One of the most popular exploitation methods used by hackers when targeting social media users is social engineering. Using confidence tricks, a hacker can manipulate his target into performing actions or disclosing confidential information. If pulled off successfully, a social engineering attack could give a hacker complete access to the target’s social media account with little effort.
One method a hacker could use exploits Facebook’s account recovery policies. To gain access to your Facebook account when you forget the password, you can have Facebook send a password reset link to your email. If you no longer have access to your email, you have the option of contacting Facebook and asking them to change the email on the account. For Facebook to accept a request to change the email on an account, the person requesting the change must confirm their identity as the account owner.
There are two main ways to confirm your identity: a picture of a government-issued ID, or two non-government forms of identification. Once the user has supplied this information, Facebook checks whether the photo, name, and birthday on the supplied forms of ID match what is on the Facebook account. No other information on the ID is needed, and Facebook asks that it be covered up before the ID is sent in. If the photo, name, and birthday match what is on the account, Facebook approves the email change request. A hacker can exploit this simply by downloading a photo of the target and researching the target’s name and birthday. Given the nature of social media accounts, this information is not hard to obtain. Once the hacker has it, he can simply photoshop his way into complete access to his target’s Facebook account.
Through various phishing attacks, hackers can trick social media users into downloading and distributing malware. Common attacks use enticing posts, content sharing, and tagging on social media sites to lure users to a website that prompts them to download malware disguised as an Adobe Flash update. Agreeing to download the "Flash update" installs hidden malicious programs that can monitor keystrokes and control web traffic. Additionally, the malware hijacks the user’s social media account, forcing it to post and share malicious content.
With recent data breaches disclosing account credentials from large social media sites such as LinkedIn and Myspace, everyone who uses social media should be changing their passwords. One of the largest reasons social media accounts are being compromised today is that users reuse passwords that are easily found in breach dumps posted online. Another reason social media accounts are being compromised, especially on Twitter, is unmonitored access granted to third-party applications. Because third-party programs such as news and photo-sharing applications can post to your Twitter account once you authorize them, they become a security risk: if that application gets hacked, your Twitter account may be compromised as well.
Jonathan is President & CEO of SystemExperts Corporation, a network security consulting firm specializing in IT security and compliance. Jonathan started the company in 1994. He plays an active, hands-on role advising clients in compliance, technology strategies, managing complex programs, and building effective security organizations. Jonathan brings a business focus to this multifaceted work balancing all technical initiatives with business requirements and impact.