The growing popularity of social networking sites such as Facebook and its professional equivalent LinkedIn is proving to be a weapon in the hands of cyber criminals. Many are using a process known as ‘social engineering’ to garner enough information to enable them to hack into corporate networks.
Around 12 per cent of the quarter of a million complaints of cyber crime received by the US Federal Bureau of Investigation (FBI) in 2014 included a social networking dimension - up from three per cent in 2009.
According to the FBI's Internet Crime Complaint Center's annual report: "The increased use of social media has provided a quintessential goldmine of personal data for perpetrators. More victims are submitting complaints documenting how social media was utilised to perpetrate frauds or indicating the perpetrator initiated a relationship through social engineering."
The way organised criminal gangs (OCGs) typically turn social media into a weapon is by using it to garner a vast amount of personal data on individuals working for organisations they wish to target. As organisations become more security conscious, it becomes harder to break undetected into their IT systems. OCGs are, therefore, increasingly targeting employees with access to those systems.
Websites such as Facebook, with their open profiles, numerous photographs and vast numbers of 'friends', make it simple to gather large amounts of data on a specific individual. The growing popularity of LinkedIn, a website similar to Facebook except that it is aimed at people who wish to network within their profession, also provides OCGs with a treasure trove of information.
The information garnered via social networks can be used in a simple Internet con called "spear phishing". This involves sending an email that appears to come from a known and trusted source but which is sent by the OCG. This could take the form of an email sent by the company secretary while on holiday requesting an urgent transfer of funds to an overseas bank account.
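The spear-phishing message described above leaves traces a mail gateway can check before a finance team ever sees it: an executive's display name on an address the directory does not recognise, a sender domain one or two characters away from the real one, a Reply-To steered elsewhere, and urgent payment language in the body. The following is an added example written for this article, not code from the author or any product; the corporate domain `example-corp.com`, the executive directory `KNOWN_EXECS` and both sample messages are constructed for illustration.

```python
"""Indicators of the spear-phishing / payment-redirection mail described in the article.

Added example, not the article's code or any vendor's product. Assumptions,
all constructed for the example: the protected organisation uses the domain
'example-corp.com', a small directory of executives is available, and mail is
available as raw RFC 5322 text. The two sample messages are made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                          # assumed corporate domain
KNOWN_EXECS = {"jane doe": "jane.doe@example-corp.com"}   # constructed directory
PAYMENT_WORDS = re.compile(
    r"\b(urgent|wire|transfer|bank account|invoice|payment)\b", re.IGNORECASE
)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain one or two edits from ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spear_phish_indicators(raw_message: str) -> list[str]:
    """Return the indicators found in one message; an empty list means none."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = []

    # 1. A known executive's name on an address the directory does not know.
    expected = KNOWN_EXECS.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        found.append(f"display name impersonates executive; sender is {from_addr}")

    # 2. Sender domain is a near-miss of the corporate domain (typo-squat).
    if from_dom != CORP_DOMAIN and 0 < _edit_distance(from_dom, CORP_DOMAIN) <= 2:
        found.append(f"lookalike sender domain {from_dom}")

    # 3. Replies are steered to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != from_dom:
        found.append(f"Reply-To domain {_domain(reply_to)} differs from sender domain")

    # 4. The ask itself: urgency plus payment or account-change language.
    if PAYMENT_WORDS.search(body or ""):
        found.append("urgent payment or bank-account language in body")
    return found


def is_suspicious(raw_message: str) -> bool:
    """Hold for review when the identity is spoofed or two or more indicators stack up."""
    found = spear_phish_indicators(raw_message)
    identity_spoof = any(i.startswith(("display name", "lookalike")) for i in found)
    return identity_spoof or len(found) >= 2


# Constructed sample: the "company secretary on holiday" scenario from the text.
SAMPLE_FRAUD = (
    "From: Jane Doe <jane.doe@exarnple-corp.com>\n"
    "Reply-To: jane.doe.private@webmail.example\n"
    "To: accounts@example-corp.com\n"
    "Subject: Urgent transfer\n"
    "\n"
    "I am travelling and need an urgent wire transfer to a supplier's new bank account today.\n"
)

# Constructed sample: routine internal mail from the real executive.
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: accounts@example-corp.com\n"
    "Subject: Lunch\n"
    "\n"
    "Are we still on for lunch on Thursday?\n"
)

if __name__ == "__main__":
    for label, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(sample), spear_phish_indicators(sample))
```

None of these checks relies on the content of the request being obviously false; the fraud sample is held because the identity claims do not line up with each other, which is exactly the weakness of a message that must look like it came from a known colleague. Routine mail from the real address with no payment language produces no indicators at all.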
Another way in which the personal data gleaned from social media can be utilised by OCGs is through blackmail. False-flag profiles, in the form of fictitious but seemingly attractive and genuine individuals, can be used by the OCGs to lure senior executives or staff with privileged access to the corporate IT system into indiscreet online conversations. In the past, this has proved a highly effective way of blackmailing individuals. Many have been lured into online flirtations that have included activities such as 'sexting', the posting of sexually explicit messages, leaving married individuals and those with respectable careers vulnerable to blackmail.
But there is now growing evidence that the OCGs have realised it can be highly profitable to continue to blackmail a member of staff working for a target organisation into providing access to their corporate IT systems. The future silence of blackmailed employees can be guaranteed by the threat of exposure.
However, in many cases the OCG need not go to such lengths. Often, poorly trained staff create their own passwords based on personal details such as the names of their pets. Social media is filled with such disclosures, and software is now available on the Dark Web that will generate likely passwords to try to breach the target organisation's firewall.
The growth in the weaponisation of social media by OCGs is evidenced by 49 arrests made by Interpol earlier this month (June 2015) in a joint international takedown of an OCG with members in Spain, Portugal, Italy, Georgia, Poland, Belgium and the UK.
“Once access to companies’ corporate email accounts was secured, the offenders monitored communications to detect payment requests,” says a statement from Europol. “The company’s customers were then requested by the cybercriminals to send their payments to bank accounts controlled by the criminal group. These payments were immediately cashed out through different means.”
The suspects are alleged to have breached corporate email accounts to commit financial fraud worth €6 million. According to Interpol, social engineering, the misuse of information gleaned from social media, played a key part in the alleged fraud.
According to Stewart Rowles, a well-established source in the Signals community: "By allowing staff unrestricted and frequently wholly unmonitored access to social networking sites, a larger number of companies are sleepwalking into a cyber crime nightmare."
The weaponisation of social media can also be harder to counter than a more direct cyber attack. Once a member of staff has been tricked or blackmailed into revealing the passwords that give access to the system, the breach may not be apparent for some time. The organisation concerned may not even be aware that its most confidential data may be for sale on the Dark Web.
Ordinarily, we in the UK have for the most part not understood the Dark Web or the numerous forums in which cyber hackers, cyber criminals, members of organised crime and State actors trade and operate. To operate here you need embedded sources: trusted operatives who can provide the level of information needed to forward to clients and to advise them of possible attacks. However, the corporate world is in denial over the scale of the threat and in most cases doesn't see the need for such support.
This attitude will only change when enough companies go public and admit to the damage caused to their business when confidential data such as customer records, financial details, business strategies and product designs is auctioned off to the highest bidder.
Many will have little choice once their client base and customers become aware their own security has been seriously breached.
By then it may be too late to rescue the organisation(s) concerned from liquidation.
Stuart Poole-Robb is the chief executive of business intelligence and cyber security adviser, the KCS Group.