By Eder Ribeiro
From the vast array of things I’ve seen working in commercial digital forensics and incident response, a cybercriminal gaining control of an organization’s social media accounts can be one of the most insidious. While we’re distracted by deep fakes and the potential for sophisticated new deceptions driven by artificial intelligence, today’s average cybercriminal isn’t bothering with those tech advances. There are simpler ways to infiltrate and exploit a business.
Why Business Social Media Accounts are a Target
Social media channels are a prime way for most businesses today to build awareness, engage with customers and drive revenue. Recent statistics show the vast majority of small businesses are using social media to market themselves, and for good reason. Consumer behaviors are influenced greatly by digital research and interactions with brands. Cultivating these valuable online relationships takes time and effort for businesses.
Trust and credibility are currencies bad actors seek to exploit. There are a variety of destructive acts they can carry out with illicit access to a business’s social media accounts. These include stealing sensitive information, launching phishing and social engineering attacks that appear legitimate, and posting links from the account used to spread malware, leading to the acquisition of more targets/victims. Most threat actors are ultimately seeking financial gain, but there are some, sadly, who simply enjoy creating chaos and reputational damage.
The bad guys know that once they’ve subverted a business’s social media accounts, regaining control is easier said than done, and many businesses are willing to pay to regain access. Getting help via the social media platform’s customer service can be an uphill battle and if you do catch someone’s attention, you’ll likely have to find a way to prove you’re the true account owner. This step can be particularly challenging, as I’ve seen criminals set up security features like two-factor authentication after gaining account access in order to weaponize it against the rightful owner. In some incidents I’ve witnessed, businesses have had to take extraordinary measures – like getting the attention of a prominent global media outlet – to find resolution or pay thousands of dollars in exchange for access to their accounts.
Gaps in SMB Security Practices
If all of this sounds dire, there is a bit of good news. The average business compromise happens through means that can be prevented. Here are some common scenarios.
Email phishing. We’re all busy and we all get a lot of email – and that’s made email phishing scams a tried-and-true tactic. Threat actors and cybercriminals will put a modest amount of effort into creating an email appearing to come from a legitimate source, often asking the recipient to click on a link and provide login information.
Fake authentication requests. Threat actors can flood employees with fake multi-factor authentication requests. Employees who aren’t aware of this tactic think the company system is glitching and eventually grant the request, hoping to stop the barrage of messages.
Re-using credentials. Threat actors often find account credentials in forums or compilation lists on the dark web, then use the username and password combinations they’ve obtained to access your accounts. Password sharing/reusing passwords greatly increases the chances they will be successful.
Social engineering. Cybercriminals use social engineering tactics to trick employees into revealing sensitive information, such as login credentials or other data that can be used to gain access to social media accounts.
Your defenses can be strengthened greatly against attacks by solid – and often simple – security measures, such as employee training, strong password policies, geo restrictions and multi-factor authentication. Employees with access to the business’s social media accounts should follow additional security precautions.
One tool I often recommend for any organization is something called phish-resistant multi-factor authentication. It can be implemented in many ways, including via a physical token or device. This small piece of hardware enables a form of identity authentication that employees can’t be tricked into revealing and can’t be intercepted by threat actors from the outside. It’s affordable and effective. I have no financial interest in these products; they just offer greater protection. Many commercial hosts, social media entities and tech giants already provide FIDO and Phish Resistant MFA compatibility as an MFA option for users — so the setup is already there for you to use.
Most businesses aren’t worried about their social media accounts until they’re in the unfortunate position of trying to wrest back control. But with a proactive approach and vigilance, you can continue to enjoy the benefits of social media for your business with fewer sleepless nights.
Eder Ribeiro is a senior cybersecurity program manager for TransUnion. Learn more at www.transunion.com.