Successful phishing attacks via social networks
Author: Hannes Hartung

Due to the current situation with Corona, trade fairs, congresses, and other on-site appointments are only possible to a limited extent or not at all. For this reason, B2B networks such as LinkedIn and Xing are becoming increasingly relevant. Recent studies on phishing campaigns show that phishing emails that name such a network in the subject line are handled with particularly little suspicion. It feels good to generate new contacts via social media and be noticed by other network partners. Every new digital contact you make in the solitary confinement of the "home office" is a good contact. Or is it? Well, at least that's how I feel. For this reason, I have expanded my LinkedIn network from 10 to 1000 contacts in the last three weeks. As the reach of user accounts increases, so does the motivation of cybercriminals.
More and more phishing attacks via social media
In contrast to common phishing attacks via the email communication channel, cybercriminals are developing their own attack methods specifically targeted at social networks. Types of attacks such as so-called "account hijacking" [1] (German: Kontoübernahme) follow a targeted sequence and are mainly directed at accounts that have been inactive for a while, because a dormant owner is unlikely to notice the takeover, which keeps the attack undetected for as long as possible. These attacks are dangerous because once the account has been taken over, attackers can send harmful content and requests for confidential information to the victim's contacts. The existing relationship of trust between the account and its contacts makes the attacks harder to detect. Growing digital networks also mean a larger attack surface: LinkedIn accounts with many connections allow more damaging attacks. Messenger bots can be used to send automated messages to contacts, as is already common practice among salespeople.
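The pattern described above (a long-dormant account suddenly logging in and then messaging many contacts in a short time) is something a platform's security team or a company monitoring its own profile-admin accounts can look for in activity logs. The following Python script is an added example, not code from the original article or from Increase Your Skills; the log format, the account names, the event types and the thresholds (90 days of dormancy, 5 messages within one hour) are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not taken from the article): one record per
# line in the hypothetical format "<ISO timestamp> <account> <event>".
# "alice" is silent for months, then logs in and fires off six messages;
# "bob" is an active salesperson who messages a lot every day;
# "carol" returns after a long break but sends only one message.
SAMPLE_LOG = """\
2020-01-10T09:00:00 alice login
2020-01-10T09:05:00 alice message_sent
2020-04-28T22:13:00 alice login
2020-04-28T22:14:00 alice message_sent
2020-04-28T22:14:30 alice message_sent
2020-04-28T22:15:00 alice message_sent
2020-04-28T22:15:30 alice message_sent
2020-04-28T22:16:00 alice message_sent
2020-04-28T22:16:30 alice message_sent
2020-04-27T08:00:00 bob login
2020-04-27T08:10:00 bob message_sent
2020-04-27T08:11:00 bob message_sent
2020-04-27T08:12:00 bob message_sent
2020-04-27T08:13:00 bob message_sent
2020-04-27T08:14:00 bob message_sent
2020-04-27T08:15:00 bob message_sent
2020-04-28T08:00:00 bob login
2020-04-28T08:10:00 bob message_sent
2020-04-28T08:11:00 bob message_sent
2020-04-28T08:12:00 bob message_sent
2020-04-28T08:13:00 bob message_sent
2020-04-28T08:14:00 bob message_sent
2020-04-28T08:15:00 bob message_sent
2019-12-01T10:00:00 carol login
2020-04-29T11:00:00 carol login
2020-04-29T11:30:00 carol message_sent
"""


def parse_log(text):
    """Parse log lines into (timestamp, account, event) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, event = line.split()
        events.append((datetime.fromisoformat(ts), account, event))
    events.sort()
    return events


def find_dormant_reactivations(text, dormant_days=90,
                               window=timedelta(hours=1), burst_threshold=5):
    """Return (account, login_time, message_count) for every login that follows
    at least `dormant_days` of silence on that account and is followed within
    `window` by at least `burst_threshold` sent messages.

    Accounts with no earlier history are skipped: there is no dormancy to
    measure, so a first-ever login never counts as a reactivation.
    """
    by_account = defaultdict(list)
    for ts, account, event in parse_log(text):
        by_account[account].append((ts, event))

    findings = []
    for account, evs in by_account.items():
        for i, (ts, event) in enumerate(evs):
            if event != "login" or i == 0:
                continue
            gap = ts - evs[i - 1][0]          # silence before this login
            if gap < timedelta(days=dormant_days):
                continue
            sent = sum(1 for t, e in evs[i + 1:]
                       if e == "message_sent" and t - ts <= window)
            if sent >= burst_threshold:
                findings.append((account, ts, sent))
    return findings


if __name__ == "__main__":
    for account, ts, n in find_dormant_reactivations(SAMPLE_LOG):
        print(f"{account}: login at {ts.isoformat()} after a long dormancy, "
              f"{n} messages within the following hour")
```

With the constructed log only "alice" is reported: "bob" messages just as much but was never dormant, and "carol" returned after a long break but did not burst. The thresholds are parameters rather than constants on purpose, since a legitimate returning user who reconnects with a few contacts should not trigger the same alert as an account that starts mass-messaging minutes after reactivation.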
Been caught out?
If you have entered your data on a phishing website of this kind, it is imperative that you act quickly. The type and scope of the captured data vary depending on the attack. Follow these steps:
- Change your password on the real LinkedIn site; if you can no longer access your profile, try resetting the password.
- Use multi-factor authentication as a matter of urgency to protect your user accounts with more than just a password.
- If you also use the same password with other online services, change it there as well.
- If you have provided other personal data, such as your credit card information or bank details, you should block the accounts concerned as a precaution.
- A report to the police is also possible and can now be made easily online in most federal states.
Risk for employees and companies
Social networks are now a requirement of many jobs. In contrast to the company email address, user accounts on social networks are not so easy to separate into private and business use. As such, the risk for employees in their role as private individuals increases. This is not only dangerous for employers but usually expensive as well. Protecting the accounts of employees who hold administrative roles on company profiles is therefore essential. A fake post placed by an attacker on the company's page can lead to severe economic and reputational damage. Therefore, ensuring employees are aware of – and are effectively trained in – information security is more important than ever. Increase Your Skills GmbH can train your employees to handle personal data and cyberattacks correctly. Increase Your Skills' innovative platform helps raise awareness among your employees and ensures your company data stays protected.
[1] Hijacking. In: Wikipedia, [online] https://de.wikipedia.org/wiki/Hijacking [29.04.2020].