CAUTION: Keep Your Digital Image (Social Media) Secure With These Tips
Last night, while scrolling through one of my Twitter feeds, I noticed a series of peculiar patterns, and that is where I connected the dots: the hacker community was "conventionally" targeting both influencers and anonymous (average) individual accounts.
I wondered why. It also reminded me of a time when I saw suspicious activity on my own online accounts, outside social media. The trauma, and the first signs that you are losing an account, are something many of us can relate to.
Have you ever been a victim of any hack, mainly on social media?
Well, I have suffered from that eerie nausea myself. This is why I intend to write down compelling practices that are easy to deploy and that mitigate the risk of this unfortunate occurrence.
So I decided to bring together the standard techniques that victims discovered and learned from their past experience(s). The structure of this article is:
1. What actually happened?
2. How do you figure out it happened?
3. What was wrong with my preoccupied strategy?
4. What have I learned?
Before I start...
Note: We do not incorporate any screenshots found during the Twitter search! We respect privacy and refrain from exploiting this exercise.
What actually happened?
There's nothing worse than working hard to build a following and then losing it from your account just because it got hacked! During the lockdown, social media distracts us with funny videos, but it could also expose us to potential spammers, scammers and hackers.
So what are the common loopholes?
- The passwords are based on personal information, such as date of birth, phone numbers, etc.
- They use a frequently used word or phrase as their password, such as "Imissyou".
- The sequence is predictable, such as "qwerty" or "abcdef2341".
- The passwords are reused; for example, the passwords on Gmail and on social platforms are the same.
- SMS-based (text message) 2FA is used.
Pro Tip: Don't PANIC. Drink water. It is just a matter of common sense across the social media branches - Twitter, Instagram, Facebook and LinkedIn.
How do you figure out it happened?
A classic example would be the famous hack of Mr Dorsey's account, which was due to SIM swapping. I won't discuss the details here, but a little recap would do wonders. SIM swapping (a.k.a. identity theft via the phone number) is a technique where the hacker takes possession of the victim's current carrier number by having it transferred to a new SIM card. They typically impersonate you or bribe the customer support staff.
This way, they blasted out tweets via the SMS posting option. Alarmingly, this is NOT the only way they can hack you! Let's look at the other ways they could get into your account. Here is a handful of information:
1. Social Engineering
2. Misconceptions of Social Media
3. How do they do it?
4. Hacking Tactic (this is for education so YOU can prevent them)
Let's begin with the initial fancy word - SOCIAL ENGINEERING.
Social engineers recognize that individuals know the value of such information but are reckless in protecting it. Social engineering is a tool used by hackers to draw victims into disclosing sensitive details.
That enables hackers to:
- Infect devices with malware
- Get you to access sites that are compromised
- Use your system by different means, such as in botnets
Quick Question: Why do you think Mr Dorsey's account was hacked?
- Steal bucks
- Fun or Fame
- Spread out political agendas
It could be any reason; unfortunately, we can fall under this radar easily.
So it doesn't matter who you are. Hackers are always after you. The plausible reasons would be:
- Hackers are on the hunt, looking closely at the flaws within our PCs, devices, or networks.
- They have a sophisticated understanding of programming languages.
- When it comes to hacking, it takes patience and loads of technical knowledge.
- People use common passwords and share all of them online.
- Hacker-accessible tools make it easy to crack these passwords.
- Your online footprint offers quick access for hackers.
Misconceptions of Social Media:
- Postings on social media may be absolutely removed.
- Using social media when accessing public Wi-Fi is deemed a secure network.
- Profile data makes it easier to communicate with others; therefore, it should be filled in completely.
- Nobody has access to your sensitive or ordinary data until you permit it.
- Negative statements about employees, employers or the government cannot be accessed by anyone without your approval.
- Profile data provides hackers with a goldmine of information, the kind that lets them personalize phishing attacks.
The plausible threats arising from social media include:
- Phishing Attacks
- Fake/infected Sites
- Fake Profile and Social Engineering
- Information/ Data Leakage
- Hijack passwords and usernames
- Ruining credit score
- Request new cards and make random purchases
- Obtain cash or abuse your SSN
- Sell your information on the dark web
How do they do it?
1. They try to log in to your account using your phone number or email
2. They try the most common passwords, such as:
[Common passwords of 2k18] - 123456, football, !@#$%^&*, qwerty, admin etc.
3. The stalking/spying process
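The loopholes listed earlier (personal-information passwords, common words, predictable sequences, reuse) and the common-password guessing described just above can be turned into a self-audit. The following is an added example, not code from the original article: it checks a candidate password against a small constructed common-password set (the entries the article names), against strings derivable from a constructed sample profile, against keyboard/alphabet sequences, and against a set of passwords already used elsewhere. A real audit would load a full breached-password list in place of the small set.

```python
import re
from datetime import date

# Constructed list: the entries the article names from the 2018 common-password
# list, plus "imissyou" from the loopholes section. Replace with a full list in use.
COMMON_PASSWORDS = {"123456", "football", "!@#$%^&*", "qwerty", "admin", "imissyou"}

# Rows used to detect predictable keyboard, alphabet and digit sequences.
SEQUENCE_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                 "abcdefghijklmnopqrstuvwxyz"]


def has_sequence(pw: str, min_len: int = 4) -> bool:
    """True if `pw` contains min_len characters that run consecutively (forwards
    or backwards) along a keyboard row, the alphabet or the digits, e.g. 'qwer'."""
    low = pw.lower()
    for row in SEQUENCE_ROWS:
        for i in range(len(row) - min_len + 1):
            chunk = row[i:i + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def personal_tokens(profile: dict) -> set:
    """Strings an attacker could guess from a public profile: name parts, date of
    birth in common layouts, and the phone number or its last four digits."""
    tokens = {part.lower() for part in profile.get("name", "").split()}
    dob = profile.get("dob")
    if dob:
        tokens.update({dob.strftime("%Y"), dob.strftime("%d%m"),
                       dob.strftime("%m%d"), dob.strftime("%d%m%Y")})
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if len(digits) >= 4:
        tokens.update({digits, digits[-4:]})
    return {t for t in tokens if len(t) >= 3}


def audit_password(pw: str, profile: dict, other_passwords: set) -> list:
    """Return the loophole categories a password falls into (empty list = none)."""
    findings = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        findings.append("common")
    if any(t in low for t in personal_tokens(profile)):
        findings.append("personal-info")
    if has_sequence(pw):
        findings.append("sequence")
    if pw in other_passwords:
        findings.append("reused")
    if len(pw) < 12:
        findings.append("short")
    return findings


# Constructed sample profile; no real person's data.
SAMPLE_PROFILE = {"name": "Jane Doe", "dob": date(1990, 5, 17), "phone": "+1 555 0199"}

if __name__ == "__main__":
    for candidate in ["Jane1990!", "qwerty", "correct horse battery staple"]:
        print(candidate, "->", audit_password(candidate, SAMPLE_PROFILE, {"Summer2023!"}))
```

The profile-derived check is the part most people skip: a password that looks random to a stranger is still a one-guess password for someone who has read your public profile.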
Hacking Tactic (this is for education so YOU can prevent them)
The spying process involves:
1. Passive and active reconnaissance - information gathering that encompasses public records and watching daily routines for mistakes to exploit.
2. Enumeration and scanning, such as ports, hosts, networks and software fingerprinting.
3. Points (1) and (2) together give them collective information on the network, the devices on it, the system admin, etc.
4. With that access, they attack networks by session hijacking, spoofing, sniffing, man-in-the-middle attacks and DDoS. Furthermore, they attack hosts with malware, SQL injection, adware and buffer overflows. This way, they retrieve passwords.
5. They maintain access by hiding files (rootkits, steganography) and executing trojans and spyware, thus creating backdoors. They hide the evidence by disabling auditing and by manipulating or deleting logs altogether.
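Step 5 above, hiding evidence by editing or deleting logs, is the one a defender can make detectable. The following is an added example, not code from the original article: an account-activity log kept as a hash chain, where every entry commits to the previous entry's hash. Editing, reordering or deleting an entry in the middle breaks the chain; exporting the head hash off-host (to a log collector, for instance) also exposes entries cut from the end. The event records are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting link for an empty chain


def append_event(chain: list, event: dict) -> list:
    """Append `event` with a hash covering the event and the previous entry's hash,
    so each record commits to everything recorded before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append({"event": event, "prev": prev, "hash": digest})
    return chain


def head_hash(chain: list) -> str:
    """The latest link. Store it off-host so trailing deletions are detectable."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: list, head: str = None) -> int:
    """Return -1 if the chain is intact, else the index of the first entry that
    does not fit. Catches edited, reordered and deleted entries in the middle;
    with `head` (a previously exported head_hash), also catches entries removed
    from the end of the log."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["event"], sort_keys=True)
        recomputed = hashlib.sha256((expected_prev + body).encode()).hexdigest()
        if entry["prev"] != expected_prev or entry["hash"] != recomputed:
            return i
        expected_prev = entry["hash"]
    if head is not None and expected_prev != head:
        return len(chain)
    return -1


# Constructed sample of account-activity events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-04-01T09:00:00Z", "user": "admin", "action": "login", "ip": "203.0.113.7"},
    {"ts": "2024-04-01T09:05:00Z", "user": "admin", "action": "post", "id": 101},
    {"ts": "2024-04-01T09:30:00Z", "user": "admin", "action": "add_admin", "target": "guest"},
]


def build_sample_chain() -> list:
    """Build a fresh chain from the constructed sample events."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    exported_head = head_hash(chain)
    print("intact:", verify_chain(chain, exported_head))
    del chain[2]  # an attacker removes the add_admin event from the end
    print("trailing deletion detected at index:", verify_chain(chain, exported_head))
```

The chain does not stop an attacker with write access from deleting the whole file; it only guarantees that any surviving log either verifies or visibly does not, and that the exported head hash shows how many entries should exist.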
What was wrong with my preoccupied strategy?
This could be your homework: self-audit after the lessons above and devise a plan. Those preventative measures can then be matched against the following content, to learn or share more.
The hints would be:
- Easy passwords
- SMS-based 2FA
- Not reading the guidelines and security measures of each social media account
- Routinely sharing predictable details such as locations, events, best friends, employment status, etc.
What have I learned?
Firstly, we must see what guidelines each platform has for us and how they propose securing our account.
If you have gone through the guidelines, you may have noticed that they have little to offer. The typical controls are SSL [Secure Sockets Layer] encryption, manual comment/post review and basic 2FA methods. These default security systems have significantly less to offer.
For instance, 2FA is not available universally. It does not operate on a per-user basis, which leaves an account with multiple administrators vulnerable. Similarly, SSL doesn't reduce hacking probes: SSL is designed to encrypt communication, not to prevent an unwanted "bad" actor from getting into the account. Manual content filtering is cumbersome, i.e. open to human error and highly resource-intensive.
As mentioned before, poor password management is the biggest concern for social media managers. This is even more attractive to attackers when user accounts and simple passwords are stored in an insecure online source and shared with colleagues.
Bottom line: we can all understand the lack of protection on social media - ideally before someone loses the password list (through their own negligence) or gets infected with malware that steals the saved passwords.
To avert a phishing attack, follow these steps:
1. Limit the number of administrators and applications approved to access your social media accounts. This helps minimize your attack surface. Use a password protection program to ensure that the root credentials for your social media accounts and apps are not accessible to your employees and partners.
2. Ensure that the administrators use good passwords, and that their corporate and personal usernames and passwords are unique. Consider using a secure password vault, such as LastPass, OneLogin, etc., if there are too many passwords to remember.
3. Educate the account managers about phishing attacks that ask for their account details. Never click on links in unexpected emails or messages.
Cookie Attack: Leaving a browser window open offers hackers an ideal way to bypass the login on your social media accounts. When you join open Wi-Fi networks, these cookies are easily intercepted. If an attacker captures a cookie from one of the social networking sites, the same credentials as the logged-in administrator can be used to post or make changes.
To prevent it, apply these steps:
1. Ensure HTTPS connections are used when logging in
2. Use only authorized devices for your social media accounts, e.g. a clean computer
3. The devices used should run updated anti-malware software
4. Log out at the end of each session, and only log in from trusted machines
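Whether a session cookie can be intercepted on open Wi-Fi, read by injected script, or stay valid after the window is closed is decided by the attributes the site sets on it. The following is an added example, not code from the original article or from any social platform: a small parser for Set-Cookie header values, an audit that reports the weaknesses just described as short codes, and a builder for the hardened form. The cookie names and values are constructed.

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into name, value and lower-cased attributes.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their string."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, max_lifetime_days: int = 30) -> list:
    """Return finding codes for a login/session cookie:
    no-secure   - sent over plain HTTP, so it can be sniffed on an open network
    no-httponly - readable by script running in the page
    samesite    - SameSite missing or None, so it rides along on cross-site requests
    persistent  - Expires/long Max-Age keeps it valid long after the window closes"""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")
    if "httponly" not in attrs:
        findings.append("no-httponly")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        findings.append("samesite")
    max_age = attrs.get("max-age")
    too_long = max_age not in (None, True) and int(max_age) > max_lifetime_days * 86400
    if too_long or "expires" in attrs:
        findings.append("persistent")
    return findings


def hardened_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value with the flags a session cookie should carry:
    HTTPS-only, hidden from script, first-party only, and short-lived."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/; Max-Age={max_age}"


if __name__ == "__main__":
    weak = "sid=abc123; Path=/"                      # constructed weak cookie
    print(weak, "->", audit_session_cookie(weak))
    strong = hardened_session_cookie("sid", "abc123")
    print(strong, "->", audit_session_cookie(strong))
```

Step 1 in the list (HTTPS) only helps if the cookie also carries the Secure flag, otherwise the browser will still send it over a plain HTTP request on the same domain; step 4 (logging out) is what bounds the lifetime of a cookie the server chose to make persistent.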
Third-Party Apps
Third-party applications also go hand-in-hand with the use of social media. Social networking apps connect to your accounts through the authorization of an access token.
Such tokens also provide access to read and write comments and posts, access that persists until revoked. If an application's access-token database is unencrypted, hacked or stolen, an attacker may replay the token against the platform's API.
To mitigate this risk, reduce the number of apps installed on your account and the number of users with access.
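Reducing the number of connected apps is easier with a rule for which ones to cut. The following is an added example, not code from the original article: it sorts a constructed inventory of connected apps into revoke / review / keep based on how long the app has been idle (an idle app's token still works until you revoke it) and whether it holds write access (a leaked token could then post as you). The scope names are hypothetical; real platforms use their own.

```python
from datetime import date

# Hypothetical scope names, constructed for this example.
WRITE_SCOPES = {"posts.write", "dm.write", "account.manage"}

# Constructed inventory of third-party apps authorized on one account.
CONNECTED_APPS = [
    {"app": "scheduler-tool", "scopes": {"posts.read", "posts.write"},
     "last_used": date(2024, 1, 10)},
    {"app": "analytics-dash", "scopes": {"posts.read"},
     "last_used": date(2024, 3, 20)},
    {"app": "old-quiz-game", "scopes": {"posts.read", "posts.write", "dm.write"},
     "last_used": date(2022, 6, 1)},
]


def review_app_access(apps: list, today: date, stale_days: int = 90) -> dict:
    """Sort connected apps into three verdicts:
    revoke - not used within `stale_days`; the token is live but gives you nothing
    review - recently used but holds write scopes, so a stolen token can act as you
    keep   - read-only and in use"""
    verdicts = {"revoke": [], "review": [], "keep": []}
    for app in apps:
        idle_days = (today - app["last_used"]).days
        write_access = app["scopes"] & WRITE_SCOPES
        if idle_days > stale_days:
            verdicts["revoke"].append(app["app"])
        elif write_access:
            verdicts["review"].append(app["app"])
        else:
            verdicts["keep"].append(app["app"])
    return verdicts


if __name__ == "__main__":
    for verdict, names in review_app_access(CONNECTED_APPS, date(2024, 4, 1)).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```

Run this against the "connected apps" page of each platform on a fixed schedule; the apps in the review bucket are the ones to ask whether they truly need write access, since the platform cannot protect a token once it has left the platform.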
If it happens - take swift action
Although there may be no such thing as an impenetrable social media account, the steps above will reinforce your digital fortress, eliminate vulnerabilities, and help you respond to an attack effectively.
Want Guaranteed Protection Against SIM Swap? Reach Out to Us.