
What Hackers Can Learn About You From Your Social-Media Profile

That post you ‘liked’ on Facebook? Your alma mater on LinkedIn? They are all clues that can make you—and your company—vulnerable.

That cute photo of your fluffy Lagotto Romagnolo on Instagram. The TikTok video of your team finally back together in the office. An alma mater highlighted on your LinkedIn page.

Armed with all that publicly available intel, a cybercriminal can cobble together a profile of you—and use it in countless ways to break into your company’s network.

They might craft an email tailored to your interests (“Hello fellow dog lover!”) that gets you to click on a dubious link, inadvertently giving them access to the network, or to hand over insider details about service providers like your health-insurance company, so they can launch a ransomware attack.

Or they might pretend to be you to trap somebody else at your business (“Hey, it’s Cindy’s birthday next week, click on this link to accept the invite to her party.”). And so on.

“About 60% of the information I need to craft a really good spear phish is found on Instagram alone,” says Rachel Tobac, chief executive officer of SocialProof Security, a hacker-led vulnerability-assessment and training firm. By scouring somebody’s social-media accounts, she says, “I can usually find everything I need within the first 30 minutes or so.”

It isn’t just things that you post, either. “Every ‘like’ you make on Facebook and heart you tap on Instagram can be aggregated together to paint a fairly clear picture of who you are and what you are into,” says Carrie Gardner, a cybersecurity engineer and leader of the Insider Risk Team at Carnegie Mellon University’s Software Engineering Institute.

The potential for attack is even greater given data breaches like the recent hacks at Facebook and LinkedIn, which exposed hundreds of millions of users’ personally identifiable information. Then there’s the fact that so much of this criminal snooping is done automatically: Hackers can use powerful AI and software tools to scan social-media accounts at incredible speeds looking for details.

“We can actually automate all that reconnaissance using AI, which criminals are increasingly doing at scale in hopes of finding a lucrative victim,” says Aaron Barr, chief technology officer of PiiQ Media, a social-media threat-intelligence and risk-analytics company.

We asked security experts what social-media users can do in terms of what they post online to keep from compromising their companies’ networks. Here is what they had to say.

Think Twice About What You Post. Then Think Again

This is a classic piece of advice for protecting your online security, but it bears repeating. Stop posting private information on public platforms—things like travel plans, personal interests, details about family members or specific news about a work product.

All of that information can be used to gain your trust or deceive your co-workers. For instance, a hacker might find out personal histories from your social media, then send a phishing email that says things like: “I’m sorry about your parents’ passing. I feel like I remember you wore sweaters your Mom made at school.”

Even the smallest details, which malicious actors will certainly aggregate from more than one platform, may be unintentionally revealing. Take off your employee ID in photos so hackers can’t use yours as a model to create their own, says Ms. Tobac.

Don’t geotag images: Geotags tell threat actors where you have recently been, which is just the sort of kernel needed to send a malware-embedded survey about last week’s hotel stay. They can also search Twitter for tags like “#LifeAtCompany” to get intel on you or your business.

And, in photos, “move a bit away from the workstation,” Ms. Tobac says; a screen in the background easily reveals which software you’re using, so bad guys can customize phishing attempts. Also, she adds, “You’d be surprised how often I see a Post-it Note with a username and password hanging there. Then I’m in.”
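The geotag advice above is easy to act on before a photo leaves your phone: the location is stored in the GPS sub-IFD of the JPEG’s Exif block, and dropping that block removes it. The following is an added example, not code from the article or from the firms quoted in it. It walks a JPEG’s segments without any imaging library, reports the coordinates if a GPS IFD is present, and returns a copy with the Exif segment removed; the sample JPEG is constructed in code (a synthetic Exif block, not a real photo), and the tag numbers used (0x8825 for the GPS IFD pointer; 1 to 4 for latitude/longitude and their N/S, E/W references) are the standard Exif ones.

```python
import struct

# Added example, not from the article: a minimal JPEG/Exif walker that reports
# whether a photo carries GPS coordinates and strips the Exif segment before the
# file is shared. The sample JPEG at the bottom is constructed in code.

GPS_IFD_POINTER = 0x8825  # standard Exif tag pointing at the GPS sub-IFD


def _segments(jpeg: bytes):
    """Yield (marker, offset, total_length) per JPEG segment; SOS..EOI is one chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS or EOI: scan data follows, no more metadata
            yield marker, pos, len(jpeg) - pos
            return
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, 2 + seglen
        pos += 2 + seglen


def _exif_tiff(jpeg: bytes):
    """Return the TIFF block inside the APP1 Exif segment, or None."""
    for marker, off, length in _segments(jpeg):
        if marker == 0xE1 and jpeg[off + 4:off + 10] == b"Exif\x00\x00":
            return jpeg[off + 10:off + length]
    return None


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value field)}."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _dms(tiff: bytes, valfield: bytes, e: str) -> float:
    """Read the three RATIONALs (deg, min, sec) at the offset in valfield as decimal degrees."""
    off = struct.unpack(e + "I", valfield)[0]
    v = struct.unpack(e + "6I", tiff[off:off + 24])
    deg, mn, sec = (v[i] / v[i + 1] for i in range(0, 6, 2))
    return deg + mn / 60 + sec / 3600


def extract_gps(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if the photo has no GPS data."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"  # byte order declared in the TIFF header
    ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0], e)
    if not all(tag in gps for tag in (1, 2, 3, 4)):  # LatRef, Lat, LonRef, Lon
        return None
    lat = _dms(tiff, gps[2][2], e)
    lon = _dms(tiff, gps[4][2], e)
    if gps[1][2][:1] == b"S":
        lat = -lat
    if gps[3][2][:1] == b"W":
        lon = -lon
    return lat, lon


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its APP1 Exif segment; every other segment is kept."""
    out = bytearray(jpeg[:2])
    for marker, off, length in _segments(jpeg):
        if marker == 0xE1 and jpeg[off + 4:off + 10] == b"Exif\x00\x00":
            continue
        out += jpeg[off:off + length]
    return bytes(out)


def build_sample_jpeg() -> bytes:
    """Constructed input: tiny little-endian Exif block geotagged at 40°26'46\"N 79°58'56\"W."""
    e = "<"
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 4)
    gps += struct.pack(e + "HHI", 1, 2, 2) + b"N\x00\x00\x00"  # GPSLatitudeRef
    gps += struct.pack(e + "HHII", 2, 5, 3, 80)                 # GPSLatitude  -> rationals at 80
    gps += struct.pack(e + "HHI", 3, 2, 2) + b"W\x00\x00\x00"  # GPSLongitudeRef
    gps += struct.pack(e + "HHII", 4, 5, 3, 104)                # GPSLongitude -> rationals at 104
    gps += struct.pack(e + "I", 0)
    lat = struct.pack(e + "6I", 40, 1, 26, 1, 46, 1)
    lon = struct.pack(e + "6I", 79, 1, 58, 1, 56, 1)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + lat + lon
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + 6 + len(tiff)) + b"Exif\x00\x00" + tiff
    comment = b"\xff\xfe" + struct.pack(">H", 2 + 7) + b"comment"  # unrelated segment that must survive
    return b"\xff\xd8" + app1 + comment + b"\xff\xda\x00\x02\x12\x34\xff\xd9"


SAMPLE_JPEG = build_sample_jpeg()

if __name__ == "__main__":
    print("before:", extract_gps(SAMPLE_JPEG))
    print("after: ", extract_gps(strip_exif(SAMPLE_JPEG)))
```

Removing the whole Exif segment is the safe choice: it also drops the camera serial number and thumbnail, which can carry their own clues. On real files the same result comes from an established tool such as `exiftool -all= photo.jpg`; the point of the block is to show what is being removed and to give a check that it is gone.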

Stop Sharing Your Work Email

One of the easiest ways for hackers to do mischief in a company network is to compromise your email account to send phishing messages. And one of the easiest ways to stop these crooks is to make sure they don’t get your address in the first place.

That means using your work email for work only and never openly on your social-media profiles. In theory, this is easy: On sites like LinkedIn and Facebook, users can keep their emails invisible to anyone but themselves. But most people continue to make them public, thus leaving personal contact information open to data-mining firms or malicious actors.

The consequences can be alarming. Furnished with your email, an attacker can use spear phishing to infect other employees, exploit the company’s defense perimeter and potentially gain access to other employees—or spy on a company’s internal communications.

In one common type of attack, called a payment-diversion-fraud scam, criminals get access to the email of an executive who approves invoices and then keep an eye on his or her message traffic, says Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, the research arm of the cybersecurity solutions firm Fortinet.

When a juicy invoice comes through, “they can change the wire-transfer instructions to go to an offshore account. And social media played a starring role in that,” he says.

Mr. Barr suggests that people have at least four email addresses—one for personal messages, one for work, one for spam and one just for social media—and, furthermore, that they never use their work email for anything else. (Of course, you shouldn’t use the same password for all of them, and you should change those passwords frequently—preferably adding multifactor authentication to make it even tougher for crooks.)

Use Different Profile Pictures On Different Platforms

AI and powerful software programs can quickly search social-media accounts looking for profile-picture matches, as well as other common characteristics (username, friends, interests) across accounts, says Mr. Barr.

For instance, if someone uses the same profile picture on Instagram and Pinterest, the AI can tell that the accounts belong to the same person, even if the usernames are different. Hackers can then build up a huge trove of information about you to impersonate you more effectively to your co-workers.

Fortunately, there’s one simple line of defense: Whenever possible, don’t use photos of you or people you know in profile pictures.

“If your profile image is not a photo of your kids or your spouse or you, then it makes it difficult for an attacker to make a positive correlation across platforms,” says Mr. Barr.

Keep Your Cool On Dating Sites

It is completely normal and even expected to share intimate details through dating apps. So, users typically don’t consider what could happen should that information fall into the hands of malicious actors.

It is a good idea to limit your share group and do a gut-check to decide whether or not what you are posting today might be leveraged against you later—say, using blackmail to coerce you into releasing sensitive information, such as your work credentials.

Cyber attackers are patient and persistent, says SocialProof Security’s Ms. Tobac: “They might hold back, quietly continue to try to get more and more access, and wait months for the right time and attack.”

If you’ve posted anything that could come back to haunt you, take it down—but best not to post it in the first place, since everything on the internet lives forever. And once you’ve made a connection, consider vetting your suitor through some online searches and then continuing the conversation over a different channel.

“The pictures we share, the descriptions we give, the conversations we have when we think it’s just the two of us…it’s worth thinking about when the right moment is to move all that over to a more secure place like Signal or even a phone call,” Ms. Gardner says.

Sanitize Your Online CV

Information you post on a job-search site can be valuable to criminals looking to get intel on you or a company. So, if you can get away with it, don’t do things like list a former employer or school by name, says Mr. Barr.

“Unless I’m trying to find a job, I’m not sure it’s critical that people know I went to Old Dominion University, so I just make it generic and say ‘Major University,’ the years I attended, and my major.” Along with that, you should remove phone numbers and email addresses, while displaying skill sets and types of jobs you’ve held.

Should you be on a quest for a new gig, Mr. Barr suggests posting a fully loaded CV for a period, then taking it down once the job hunt is completed. What’s more, don’t send any information to people who ask for it unless you confirm their identity.

Mr. Manky advises job seekers to apply what he calls a “zero-trust model.” That includes looking up the person who contacted you, going to their company website to make sure it is legitimate and that it links back to the correct domain, and trying not to fall prey to flattery.

“A cybercriminal will try to excite a candidate, saying that this is a perfect fit,” Mr. Manky says. “Oftentimes, the recruiter is pushy or a job is offered without an interview. Those are big red flags.”
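The “links back to the correct domain” part of that zero-trust check can be made mechanical. Below is an added example, not code from the article or from Fortinet: it takes a link from a recruiter’s message and the company domain you looked up yourself, and flags the three substitutions that catch people most often, the real domain buried inside a longer hostname, a one-character lookalike, and a punycode or non-ASCII host. All domains in it are constructed placeholders, and `registrable_domain` is a deliberate simplification (last two labels) where a production check would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Added example, not from the article: check whether a link in a recruiter's
# message really points at the company domain you verified independently.
# All domains below are constructed placeholders.


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: a real check uses the Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url: str, expected_domain: str) -> dict:
    """Compare the link's host with the domain you looked up yourself, not one from the message."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if not host:
        return {"verdict": "suspicious", "host": host, "reasons": ["no hostname in link"]}
    if parts.scheme != "https":
        reasons.append("link is not https")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII characters in hostname (possible homoglyphs)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname (possible homoglyphs)")
    reg = registrable_domain(host)
    if reg != expected:
        if expected in host:
            # e.g. example-corp.com.jobs-portal.test: the real name is just a subdomain label
            reasons.append(f"'{expected}' appears inside unrelated domain '{reg}'")
        elif _edit_distance(reg, expected) <= 2:
            reasons.append(f"'{reg}' is a lookalike of '{expected}'")
        else:
            reasons.append(f"link goes to '{reg}', not '{expected}'")
    return {"verdict": "ok" if not reasons else "suspicious", "host": host, "reasons": reasons}


if __name__ == "__main__":
    company = "example-corp.com"  # constructed: the domain you looked up yourself
    for link in [
        "https://careers.example-corp.com/apply",
        "http://example-corp.com.jobs-portal.test/apply",
        "https://examp1e-corp.com/apply",
        "https://xn--exmple-corp-0va.com/apply",
    ]:
        print(link, "->", check_link(link, company))
```

The expected domain must come from your own lookup (a search engine, a known contact, the company’s listing on a site you already trust), never from the message itself; a check that compares a link against a domain supplied by the same sender proves nothing.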

Vet People Before Accepting Requests

Likewise, not everyone who reaches out with a friend request or invite on social media is who they claim to be. The request may be coming from someone looking to worm into your professional network to pilfer trade secrets, disrupt your systems, steal your identity or just harm your public reputation or brand. That’s why it pays to do some due diligence on that person.

PiiQ’s Mr. Barr remembers doing a security test for a tech company’s chief technology officer. With a little homework, he figured out where the executive went to high school.

“Then I got onto, and I found one or two peers who didn’t have Facebook accounts,” Mr. Barr says. He posed as one of those high-school peers, created a fake account and sent the victim a friend request—which he accepted.

Mr. Barr then had access to every breadcrumb available on the CTO’s Facebook profile. All of that could help him gain enough intel and trust to launch a well-crafted spear-phishing attack.

“Vulnerabilities can come from anywhere,” says Mr. Barr. “Social media is still the Wild West.”
