Abuse of popular online services for cyberattacks under scrutiny
Matt Webster, security researcher at SecureWorks, highlights the rising use of social media in attempted cyberattacks
As the arms race between security professionals and cybercriminals continues, those with malicious intent are continuing to leverage popular online services to target business data.
Organisations face a difficult decision of how to curb the risk of these behaviours, whilst allowing employees access to the online tools they find most productive in their roles. Businesses should seek to understand and manage the risk of these behaviours, which include the abuse of social media and online file storage services.
Social media: reconnaissance made easy
Social media continues to be a powerful resource for a range of cyber threat groups, with information from these sites being used as a means to better understand and socially engineer their intended victims. Over the last 12 months, sophisticated cybercriminals have used social media channels to gather supporting information for launching credible and convincing social engineering attempts. These attempts were typically in the form of spearphishing emails and were sent to individuals in specific roles within targeted organisations.
In addition, threat actors use online recruitment services and popular business networking platforms as a means to identify particular profiles of individuals within organisations they are trying to target. In some instances, threat groups have cultivated relationships with their intended victims, which have subsequently been exploited as part of their intrusion attempt. For example, sophisticated threat actors have posed as job recruiters online, using these profiles as a means to interact with their intended victims, and subsequently encourage them to download malware hidden in a fake CV application tool.
Adversaries are also using these sites to get the inside track on an organisation’s operations, security tools and information assets. For example, IT security professionals who post their CV online may include details on their organisation’s implementation of specific security tools and technologies, thus presenting an advantage to the adversary.
Using a few simple online searches, threat actors can build a detailed understanding of an organisation’s people and security, and as a consequence increase their chances of success. As both individuals and organisations are constantly evolving how they interact online, the associated risks to network security will evolve in turn, creating challenges for network defenders when trying to understand and monitor these risks.
Online file storage concerns
Personal data storage websites are convenient, accessible and often free of charge, which has prompted a significant growth in use of these services, both in a personal and professional context. The challenge for IT security professionals is that cybercriminals have leveraged online storage services to fulfil a variety of objectives at different stages in their intrusion. This means that the risks from allowing these services can be dynamic and challenging to manage.
Threat groups have been known to use free cloud storage websites to deliver malicious software to their intended victims. In recent examples, both remote threat actors and actors with insider access have uploaded stolen data from victim networks onto personal storage websites, where it can later be retrieved. Malicious activity on popular file storage websites can be difficult for network security systems to detect, as it is not easily distinguished from legitimate traffic, and some automated detection technologies may also be configured to trust these popular sites.
The vast majority of popular file storage and social media channels also encrypt communications between users and the website, meaning that in some cases network defenders may have limited visibility of malicious use.
Considerations for managing these risks
Organisations should start by evaluating whether their business needs universal access to social media, professional networking and personal storage sites on their corporate systems. Where organisations do not require access to these sites to successfully operate, the associated risks can be significantly reduced by preventing access or allowing access by exception.
Other approaches to managing this risk include:
- Educating employees to avoid risky online behaviour
- Creating, and importantly regulating, policies that prevent disclosure of sensitive business information
- Monitoring the organisation’s brand on social media and business networking platforms
- Implementing endpoint monitoring and Data Loss Prevention technologies