Social Network Training


Social Engineering / Individual Targeting

Since SNS encourages socialization and collaboration not only with friends but also with strangers, the potential for social engineering attacks is magnified. Attackers can use social engineering techniques to lure a user into taking an action that harms that user.

The more pieces of information an adversary can collect, the more opportunities they have to meet their objectives. An adversary may be a hacker on the other side of the world simply targeting you to obtain a good credit card or bank account number, or an adversary could be a militant, collecting data to identify members of the armed forces to either inflict harm on the member(s) or collect small pieces of data leaked by many members to consolidate a picture of our capabilities and plans. An adversary may never target you directly; rather, they may use data they collect from you and others to harm other service members in the AOR.

This video clip illustrates how easy it is to gather information through social networking.

This video clip further highlights the possibility of gathering information on one person through several social networking sites, and the importance of being vigilant and safeguarding information that is posted.


Video Transcript

It is remarkably easy to collect and consolidate information made available through public SNS profiles. With a little work, it is possible to build a picture of an individual based solely on information made public on the Internet. In addition, it is remarkably easy to obtain information "protected" by the privacy controls of an SNS through the use of this type of social engineering.

The following screenshot illustrates a leak of Critical Information List (CIL) items on a real SNS. The names of the participants have been blocked out, but the conversation did occur.

[Image: conversation]

During the development of this course, we selected 100 random people to add to our SNS site's friends list. Of the 100 random people, 30 added us as friends without contacting us or challenging our identity. An additional 5 people added us and removed us shortly thereafter, presumably because they didn't know who we were. 35% of the sample, therefore, allowed us to access data that may be personal and could be used to phish more data from the individuals. More importantly, we now had access to the users' posts and those of their friends.
