The New York Times carried a story on May 28th (hat tip to Dave Ries) demonstrating that it took only one attempt for Russian hackers to make their way into the computer of a Pentagon official. But the attack didn't come through an e-mail or a file buried within a seemingly innocuous document.
A link, attached to a Twitter post put out by a robot account, promised a family-friendly vacation package for the summer. It was the kind of thing anyone might click on.
So . . . while we're all busy training folks on phishing attacks via e-mail, the bad guys have moved to a new attack vector – social media accounts.
Pentagon officials are increasingly worried that state-backed hackers are using social media sites such as Twitter and Facebook to break into Defense Department computer networks. And the human error that causes people to click on a link sent to them in an e-mail is exponentially greater on social media sites, because people are more likely to consider themselves among friends and colleagues there.
As always, once one person is compromised, attacks can move quickly through that person's friend network, leading to what the officials described as a nightmare situation in which entire departments at the Pentagon could be targeted. And while officials know about the problem, training about how to spot an attack that comes through Twitter and Facebook remains limited.
And that is certainly true in law firms and other business entities.
Few people realize that a message on Twitter or Facebook can be spoofed or imitated so that the attacker appears to be a trusted friend. This is spear phishing of a new type.
A report in Time magazine in May revealed that a Russian-led cyberattack tried to spear phish 10,000 Twitter accounts belonging to Defense Department employees, using personal messages targeted at specific users.
The Defense Department did not respond to a request for comment. Twitter says it is "monitoring" spear phishing on its platform. Facebook said it was using specialized notifications, detection systems and user education to counteract spear phishing. Cybersecurity companies said spear phishing through social media was one of the fastest-growing methods of attack.
According to a 2016 report by Verizon, roughly 30 percent of spear phishing emails are opened by their targets. But research published by the cybersecurity firm ZeroFOX showed that 66 percent of spear phishing messages sent through social media sites were opened by their intended victims.
Double the fun, eh?
In the Defense Department attack, for example, 7,000 employees took the first step toward being compromised by clicking on a link, said Evan Blair, a co-founder of ZeroFOX. "The attacks are so much more successful because they use your personal timeline and the content you engaged with to target the message to you," Mr. Blair said.
Simply by looking at public posts, attackers can easily see if an account has mentioned a certain band or sports team often, then tailor a message pointing to tickets going on sale for an event. On Facebook, an attacker can see which groups have been joined, or which public pages have been liked.
In an experiment last year, ZeroFOX created an automated program that taught itself to send spear phishing links to Twitter users. Over two hours, the program sent links to 819 people, at a rate of roughly 6.75 messages per minute. Two hundred seventy-five users opened the links.
One can only imagine what a bot army is capable of.
Mr. Blair said that in the case of the Defense Department, the links had carried the malware. Once people clicked on the link, they were infecting their computer networks. In many cases, the attackers targeted members of Defense Department employees' families, who were less likely to be suspicious.
In fact, the Defense Department employee who told The Times that he had been part of the recent breach said he had been targeted through his wife's Twitter account. It was his wife who clicked on a link to a vacation package, after exchanging messages with friends over what they should do with their children over the summer. Once the hackers got into her computer, the official said, they got to his computer through a shared home network.
With four Employee Security Awareness training sessions for law firms coming up, I can see that the content of this story needs to go in the PowerPoint.