Social media by its very nature is meant to be social. That is part of its appeal and, in particular Twitter and Facebook, social media websites are the perfect mediums for the spread of news and gossip in the 21st century.
Who could forget the rolling coverage of the Arab Spring by Twitter users on the ground, or the speculation surrounding MH17? This instant connection and access to information, while useful and highly addictive, can be easily turned against the masses. Facebook and Twitter, as unarguably the most used, are particularly easy to appropriate for nefarious uses.
Psychological triggers are a good way of understanding behavior on social networks, and the one exploited most often by attackers is known affectionately as “the strong effect.” This is an emotional trigger that plays on a victim’s mental state, heightened by fear, panic, excitement or grief, to get them to take action. Current events that impact on large numbers of people (for example the previously mentioned Arab Spring and MH17 events) are the best lures for this type of attack.
One of the best and most-studied examples comes from the death of Whitney Houston in 2012. Quickly, trending hashtags such as ‘#RIPWhitneyHouston’ or ‘#RIPWhitney’ were targeted by scammers jumping on the information bandwagon with “shocking” or “exclusive” videos about the event. These links often contained malware or led the unsuspecting victim to sites that leave the user open to survey scams or click-fraud.
Given the emotional state of some of her fans, as well as the public’s general appetite for new information, criminals were able to earn advertising revenue and compensation for the theft of information from visitors. The type of exposure for victims can range from simple inconvenience to the unsuspected installation of all kinds of viruses and malware.
It is precisely by targeting an information vacuum that develops in the wake of breaking news, or just by taking advantage of people’s morbid and/or lustful curiosity, that the scammers and criminals can easily manipulate victims into clicking dangerous links.
It is hard to think of ways that this kind of attack surface can be mitigated because the cause of the problem is just “humans … acting like humans, links are clicked, information is freely given away, and files are downloaded and installed.” Awareness programs can help, but they can only do so much. “As long as there are people who are willing to click on links, these types of attacks will remain valid points of entry.”
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”