Thanks to Mark Zuckerberg’s recent highly publicized social media account issues, most executives probably received a serious talking-to from their security chiefs about the need to frequently update and change their passwords on social media.
While losing control of an official social account is a serious matter, it may well be just the tip of the iceberg when it comes to criminal behavior online. Turns out, executives can lose control of their social domain identity in another, potentially more dangerous way: they can fall victim to a masquerade account.
Recent analysis by security firm BrandProtect found that more than 15 percent of Fortune 100 CEOs with LinkedIn accounts are represented by multiple LinkedIn profiles, and almost 40 percent of Fortune 100 CEOs on Twitter are plagued by at least one duplicate or copycat account. While not every duplicate account poses an imminent threat, the mere existence of these accounts is cause for concern, especially among this elite group of prime targets. That’s because more and more criminals are now using duplicate social media accounts—also known as “masquerade accounts”—to conduct social engineering exploits.
How does it work?
Professional networking sites like LinkedIn are a treasure trove for cyber criminals. On these sites, well-intentioned professionals provide copious details of their work and personal life. The problem is cybercriminals can then use various techniques to mine this valuable personal information for social engineering, and exploit planning. They go on to steal an individual executive’s identity, and weaponize it by using the masquerade account to potentially attack peers, partners and subordinates.
Because the barriers to making a social media impersonation account are low, it’s easy for a social engineer to assume practically any identity they want, and then work to make that identity look plausible and trustworthy.
Existing profiles of actual professionals are easily mined for the plausible work histories and key words that come to populate imposter profiles. The criminals create hives of imposter accounts to generate fictitious endorsements, recommendations and contacts. Then the criminals use these accounts to reach out to other, legitimate network users. They even create affinity pages and user groups to involve more professionals in their schemes.
As the cybercriminals build connection networks full of legitimate profiles, they gain access to a trove of social engineering information, including workgroup information, names and nicknames of colleagues and peers.
The scammers are able to deduce reporting structures, learn about projects that are in process, and sometimes even gain visibility to “inside information” such as work and vacation schedules. After a long reconnaissance, collecting and mapping social engineering data, the cybercriminals will spring their endgame, usually in the form of a carefully constructed and completely believable spear phishing email used in a targeted BEC (business email compromise), ransomware, or whaling scheme.
The attack email will seem to come from a logical and trusted source. It will talk knowledgeably and casually about company issues. Only then will it ask or demand an action of the reader—opening a malware or ransomware-laden file, network access, or even the transfer of funds. No matter what the final email seeks, the result won’t be good for the company.
These exploits are just the latest of a new class of attacks that threaten professionals and their businesses—attacks that develop entirely outside the traditional enterprise security perimeter, targeting social profiles that can be mined for future schemes.
But enterprises can do something before these potential attacks strike. Here are a few best practices that security teams can enact to minimize the operational, financial and reputational risks caused by masquerading accounts and impersonation accounts:
- Identify duplicate domains that represent real company employees. If it appears that an employee has multiple accounts, make sure you understand what is going on.
- Look for, review, and validate other LinkedIn profiles that claim an association with your company. When a rogue account of any kind is discovered, it should be reported.
- Audit and evaluate LinkedIn groups, including alumni and affinity groups that are connected to the company. When an unauthorized social domain is identified, it should be shut down.
Employees, from CEOs to individual contributors have personal responsibilities too. In a world where online connections are an essential part of a professional’s portfolio, everyone must take steps to ensure information is secure. Here are three simple ways to help protect yourself on professional or social media network sites:
- When a stranger asks you to connect online, be careful. Ask yourself, how do I know them? Do we have any common connections? Do we have many common connections? Only connect to people you are confident in.
- When a friend or colleague asks you to link online, be just as careful—were you linked to them before? Review the profile with suspicion. Does the job history of your “friend” make sense? Do their connections make sense? Search for your friend’s actual profile. You may be looking at a connection request from a scammer. If you are suspicious, report the profile to the site.
- Finally, whenever you receive an email from someone asking you to review an attachment, follow a link, or take an action (including wiring money somewhere!), ask yourself, “Is this an email that I expect, from a source that I trust?” The more urgency the email conveys, or the stranger the story, the more your threat radar should activate. Before you click, take steps to independently verify the legitimacy of the request.
And… Don’t forget to change your passwords!