SoS Musings #40 - The Need for Stronger Social Media Security

SoS Musings #40 -

The Need for Stronger Social Media Security

Social media has changed the way we communicate in the personal and professional realms of our everyday lives. According to Statista, an online portal for statistics, an estimated 3.6 billion people are using social media worldwide in 2020, with the number projected to reach 4.41 billion by 2025. Statista has also revealed that Facebook is the most popular social media platform worldwide, as the platform has more than 2.6 billion monthly active users. Other highly popular social media platforms include Instagram, Twitter, and LinkedIn. Using social media can help people build relationships, share their expertise, increase brand visibility, and learn about current events. Social media networks could also be beneficial to the security community in that they could be used to find information about newly-discovered software vulnerabilities and raise awareness about such vulnerabilities so researchers, organizations, or governments can fix them before threat actors exploit them. Though there are benefits to using social media, its continuous existence in users' lives has the potential to negatively impact security and privacy in many different ways.

One issue is that social media networks could be a breeding ground for malware. Research from Bromium has shown that high-traffic social media sites such as Facebook, Twitter, and Instagram have become massive centers for the distribution of malware and the performance of cybercriminal activity. Not only are individual users at risk of their personal systems being infected by malware distributed via social media sites, but organizations must also pay attention to the threat posed by social media sites to the security of their customer data and intellectual property as more than 12% of businesses revealed that they had experienced a security incident because of the use of these platforms by employees. A report published by Bromium, titled "Social Media Platforms and the Cybercrime Economy," highlights the various techniques applied by cybercriminals to abuse the social media ecosystem and spread malware infections. The tactics used to lure users into downloading malware include inserting malicious code or links into ads, plug-ins, apps, and posts with news, friend updates, photos, and videos. The wide variety of content that can be accessed on social media platforms also leave users vulnerable to drive-by downloads, which in the case of social media, refers to inadvertent malware downloads by visiting a website recommended in a post that contains a piece of malicious code or redirects users to another page infected with malware.

Social engineering attacks like phishing are prevalent on social media platforms as well. Arkose Labs' analysis of over 1.2 billion transactions across industry segments including social media, technology, financial services, travel, and retail, revealed that more than half (53%) of all social media logins are fraudulent, and 25% of all new social media accounts are fake. These findings suggest that social media platforms can easily be abused by cybercriminals using any form of the social engineering method phishing. In 2018, PhishLabs found that social media abuse through phishing attacks increased significantly, with the number of such attacks against these platforms continuing to grow. There are several forms of phishing that cybercriminals can perform on social media networks for fraud, stealing information and more. Threat actors can befriend a targeted user and gather more information about them to create personalized posts containing infected links to websites where their credentials can then be captured via a login-page. Using these credentials, threat actors can access the user's account to launch more attacks against new targets. Impersonation plays a significant role in the success of phishing attacks on social media—by posing as someone with authority, one could easily gain a targeted user's trust to push them into performing a specific action such as revealing personal information or clicking a malicious link. Some of Twitter's employees were recently targeted in a coordinated social engineering attack, which was later revealed to have involved another form of phishing called "phone spear phishing," also known as "vishing" or "voice phishing." The employees received phone calls from hackers posing as IT staff to deceive them into giving their passwords for internal Twitter tools. Access to these tools led to the compromise of 45 accounts belonging to CEOs, celebrities, politicians, and other high-profile users. Their accounts were used to promote a bitcoin scam. Elected officials have expressed major concern about the incident, as the compromise of an account belonging to a world leader could impact national security in the U.S. and other countries, as well as crash markets and create political conflict.

Social media bots could also facilitate the execution of phishing attacks on social media networks. These bots are social media accounts that use artificial intelligence to automate news aggregation, customer assistance for online retailers, and more. As these bots continue to become more advanced at mimicking human behavior, it is getting more difficult to detect them. Not only can social media bots help perform phishing scams, but they could also be used to spread disinformation. The security community is encouraged to continue developing solutions to reduce phishing attacks on social media and raise awareness among users on how to avoid falling victim to such attacks.

Social media users should limit the amount of information they share about themselves on social media. According to Joseph Turow, a Professor of Communication at the Annenberg School for Communication, photos and other personal information shared on social media leave users' accounts vulnerable to being accessed by unauthorized entities. Attackers can use photos shared on Facebook and other social platforms to gain more insight into the context of an individual and their relationships with others. Shared photos with hashtags can reveal information about a user, such as where they went to high school, when they graduated, what type of car they have, their favorite shows, and more. This information could provide answers to the most common security questions for bank accounts and other financial online accounts. Sharing too much about yourself on social media could increase the success of online scams, hacks, or spear-phishing attacks.

Social media puts one's privacy and security at risk, whether they have an account on such platforms or not. A team of scientists from the University of Vermont and the University of Adelaide found that information in Twitter messages from 8 or more of a person's contact can be used to predict what that person will tweet later. The study also showed that even if a person has left a social media platform or never had a social media account, that person's future activities and identity could be predicted based on their friends' online posts and words. This finding also suggests that information gathered from other people's social media accounts and posts can be used to track and potentially help facilitate the execution of phishing attacks against users on other types of platforms.

Incidents have highlighted issues with the social media platform systems and features that could impact users' privacy, security, reputation, and safety. Facebook experienced a massive security incident that impacted almost 50 million user accounts. Attackers exploited a series of bugs associated with a Facebook feature, called "View As," which is designed to let users see how their profile would appear to another user when they have their privacy settings enabled. The set of bugs related to this feature enabled Facebook's video upload tool to appear on the "View As" page and caused the uploader to generate an access token, which hackers then used to access the affected user's account. A bug in Facebook's software led to 14 million users' posts being publicly viewable to anyone even if they were meant to be private. Another vulnerability associated with the Facebook App caused iPhone cameras to activate when the app is opened, potentially allowing users to be recorded. Instagram faced a security slip-up due to a vulnerability in its contact importer feature that could have been exploited using a brute-force algorithm and automated bots to link users' phone numbers to their accounts.

It has also been demonstrated that attackers can abuse certain functions of social media platforms to incriminate or physically harm users. Security researchers at the Ben-Gurion University of the Negev identified weaknesses in the management of the posting systems of Facebook, Twitter, and LinkedIn, that could be exploited by an attack in which mechanisms implemented to prevent posts from being changed or indicate when a post has been identified can be overridden. The Online Social network (OSN) attack, dubbed "Chameleon," can change the way a user's content is displayed publicly without indicating that any change has occurred until the user logs back in. For example, a user could watch and click "like" on a post displaying a video with a kitten only to log back into their account and find that the same post that they 'liked' is an ISIS execution. The Chameleon attack can destroy one's reputation and even incriminate a user. Such an attack could also facilitate the creation and management of fake profiles on social media platforms as well as the circumvention of censorship and monitoring. Attackers sent GIFs and videos to followers of the Epilepsy Foundation's Twitter account during National Epilepsy Awareness Month using the account's handle and hashtags. The GIFs and videos displayed flashing strobe lights, which could have caused those with Epilepsy to have seizures. Although this incident does not resemble a traditional cyberattack since the Twitter account was not hacked and users were not tricked into clicking malicious links, it is still considered a cyberattack designed to cause physical harm. Security researchers must explore the untraditional ways in which attackers can harm users on social media platforms because of certain features.

There are efforts to bolster social media security. Researchers at the University of North Georgia (UNG) are working to provide Facebook, Twitter, and Instagram users with tools to protect their sensitive data. They conducted controlled experiments to see how information is stored on social media account holders' computers and web browsers, and how easy it is to extract personal data when those users are logged into their account on a certain machine. Their research also looks for security flaws in popular social media platforms and news ways for people to secure their accounts and information. Researchers at ZeroFox investigated 40,000 fake social media accounts using honeypot accounts to better understand how social engineering attacks such as impersonation work on social networking sites. More research is needed in the development of social media security solutions.

As social media usage continues to grow, especially during the COVID-19 pandemic due to stay-at-home recommendations, there are more opportunities for executing cyberattacks. The security community is encouraged to develop and improve techniques for securing social media users and the information they share on such platforms.