Beyond phishing: Hackers now hiding cyber attacks in social media messages
It took only one attempt for Russian hackers to get into the computer of a Pentagon official.
But the attack did not come through an e-mail or a file buried within a seemingly innocuous document. A link, attached to a Twitter post put out by a robot account, promised a family-friendly vacation package for the summer. It was the kind of thing anyone might click on, according to the official hit by the attack, who was not authorised to speak publicly about it.
That is exactly the problem, Pentagon experts said. While corporations and government agencies are training their staff to think twice before opening anything sent by e-mail, hackers have moved on to targeting social media accounts, where people are more trusting.
Pentagon officials are increasingly worried that state-backed hackers are using social media sites such as Twitter and Facebook to break into Defence Department computer networks. And the human error that causes people to click on a link in an e-mail is exponentially greater on social media, the officials said, because people more likely consider themselves among friends.
Once one person is compromised, attacks can move quickly through that person's friend network, leading to what the officials described as a nightmare situation in which entire departments at the Pentagon could be targeted.
And while the problem is known, training about how to spot an attack that comes through Twitter and Facebook remains limited.
Another official, who spoke on the condition of anonymity, said it means teaching an entire department to be wary of anything sent to it - even if the message appeared to come from family or a friend.
While last year's hacking of senior Democratic Party officials raised awareness of the damage caused if just a handful of employees click on the wrong e-mails, few people realise that a message on Twitter or Facebook could give an attacker similar access to their system and that accounts can be spoofed or imitated so it appears that the attacker is a trusted friend.
"Spear phishing" - the act of sending a malicious file or link through a seemingly innocuous message - is hardly new. But Pentagon officials said the current scale of spear phishing attacks is unlike anything they had ever seen.
Spear phishing attackers could gather intelligence too. By watching soldiers posting online, attackers could watch location changes to discern troop movements or engage directly in conversations to try to ferret out military decisions.
Simply by looking at public posts, attackers can easily see if an account has mentioned a certain band or sports team often, then tailor a message pointing to tickets going on sale for an event. On Facebook, an attacker can see which groups have been joined, or which public pages have been liked.
(A version of this article appeared in the print edition of The Straits Times on May 30, 2017, with the headline 'Hackers now hiding cyber attacks in social media messages')
For professional assistance dealing with Cyber Security, Governance, Policy, Risk Management, Security Technology or related education and training matters, contact us at: www.abclive.ca