the recipient into engaging with them by creating a sense of urgency.  In a phishing attack, the attacker might:

  • Claim the user’s account has been locked because of suspicious activity and the user must click a link or call a number to unlock the account, but failing to do so in a short period of time will result in account closure
  • Say the user’s account has “a problem” that must be remedied by phone within 72 hours
  • Explain that an order the user placed has been delayed because of payment processing problems and the user must call to provide a new payment method immediately
  • Tell the user they owe money to an organization or government entity and failure to make an immediate payment will result in the account being sent to collections or some form of civil or criminal proceedings
  • Send an attachment that contains malicious code that can capture keyboard inputs, install other applications, or send information back to the attacker
  • Send the user what appears to be personal information and make extraordinary claims about knowledge of their browsing history or habits in an attempt to blackmail the user into paying to keep that information private

When the user clicks the link or calls the number, they may be prompted to provide sensitive account information: full credit card numbers on file, usernames and passwords, or personal information like date of birth, social security number, or other items the attacker can collect in an attempt to commit identity theft or other financial fraud.  The user, worried about losing the account, might not realize that the e-mail is fraudulent or question why so much sensitive information is needed to resolve the issue.  If the user does not know the signs of a phishing attack, the attacker has a notable advantage and may be able to get the information or access they need to steal the user’s identity or accounts.
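The following Python script is an added example, not code from the original post. It runs three of the checks a mail filter or a careful reader applies to a message like the one described above: reply paths that lead somewhere other than the visible sender, the pressure phrases listed above, and links whose visible text names one domain while the href points to another. The sender domains, the phrase list, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure language taken from the scenarios above; a deliberately short, constructed list.
URGENCY_PHRASES = ("has been locked", "suspended", "immediately", "within 72 hours", "will be closed")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def header_domain(value) -> str:
    """Domain part of an address header, or '' if the header is absent or malformed."""
    _, addr = parseaddr(str(value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Reply paths that lead somewhere other than the visible sender.
    from_domain = header_domain(msg["From"])
    for header in ("Reply-To", "Return-Path"):
        domain = header_domain(msg[header])
        if domain and domain != from_domain:
            findings.append(f"{header} domain {domain} differs from From domain {from_domain}")

    # 2. Urgency language in the body.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for phrase in URGENCY_PHRASES:
        if phrase in content.lower():
            findings.append(f"urgency phrase: {phrase!r}")

    # 3. Links whose visible text shows one domain while the href goes to another.
    collector = LinkCollector()
    collector.feed(content)
    for href, shown in collector.links:
        if not href:
            continue
        host = (urlparse(href).hostname or "").lower()
        match = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", shown.lower())
        if match and not host.endswith(match.group(0)):
            findings.append(f"link text shows {match.group(0)} but points to {host}")
    return findings


# Constructed sample messages (not real mail); the domains are invented for this example.
PHISH_SAMPLE = """\
From: Microsoft Support <customerservice@microsoftsupporteam.com>
Reply-To: verify@mail-verify-center.example
Return-Path: <bounce@mail-verify-center.example>
To: sam@littletechcompany.com
Subject: Action required: your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Suspicious activity was detected. Your account has been locked and
will be closed unless you verify it within 72 hours.</p>
<p><a href="http://login.mail-verify-center.example/ms">https://account.microsoft.com/verify</a></p>
</body></html>
"""

LEGIT_SAMPLE = """\
From: Sam Jones <sam@littletechcompany.com>
To: pat@littletechcompany.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Are you free on Friday? The menu is at https://cafe.example/menu
"""

if __name__ == "__main__":
    for finding in triage(PHISH_SAMPLE):
        print("-", finding)
    print("legitimate message findings:", triage(LEGIT_SAMPLE))
```

Treat the output as signals to weigh, not a verdict: bulk senders and mailing lists legitimately use a Return-Path on a different domain, and a well-crafted phish can avoid every phrase on a fixed list. Production filters lean on SPF, DKIM, and DMARC results and on URL reputation alongside heuristics like these.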

Smishing

When an attacker leverages SMS messages to trick unsuspecting message recipients into clicking dangerous links or sharing information, that is an example of smishing.  This mobile-centric attack comes in a variety of forms, but shares many similarities with impersonation or phishing.  Common elements of a smishing attack include:

  • Messages appear to come from a known number, such as a friend or colleague
  • May include links to malicious sites, or ask the recipient to send money using a trusted app or service but to an unknown number or account
  • Often create a sense of urgency by insisting that links must be clicked, funds must be transferred, or information must be shared quickly or immediately upon receipt

SMS is an imperfect platform: it does not authenticate the sender, so the sending number can be faked through a process called spoofing.  This means an attacker can send you a text message that appears to be from a number you know, such as a parent, sibling, or close friend, and on the surface the recipient may have no way to tell that the messages are illegitimate.  In other cases, an attacker might use a short code like 53421, the kind of five- or six-digit number many companies use to simplify their messaging services, to add another layer of legitimacy to the attack.  Since few people know the short codes associated with a business, they probably will not notice when a fake sending address is being used.

Vishing

Vishing attacks leverage phone systems to collect information from a person or organization.  A common form of vishing is when a person receives a call, claiming to be from their financial institution, which informs the person that their account has been compromised or frozen and that they need to provide information to verify the account or have it restored.  Vishing attacks leverage the same techniques as other social engineering attack vectors, but can be especially dangerous because many people feel more comfortable sharing information by phone than through e-mail or by websites.

A few examples of common vishing attacks:

  • Calls that claim to be from a bank or other financial institution and show a spoofed Caller ID matching that institution, which then ask the person to share personally identifiable information like their full name, social security number, debit or credit card numbers, or bank account numbers
  • Calls claiming to be from the IRS, often with matching or anonymous Caller ID lines, asking the recipient to make a payment by phone to settle an outstanding tax debt; the attacker might apply additional pressure by threatening to involve the police or send the case to court if the payment is not made immediately
  • Calls where the recipient is told they are due for a refund or have won a prize or trip and must provide credit card or bank account information to verify their identity or to pay only a small fee ahead of receiving their prize; these may seem legitimate at first, but the promised refund, prize, or trip may never materialize and the account may receive additional, unexpected charges or other targeted attempts to take over financial accounts
  • Calls claiming to come from the support department of a well-known organization like Microsoft, Apple, Google, or Facebook alleging that the recipient’s computer or phone has a virus and that the recipient needs to share their screen or provide a payment to fix the problem; the attacker might even send information attempting to convince the user that they can prove a problem exists, but that information is incorrect or fake

Social Engineering Recap

All of the techniques above are methods a social engineer can use to convince unsuspecting people to share personal information, make payments, or otherwise cooperate with the attacker.  Impersonation, phishing, smishing, and vishing can be combined to make an attack more effective and to create the illusion of credibility.  Understanding how these attacks work, the information that makes them successful, and where to look for them can help you avoid falling victim to them.

In the coming posts, we will explore how information from multiple communication platforms, including e-mail and social media, can be used in social engineering attacks, how to identify a potential attack, what to do in response to them, and, finally, how to configure your accounts to reduce the likelihood of becoming a victim.

Join us in the coming weeks for more — if you have questions or comments, send those our way through the comments below, through Facebook, or through Twitter.
