CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
In this digital age, it is unlikely that one would not have an online presence. The Internet has transformed our everyday lives in the way we live and connect with others. We are deeply reliant on the Internet for services related to banking, utilities, transport and e-commerce, some we use on a day-to-day basis. As far as usage numbers are concerned, however, our attraction to social media platforms is even more pronounced, with half of the world’s population already users. Unfortunately, with social media virtually a staple in our lives, threat actors are also exploiting the information shared on various platforms.
This issue of CyberSense looks at the security implications surrounding social media. For the intent of this article, we consider the social media as websites and applications used for content sharing or social networking purposes (e.g. Facebook, LinkedIn, Instagram, etc.).
"OVERSHARING" ON SOCIAL MEDIA?
According to a study by security firm Tessian, 84% of social media users have posts at least once a week, with half of this group posting daily. While virtually all platforms allow users to post information in some way or form, some may possess default privacy settings that leave users more prone to sharing their information publicly. Although users have the option to control what is being shared, the majority of the users will likely leave the permission settings as default.
The prevalence of social media and the often-loose privacy settings have presented cybercriminals and other threat actors the opportunities to study targets in depth – their online profiles, behaviours and connections. This is significant as our social media posts (be they check-in locations, family photos, status updates, etc.) allows others the opportunity to glean information about our personal and professional lives. Attacks can be tweaked and tailored accordingly based on this information to increase their success rates. The vast pool of users has resulted in an immense amount of data being available to cybercriminals and other threat actors.
Even if the user profiles were kept private, their personal information is still stored within the databases of social media platforms and is very much susceptible to data exposure if the platforms were compromised.
CASE STUDY: FACEBOOK DATA LEAK
One does not have to look too far back to be reminded of the significance and scale of social media database exposure. On 4 April 2021, the personal data associated with 533 million Facebook users worldwide was leaked on a forum popular with cybercriminals for free. The leaked dataset includes personal information such as mobile numbers, Facebook IDs, names, e-mail addresses, birth dates and biographical information, including those of Facebook’s founder, Mark Zuckerberg, as well as other global personalities and luminaries who own Facebook accounts.
Facebook said that the leaked dataset was the same as a previous data leak from the company back in September 2019, in which a software vulnerability allowed data associated with more than 400 million Facebook profiles to be harvested by automated scripts. However, as personally identifiable information (PII) – such as e-mail addresses, names, dates of birth and phone numbers – are unlikely to change over time, the leak will remain relevant to cybercriminals and threat actors alike. In other words, the loss of PII may impact victims beyond the immediacy of the data breach.
DATA THEFT VS. DATA SCRAPING
Even if the personal information on social media databases were not stolen, it can still be collected and amassed through data scraping. While data theft is undoubtedly illegal everywhere in the world, the legitimacy of data scraping is less clear cut.
Data scraping is simply the process of importing information from websites (that allow it) into a database; it allows companies to optimise their needs and increase productivity through processes such as market research and business intelligence. Many tech giants have in fact been proponents of data scraping. Through their suite of products and applications, these companies have controversially been known to harvest customer data and build dossiers of individuals. This repository of data could then be monetised to the company’s advantage as they drive targeted advertising towards its users.
The legality of data scraping is inconsistent across countries, but we must understand that for social media databases, both data theft and data scraping can function only because they are fuelled by personal information that we provide. We must realise that the moment we sign up for social media platforms or other web services, we put our personal information at risk.
Data accrued from the enormous user bases of social media platforms make them obvious targets for cyber threat actors, whom covet the data for motivations ranging from cyber espionage, identify spoofing, to financial gain. Some of the key cybersecurity and cybercrime concerns are as follows:
- Cybercriminals and other threat actors would now be able to spoof entities to carry out spear-phishing and business e-mail compromise (BEC) attacks that are tailored to specific victims. The more information leaked on the victim, the more convincing the phishing lure or spoofing attempt would be.
- Threat actors may be able to commit identify theft on a grand scale, including hijacking of online accounts and SIM-swapping attacks, especially if information, such as mobile numbers and email addresses along with personal details, was divulged. In fact, hijacked accounts may be used for a variety of purposes, such as the case of more than 1,000 accounts of the online game Roblox being hacked, and allegedly used to support Donald Trump during the US Presidential Election in 2020.
- The information may be used by criminals to perpetuate scams through calls, SMS and instant-messaging services like WhatsApp. The leaked data could, for example, be leveraged for banking or “tech-support” scams, in which criminals can use a combination of PII and contact details to trick victims into revealing their one-time-pin (OTP) or other sensitive information.
CYBER SAFETY IS A PERSONAL RESPONSIBILITY
To this end, we must exercise due diligence in safeguarding our personal information. There is a need to constantly arm ourselves with information about the cyber risks and be mindful about the types of information that we share in the digital space. Tips on how we can protect ourselves on social media can be found in this SingCERT advisory.
BeyondTrust, Bromium, Cyberint, Dark Reading, Privacy Affairs, Tessian, US Cybersecurity Magazine, Versprite