The way users interact with brands is changing. There are 3.03 billion active social media users worldwide, and according to Yahoo’s Flurry, in 2016 time spent on social apps increased by a whopping 394% year over year. With an average user spending 2 hours and 15 minutes daily on various social media platforms, social media is an exciting frontier for brands. Companies of all sizes are leveraging platforms like Twitter, Facebook, and LinkedIn for customer engagement, support, and monitoring customer sentiment.
However, as the salience of social media platforms in our daily lives increases, social media has become an important attack vector that enterprises can no longer ignore. Although social media sites themselves are largely outside the control of enterprise security teams, they provide a perfect gateway into your networks through social engineering, malware and phishing attempts. As company operations continue to undergo a digital transformation, new risks emerge from social media usage by your employees and customers. In fact, 13% of large organizations experienced a breach relating to social media sites in 2016, and this number is likely to grow going forward.
What Are the Most Popular Types of Social Media Attacks?
- Reconnaissance: An attacker can glean useful information by reading the social media posts of a brand, as well as the posts by its employees. This information can then be used to create fake social media profiles that impersonate someone from your organization or a known public figure and are used to distribute malicious links. The information gathered from social media can also be used by cyber criminals to craft phishing emails that look more authentic, making it more likely that recipients click the included links or download the attachments, either of which can install malware on the endpoints used by your employees. People are 74% more likely to open an email when it comes from someone within their organization, making social engineering tactics very valuable for the attackers. Combined with the fact that 50% of the top 500 Alexa websites are spoofable, organizations can no longer ignore the potential damage that can be inflicted through sophisticated social engineering tactics on social media.
- Technical exploit delivery: Social media is a very effective malware delivery mechanism. Malicious links can be rapidly distributed through social media posts, comment threads and private messages. We analyzed the social media profiles of 25 Fortune 500 companies and discovered that 1.92% of all posts, comments and tweets were malicious or attempted attacks.
- Brand Hijacking: Digital brand hijacking can make or break your business. In the age of digitalization, intangible assets such as the brand name and your brand’s reputation comprise as much as 88% of enterprise market value. Cybercriminals can easily hijack your online brand by creating fake company pages and online communities, abusing your brand and its reputation for personal gain. Attackers can use these pages to distribute malicious links, mislead your customers and cause reputational damage.
- Weaponization of social media profiles: Complete and convincing fake accounts are created and then linked to many other phony profiles in order to boost their credibility. Often, these accounts adopt the persona of a talent recruiter (headhunter) to entice users to connect with them.
- Malicious bots: Social media bots are often used to mass distribute malicious content. Bots can generate fake likes, retweets and views for fake user profiles to boost their credibility and reach. Tens of millions of malicious bots infest social media platforms, many of them used deceptively for political purposes or malicious gain.
- Distributed denial of service (DDoS) attacks against company pages: Attackers can launch a DDoS-like attack against a brand’s official Facebook page, for example, and flood it with bot-generated comments, which are too numerous for the brand to respond to and come in faster than the company can delete them. This makes the page useless for the intended customer engagement or brand promotion.
- Social engineering: As we explained above, attackers can gather information from public-facing social media accounts, which can then be used to construct convincing phishing emails and BEC attacks. With BEC attacks totalling over $5 billion in damages worldwide, enterprises should pay close attention to the role of social media in planning and executing sophisticated social engineering attacks.
Digital Risk Requires Digital Defense
Given all the ways that social media can be used to attack your brand, how can organizations protect themselves? One way is to treat social media with the same level of scrutiny as other channels. Just as you teach your team about scanning email attachments before opening them, reporting suspicious emails, and other security essentials, you also need to train your personnel about these common social media attacks. However, awareness, while important, will not be able to stop all the attacks. It is important to have a coordinated social media and digital brand protection plan in place.