In a detailed experiment, Stephanie "Snow" Carruthers, the chief people hacker at IBM X-Force Red, attempted to enter a secured work area of a company using a counterfeit employee badge. What helped her achieve this? A social media post by one of the company's interns.
Social media platforms are goldmines for hackers. They act as a data delivery mechanism for users' contacts, locations, and even business activities. Hackers often use this information to build a profile of a company or individual, develop targeted advertising campaigns, or craft spear-phishing attacks.
Interns and new hires on the radar
The present young generation, or Gen Z (between the ages of 18 and 24), is a prime user base of social media. According to Pew Research, 75 percent of Gen Z people use Instagram, 73 percent use Snapchat, 76 percent use Facebook and 90 percent use YouTube.
Life events like internships and new jobs easily find their place on different platforms in image or video formats. Selfies and videos taken inside the company premises can expose sensitive company information in the background that goes unnoticed by most viewers. This tendency to share frequently on social media is often combined with lax security training during onboarding, and together the two are a recipe for disaster.
However, new hires and interns are not the only sources of leaks; the social media team or senior members of the company sharing team pictures can leak just as much. Badges, video blogs, Glassdoor reviews, job boards, and selfies are some of the common sources where hackers look for information.
Let’s have a look at various social media platforms and the data they may contain that is valuable for attackers.
Instagram, Facebook, and Twitter: Hackers observe activities by interns or new employees from targeted organizations and find relevant information using hashtags such as #NewJob, #Firstday, #internship, #FirstDayatWork, etc.
What information can images disclose? Internal office layouts, desktop applications, digital files, badge pictures, Outlook calendars in the background of a quintessential coffee cup post, passwords openly written over whiteboards and desks, etc.
Glassdoor: A range of information is shared on this platform by present or former employees of an organization, including suggestions to the management team, salary ranges, typical interview questions, and other pros and cons.
Hackers can gain access to this information without breaking a sweat and use it to craft a social engineering attack on interns, new hires, or existing employees. Employees who fall for a well-crafted phishing email may end up submitting their credentials into a fake form or application.
YouTube: If a picture is worth a thousand words, then a video surely tells much more than that. A short video by an employee about a day in the office may reveal check-in procedures, building layout, parking structure, weak door controls, credentials, employees' dress code and badge or lanyard style, premises security arrangements, operating systems, antivirus choice, phone numbers, and much more.
If a hacker finds just the right video, compromising the organization’s security would become an easier task.
What can you do?
Employers should train employees and interns on keeping company assets secure to prevent social media breaches. Ask them to be mindful of company policies when posting on any social media website or other platform where company information might appear. Educating them through common scenarios on protecting personal information and securing company data is essential to enterprise security.
Here’s what you may consider doing:
- Don’t skip the security training even if it is for a single person
- If you haven’t yet, rethink your social media security policy
- Train managers and social teams to identify and report the risk
- Work with ethical hackers to look for existing blind spots