It’s been a bad year for Facebook so far. They recently revealed that they may have improperly shared the details of 87 million users with a third-party, the now-infamous political consulting firm Cambridge Analytica. Then, on Wednesday, Mark Zuckerberg himself admitted during a press conference that “malicious actors” may have took advantage of Facebook to obtain the public data of all or most of Facebook’s 2.2 billion strong user base.
Social Engineering is becoming a larger problem for businesses and consumers alike over the past years. So what does it mean if cyber criminals have access to your public data?
This latest Facebook fiasco has come about due to malicious data scrapers taking advantage of Facebook’s search feature, which by default allows users’ public profiles to be found by searching using a phone number or email address. These cyber criminals obtain data such as phone numbers and email addresses from databases of known hacks and data breaches on the Dark Web, and piece together whatever information they can to build up a profile on as many people as possible – with the intention of manipulating them using social engineering or committing identity fraud.
Zuckerberg told the press that all of Facebook’s users should assume that their public data has been compromised. “It is clear now that we didn’t do enough, we didn’t focus enough on preventing abuse,” Zuckerberg told reporters. “We didn’t take a broad enough view of what our responsibility is, and that was a huge mistake.”
Facebook have disabled the feature since discovering the breach, however since this was enabled by default for all users, it is believed that most if not all Facebook users have had their public data compromised. “I would assume if you had that setting turned on that someone at some point has access to your public information in some way”, according to Zuckerberg himself.
Further damning information was revealed by Facebook’s Chief Technology Officer, Mike Schroepfer, who commented in a blog post, “Malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
What is social engineering and what does this breach mean to me?
Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, or direct contact to gain illegal access. Phishing, spear-phishing and CEO Fraud are all examples. It is often as simple as an email asking you to view an invoice, check out suspicious logins on your account, or even update your password. Cyber criminals will make these emails look as legitimate as possible, and then use social engineering to convince you to carry out the action without second-guessing the action. In more advanced attacks, such as spear-phishing, the emails may even appear to come from within your organisation. All of this is to convince you to do something that would allow hackers to infect your PC with ransomware or other forms of malware.
There are two ways that users and indeed businesses may be affected by this breach – social engineering and identity fraud. As detailed above, social engineering techniques allow hackers and cyber criminals to target individual users and larger-scale operations such as businesses, charities and government organisations with very targeted phishing emails. Phishing is the top attack vector for ransomware, which is particularly deadly due to the fact that many recent variations are designed to cripple an entire network in one go. One click from an unsuspecting user can cause all other PCs on the network to become infected, risking costly downtime, data loss and even data breach fines.
Identity fraud often goes hand-in-hand with social engineering, and has been on the rise in recent years, due to a shift in how cyber criminals operate in latter years. Rather than sending forth random destructive malware into the world (via the internet), criminals have refined their operations to make more money for their troubles. Why do cyber criminals target data? Because in the world of today, data is where the money is. The more data that criminals gather on an individual or organisation, they may be able to impersonate people by sending out emails that appear to come from them, often attempting to trick other users into transferring money to a criminal account or taking other seemingly innocuous actions that harm their organisation.
Another crucial shift in the behaviour of cyber criminals is due to the increased sophistication of next-generation antivirus, firewalls, and other cyber security software and hardware. Cyber criminals have found it much simpler and easier to take advantage of human error through social engineering and other means than to crack complex security systems. However, as WannaCry and other mass-ransomware attacks have shown, one bad click is more than enough for hackers to breach a network and make their money off the backs of legitimate businesses.
How do I protect my company against social engineering and identity theft?
As cyber criminals are increasingly targeting humans instead of systems, the best response is to make your users aware of the risks they face, train them to identify potential phishing scams and take the correct actions to prevent a breach, and develop company-wide policies that will reduce the risk of social engineering attacks being successful.
First and foremost then, all users in an organisation should be trained in cyber security awareness. Yes, all users, not just management and finance, as ALL users can be targeted by phishing scams and all it takes one bad click from ANY user to compromise your network and cause your organisation to become the next data breach headline. Training staff should not just be a once-off occurrence either, as cyber crime is constantly changing and what they have learned may get forgotten if not refreshed on a regular basis. At Tech Guard, we generally advise training at least once every six months, but preferably quarterly, and even more often in some cases.
The next step we would advise is to phish your own users. Simply put, cyber criminals are going to phish your users with malware, so if you don’t phish them yourself with harmless, simulated emails, then staff simply won’t be able to recognise a sophisticated phishing email when they get one. At Tech Guard, we typically advise running a blind baseline phishing test to assess your organisation’s risk, then continue an ongoing phishing program after they have received initial training, to keep security top of mind and ensure that any user who is still clicking can undergo remedial training. As a side bonus, if this process is properly documented, it can be very beneficial in demonstrating good cyber security practice – for example, demonstrating this is an important requirement of the GDPR.
Another step that we would recommend which particularly applies to the threat of identity theft is to develop procedures around sensitive processes such as data or money transfers to ensure that criminals are not on the receiving end of the transfer. The classic example of this is CEO fraud, where criminals spoof (impersonate) the email addresses of the CEO, CFO or other high-level exec, and request from finance that funds are transferred to a new account. An example of a simple company-wide procedure that can prevent this is to always receive vocal confirmation before processing any transfers to new accounts – when finance receives that email, they simply pick up the phone to the sender to confirm that they did indeed send the email.
I don’t have the time or resources to train and phish my users in the way described above – what do I do?
Many organisations are in this boat. They know that they probably should be doing more to combat phishing and social engineering, but they can’t afford to hire an additional staff member to manage everything effectively, and existing staff don’t have the time to upskill to the standard required. This is where managed service providers come in. Many cyber security companies (such as ourselves at Tech Guard) offer cost-effective packages for businesses and organisations of any size where we fully manage a training and phishing platform for them – freeing them up to focus on their business, knowing that their risk has been significantly reduced. We also offer a phishing risk assessment for companies, starting at just €99, to gain an accurate picture of how much risk is present in your organisation. Speak to us today for more information.