Introduction (James Saunders, CISO)
Social media enables people to communicate, share, and seek information at an accelerated rate. In recent years, social media has become the pinnacle of news consumption through its rapid dissemination, low cost, and accessibility to consumers worldwide.[1] Breaking and sensitive news is often made available first on social media, and whether or not the information is fact-checked, it spreads around the globe within minutes. Social media lets users exchange thoughts and ideas with people from corners of the world they might never visit, enables strangers to collaborate and positively impact our collective society, and increases the awareness that helps our businesses and communities grow. However, social media is a double-edged sword: for all the good we intend to accomplish with it, it is also a breeding ground for adversaries who subvert its use for their own illicit gain.
In this blog, members of the United States Small Business Administration (SBA) Cybersecurity team explain common social media risks posed by misinformation campaigns, phishing and scams, malware, and account takeovers, along with tips to protect businesses, home networks, and individuals.
Social Media Threats
Social Media Misinformation Campaigns and Measures to Fact-Check (Elizabeth Iskow, Cyber Threat Intelligence)
Quick dissemination and viral posts allow adversaries to spread misinformation and “fake news” through deepfake accounts, bots, big data, and trolls, creating circumstances that benefit their agendas.[2] Misinformation campaigns are fabricated stories presented as if they were legitimate.[3] In 2016, “fake news” emerged on social media as the deliberate presentation of typically misleading or false news claims.[4] Over the past couple of years, deepfakes have evolved as a subset of Artificial Intelligence (AI) that leverages neural networks to manipulate videos and photos while maintaining an authentic appearance.[5]
Deepfake video (right side) of Robert de Niro from iFake in The Irishman: https://www.youtube.com/watch?
To identify misinformation and guard against deepfakes, users can scrutinize and exercise skepticism when reading about divisive and emotionally charged topics;[6] verify the information or claims through reliable online sources; search for the person's other social media accounts to verify their identity; and inspect the content posted. For example, many adversaries push an old image out of context to fit their current narrative. A reverse image search can verify whether the image was previously posted with a different story.[7] Lastly, if a user identifies what they believe is misinformation, the following social media platforms offer options to report posts and accounts to reduce the spread of false information: Facebook, Instagram, LinkedIn, TikTok, Twitter, WhatsApp, and YouTube.[8]
Phishing & Scams (Ben Frost, Cyber Threat Intelligence Analyst)
Phishing scams are one of the most common social engineering tactics used by adversaries to fraudulently acquire a recipient’s personally identifiable information (PII). Examples of PII include credit card and bank account numbers, debit card PINs, and account credentials.[9] Phishing emails often include a malicious attachment or link, and the sender may appear legitimate, coming from a recognizable or reputable contact – whether it is the recipient's bank, phone company, a frequented store, or even a friend or coworker.
Phishing can also take place on social media platforms such as Facebook, Instagram, Twitter, and LinkedIn through posted links or direct messages. Adversaries use hidden or shortened URLs to disguise malicious URLs and leverage clickbait content to entice users to click a link.[10] It’s important to manage your privacy settings on these platforms so that your profile exposes minimal personal information, and to use Multi-Factor Authentication (MFA) to reduce the risk of an adversary successfully taking over your account.
Indicators of phishing emails or messages include unexpected links or attachments, poor spelling and grammar, threats that create a false sense of urgency, and spoofed websites, domains, or company logos and imagery. To avoid becoming a victim of phishing, do not click a link if it does not match the proper address of the purported sender; if an email looks suspicious, forward it to your IT Security team for verification, block the sender, and mark the email as spam.
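The indicators above (a link whose visible text does not match where it actually points, a shortened URL that hides its destination, a target domain that does not belong to the purported sender, and urgency language) can be checked mechanically before anyone clicks. The following is an added example written for this post, not SBA code or a tool the post describes: it assumes an HTML message body and the claimed sender address are available as strings, its shortener list and urgency phrases are illustrative rather than complete, and its registered-domain logic is deliberately simplified (a real deployment would consult a public suffix list). The sample message is constructed.

```python
"""Heuristic phishing-indicator check for an HTML message and its claimed sender.

Added example, not SBA code. Assumes the HTML body and sender address are
already available as strings; lists below are illustrative, not exhaustive.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative URL-shortening services (assumption; extend for your environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Phrases that manufacture a false sense of urgency (illustrative).
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "act now")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'mail.example.com'. Ignores multi-label public
    suffixes such as .co.uk; use a public-suffix list in real deployments."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL; also accepts bare display text like 'www.example.com'."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def phishing_indicators(html_body, sender_address):
    """Return human-readable indicator strings; an empty list means none were found."""
    findings = []
    sender_domain = registered_domain(sender_address.rsplit("@", 1)[-1])

    parser = _LinkCollector()
    parser.feed(html_body)

    for href, text in parser.links:
        if not href:
            continue
        target = host_of(href)
        if not target:
            continue
        # Indicator 1: visible text looks like a URL/domain but the link points elsewhere.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            if registered_domain(host_of(text)) != registered_domain(target):
                findings.append(f"link text '{text}' but target host '{target}'")
        # Indicator 2: a URL shortener hides the real destination.
        if target in SHORTENER_HOSTS:
            findings.append(f"shortened URL '{href}'")
        # Indicator 3: the link's domain does not match the claimed sender's domain.
        if registered_domain(target) != sender_domain:
            findings.append(f"target '{target}' does not match sender domain '{sender_domain}'")

    # Indicator 4: urgency language in the message text (tags stripped).
    lowered = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase '{phrase}'")
    return findings


# Constructed sample message (not a real phish) claiming to come from a bank.
SAMPLE_SENDER = "alerts@example-bank.com"
SAMPLE_BODY = """
<p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://login.example-bank.com.verify-now.example/">www.example-bank.com</a></p>
<p><a href="https://bit.ly/3xyzABC">Click here</a></p>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_BODY, SAMPLE_SENDER):
        print("INDICATOR:", finding)
```

Run against the constructed sample, the check reports six indicators: the display text "www.example-bank.com" resolves to a different registered domain than the link target, both links point outside the sender's domain, one link is a shortener, and two urgency phrases appear. A legitimate statement notification linking to the sender's own domain yields an empty list. Such heuristics are a first filter for a help desk or mail gateway, not a verdict; forwarding the message to the IT Security team remains the right step.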
Malware (James Saunders, CISO)
Adversaries treat social media as a golden opportunity to spread malware to unsuspecting individuals. Links from untrusted or unsolicited social media accounts, profiles, and messages can be booby-trapped to deliver malware to your devices. As such, malware poses a serious threat to homes, businesses of all sizes, and individuals. The following are common types of computer and mobile malware:
- Virus – Malicious code designed to harm or interrupt the confidentiality, integrity, and availability of computing and mobile devices. Viruses require human interaction to start, such as downloading unverified applications and programs from the internet or clicking links from untrusted sources.
- Worms – Take advantage of weaknesses and vulnerabilities in a system to self-replicate and automatically infect other systems without human intervention.
- Spyware – Monitors devices to collect and transmit information about your activities and data – usually without your knowledge or consent.
- Adware – Similar to spyware in that it is often installed without your knowledge or consent, adware is designed to interrupt expected device usage to display ads.
- Ransomware – Designed to encrypt your data without your consent and without giving you the decryption keys. Once your data is encrypted, you are contacted to pay a ransom to regain access to it.
Protecting yourself from malware on social media requires constant diligence. Here are a few tips:
- Leverage and keep updated your anti-virus/endpoint protection software
- Install reputable security applications on your mobile devices
- Always keep your browser and applications updated
- Be wary of applications and links from untrusted or unsolicited sources
- Use a hard token (such as a FIDO-based key) or a soft token (such as Google Authenticator) wherever possible
- Back up your data
Account Takeovers (Micah Batchelder, Security Operations Lead)
Sharing photos with the latest filters, commenting on current events, or keeping in touch with friends and family can make Email and Social Media a fun way to stay connected and current. But losing access to these accounts can cause embarrassment, financial loss, or permanent loss of the account involved. A reported 22% of internet users in the United States had their online accounts hacked at least once, and 14% have had their accounts hacked more than once. [11]
Account takeovers can result in losing control of accounts for email, social media, banking, and more. Malicious adversaries perform these takeovers for a variety of reasons, but a surprising takeaway is how cheaply compromised accounts are sold, typically for only a few US dollars.[12] The key to taking over these accounts is commonly your most widely used form of online identity: your email address. To protect against account takeovers, ensure that your email and social media accounts have extra precautions in place, such as MFA. It is also recommended to use a separate email address for your finances from the one you use for your social media accounts, and never to reuse passwords between accounts.[13]
References:
[1] Shu, K., Sliva, A., et al. (2017, September 01). Fake News Detection on Social Media: A Data Mining Perspective. Retrieved September 30, 2020, from https://dl.acm.org/doi/10.
[2] Levush, R. (2019, September 01). Comparative Summary. Retrieved September 30, 2020, from https://www.loc.gov/item/2019713404/
[3] Pennycook, G., & Rand, D. (2019, February 12). Fighting misinformation on social media using crowdsourced judgments of news source quality. Retrieved September 30, 2020, from https://www.pnas.org/content/
[4] Gelfert, A. (2019, March 08). Fake News: A Definition – Informal Logic. Retrieved September 30, 2020, from https://www.erudit.org/en/
[5] Taulli, T. (2019, August 12). Deepfake: What You Need to Know. Retrieved September 30, 2020, from https://www.forbes.com/sites/
[6] Parks, M., & Douglis, S. (2019, October 31). Fake News: How to Spot Misinformation. Retrieved September 30, 2020, from https://www.npr.org/2019/10/
[7] Calabrese, E. (2020, May 29). 5 ways to spot disinformation on your social media feeds. Retrieved September 30, 2020, from https://abcnews.go.com/US/
[8] How to report misinformation online. (n.d.). Retrieved September 30, 2020, from https://www.who.int/campaigns/
[9] CISA Publications. (2020, August 25). Staying Safe on Social Networking Sites. Retrieved October 01, 2020, from https://us-cert.cisa.gov/ncas/
[10] CISA Publications. (2019, March 15). Staying Safe on Social Networking Sites. Retrieved October 01, 2020, from https://us-cert.cisa.gov/ncas/
[11] Clement, J. (2019, December 11). U.S. consumers who have personally experienced hacking 2018. Retrieved October 1, 2020, from https://www.statista.com/
[12] Krebs, B. (2013, June 13). The Value of a Hacked Email Account. Retrieved October 1, 2020, from https://krebsonsecurity.com/
[13] Wang, J. (2016, April 29). Why I have a secret, classified email account — and you should, too. Retrieved October 1, 2020, from https://www.businessinsider.