Hacking Tweeps: Twitter and LinkedIn as social engineering tools
“My internal marketing department is looking to issue a communication around Twitter account security (with a business focus).”
Use of Twitter is growing, not only between individuals connecting with their “tweeps,” but also for businesses connecting with their customers, or politicians with their constituents. Twitter has become a forum for sharing all manner of expression on all subjects.
That’s why businesses need to take special care in their security training regarding Twitter and other types of social media.
Twitter and LinkedIn are fertile sources of information for hackers preparing social engineering attacks. By gathering benign information about a company and “name dropping” in a DM (direct message) conversation, attackers may build a level of trust with insiders and thereby gain secrets.
Employees post seemingly innocuous information on Twitter that an adversary can easily gather and assemble. For example, photos of office space and co-workers, descriptions of work (My d-bag boss makes me fill in his TPS report every Friday #ihateexcel), and names of customers or clients all reveal enough information for an attacker to recruit unwitting accomplices.
I’ve used that technique in my operational penetration testing. I will call an employee claiming to be a new guy from a different office, and that my boss is yelling at me to give him a weekly TPS report, and that I’m having trouble with the macros, “could you please forward me one of yours so I could copy the formulas….”
I recommend that a business adopt a policy, well “socialized” around the office, with the following components.
- Encourage employees to limit posts to personal interests, and not to their work, office, or co-workers.
- Never share information with strangers, even longtime “connections” on LinkedIn or longtime “tweeps.” Instead, refer them to your corporate webpage, or say you will have someone get back to them.
- Always ask for a callback number or email address from anyone requesting information by phone, LinkedIn or Twitter, and forward the request to security or to marketing.
- Twitter profiles should not indicate place of employment.
- LinkedIn profiles can be more complete, but only connect with people you actually know or who are personally introduced to you. (Social engineers create fake, legitimate-sounding profiles on LinkedIn and connect to hundreds of people in a particular industry to appear legitimate.) Just because a person is connected to (or follows) many of the same people as you does not mean that they are legitimate.
Twitter and LinkedIn are great tools for business, which, if used properly by well-informed employees, won’t be a gateway for hackers.