Cyber security experts warn firms about dark side of social media use as hackers hunt data
Networking sites LinkedIn and Facebook are mined by scammers in a sophisticated bid to steal identities and emails, writes Simon Rowe
Published 23/10/2016 | 02:30
Employees who use social media and post work-related information on networking sites such as LinkedIn are making their firms more vulnerable to sophisticated hackers, a leading Irish cyber security expert has warned.
Mike Harris, who heads up the cyber security team at consultancy firm Grant Thornton in Dublin, said hackers are increasingly using social-engineering techniques to scam companies out of millions of euro by using fake emails and stolen identities culled from online personal data.
"This type of attack is incredibly common," said Harris. "I know of many Irish companies who have suffered losses, ranging from €25,000 to €2.5m, from these attacks in the past year alone. We are seeing a lot more of them."
As firms invest in ever more sophisticated IT security, cyber criminals are changing their tactics too, Harris said.
"Cyber criminals know that the easiest way to penetrate a system is to go after the user, not the computer, so they target vulnerable users with 'spear phishing' emails that are crafted to look like they come from someone known and trusted. The messages might also appear to come from banks or businesses, and can include full names, usernames, and other personal details," he said.
"It's an old-fashioned confidence trick," said Harris, "but cyber attackers are deploying it with more sophistication.
"For example, imagine I send you a fraudulent email. You might work in the finance department and I send you an email that looks like it comes from your boss requesting you to make a payment urgently into a certain bank account. Or I might send you an email that comes from one of your suppliers asking for payment of an invoice. But I give you new bank account details. I would then ask you to make a payment, but not into the standard bank account.
"I've seen this kind of scam in Irish companies, ranging in value from €25,000 to €2.5m. This is incredibly common and it's happening to organisations of all shapes and sizes," warned Harris.
But more sophisticated cyber scammers are now using popular networking site LinkedIn, he said.
"Cyber criminals are using social media and LinkedIn for information-gathering in the commercial sense and they use it to build and target these attacks.
"These attacks are getting more sophisticated. When you get an email requesting payment, it won't be from a random person, but it will come from an organisation you already know, or from someone in the organisation that you trust," said Harris.
"You might have a situation where the scammer knows who the CFO is and they have their email address. They also know from the news that the firm has made a recent acquisition, so there are loads of new people in that organisation and the hacker does a search on LinkedIn and finds out that the company's finance guy is new to the role. So the scammer then forwards an email from the firm's CFO purporting to come from the CEO to the firm's new finance director asking him to make a payment," he said.
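The CEO-fraud and changed-invoice patterns Harris describes above can be screened for mechanically before a payment is released. What follows is an added example, not code from the article or from Grant Thornton: a small Python triage routine that flags the warning signs in those quotes, namely an executive's display name on an address that is not the executive's, a Reply-To that routes answers to a different domain, a sender domain one or two characters away from a trusted one, bank details not already on file for that sender, and urgency language around a payment request. The organisation domain, executive names, supplier address, IBANs and the sample messages are all constructed for the example and are assumptions, not data from the article.

```python
import re
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

# Constructed reference data (hypothetical organisation, names and IBANs).
ORG_DOMAIN = "example.ie"
EXECUTIVES: Dict[str, str] = {          # address -> display name an attacker would copy
    "ceo@example.ie": "Aoife Byrne",
    "cfo@example.ie": "Liam Walsh",
}
KNOWN_SUPPLIER_IBANS: Dict[str, Set[str]] = {   # supplier address -> IBANs on file
    "supplies@vendor.example": {"IE29AIBK93115212345678"},
}
TRUSTED_DOMAINS = {ORG_DOMAIN} | {a.rpartition("@")[2] for a in KNOWN_SUPPLIER_IBANS}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PAYMENT_RE = re.compile(r"\b(payment|transfer|invoice|wire|remit)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|urgently|immediately|today|asap|right away)\b", re.I)


@dataclass
class Message:
    from_header: str          # raw From: header, e.g. 'Name <addr>'
    body: str
    reply_to: Optional[str] = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains (vend0r vs vendor)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(msg: Message) -> List[str]:
    """Return the BEC warning signs found in one message (empty list = none found)."""
    reasons: List[str] = []
    name, addr = parseaddr(msg.from_header)
    addr, domain = addr.lower(), domain_of(addr)

    # 1. Executive's display name on an address that is not the executive's.
    for exec_addr, exec_name in EXECUTIVES.items():
        if name.strip().lower() == exec_name.lower() and addr != exec_addr:
            reasons.append(f"display name '{exec_name}' used by non-executive address {addr}")

    # 2. Reply-To pointing at a different domain than the visible sender.
    if msg.reply_to:
        reply_domain = domain_of(parseaddr(msg.reply_to)[1])
        if reply_domain and reply_domain != domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    # 3. Sender domain within two edits of a trusted domain but not equal to it.
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            reasons.append(f"sender domain {domain} is a lookalike of {trusted}")

    # 4. Payment request quoting bank details that are not on file for this sender.
    is_payment = bool(PAYMENT_RE.search(msg.body))
    new_ibans = set(IBAN_RE.findall(msg.body)) - KNOWN_SUPPLIER_IBANS.get(addr, set())
    if is_payment and new_ibans:
        reasons.append(f"payment requested to IBAN(s) not on file for {addr}: {sorted(new_ibans)}")

    # 5. Urgency language around a payment request.
    if is_payment and URGENCY_RE.search(msg.body):
        reasons.append("payment request combined with urgency language")

    return reasons


# Constructed sample messages modelled on the scenarios quoted in the article.
SAMPLES: Dict[str, Message] = {
    "benign_invoice": Message(
        "Vendor Supplies <supplies@vendor.example>",
        "Invoice 4471 attached for EUR 12,500. Payment to IBAN IE29AIBK93115212345678 as usual.",
    ),
    "ceo_fraud": Message(
        "Aoife Byrne <aoife.byrne.ceo@gmail.com>",
        "I need you to make an urgent transfer today to IBAN GB29NWBK60161331926819 "
        "for the acquisition. Keep this confidential until I am back in the office.",
    ),
    "changed_supplier_details": Message(
        "Vendor Supplies <supplies@vend0r.example>",
        "Our bank details have changed. Please remit payment for invoice 4471 "
        "to IE64IRCE92050112345678 immediately.",
        reply_to="Vendor Accounts <accounts-vendor@outlook.com>",
    ),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", analyse(msg) or ["no warning signs"])
```

The heuristics are deliberately cheap so they can run at the mail gateway or in the finance team's inbox rules; any message that trips the bank-details or display-name check should be confirmed out of band, by phone to a number already on file, before funds move.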
What has changed is that hackers are targeting the vulnerabilities of users, not systems, said cyber security strategist Joseph Carson, who will be in Ireland to address the country's first annual cyber security conference, Dublin Info Sec 2016 at the RDS on November 15.
"Cyber criminals increasingly conduct 'reconnaissance' on employees' social media usage and cull personal information and passwords to commit identity theft in order to bypass the traditional security perimeter undetected," said Carson, who echoes many of Harris' concerns.
"We are sharing more information, ultimately causing ourselves to be much more exposed to social engineering and targeted spear phishing attacks with the ultimate goal to compromise our systems for financial fraud or to steal our identities in order to access the company we are entrusted with protecting," he warned.
"When our identities are stolen it provides the attacker with the ease of bypassing the traditional security perimeter undetected, and if that identity has access to privileged accounts, they can easily carry out malicious attacks."
Carson, a cyber security advisor based in Estonia, says social media provides a treasure trove of data for cyber criminals.
"With more than two billion smartphones, one billion Apple users, one billion Gmail accounts, 1.7bn Facebook accounts, and 300 million Twitter accounts who tweet 7,350 times per second, send 2.5 million emails per second, and transfer 1.5bn GB of data per day, hackers have a lot of data to exploit," he said.
"Every day, when using services like social media, you are sharing more and more of your personally identifiable information about your physical and digital identity with information like full name, home address, telephone numbers, IP address, biometric details, location details, date of birth, birthplace, and even family members. The more information that you make available online, the more a cyber criminal can use that personal information to easily target you as the next victim of cyber crime."
For more information: www.independent.ie/infosec2016
Sunday Indo Business