#BHUSA: Increase Social Media Awareness With Active and Passive Testing
Speaking on “Testing Your Organization's Social Media Awareness” at Black Hat USA, Jacob Wilkin, network penetration tester and application security consultant at Trustwave SpiderLabs, said that social media phishing is on the rise and is now the “preferred vector for attackers,” who spread more malware via social media than via email.
“You’re three times more likely to get click-throughs on social media, and this is important as companies move to BYOD models and people have devices at home and use social media and bring them into work environments,” he said.
Wilkin highlighted a passive testing tool that he released last year at the Black Hat Arsenal called “Social Mapper,” which allows you to “feed in a LinkedIn company name and it releases names and images of people at the company.” This will then deliver the names of employees who have been found online.
“This is less intrusive as you don’t interact with profiles; you identify them but are not testing them, and you don’t know if they accept connection requests or clicked on links,” he said. Instead, you get a report detailing people who are recognized as working at a company, and their corresponding social media accounts, identified via facial recognition.
To follow up, this week he released an active testing tool called “Social Attacker,” which requires creating a fake social media account, logging into a social media site, feeding in the Social Mapper results and sending connection or friend requests to those people in order to deliver a phishing test message. This produces a report at the end showing which profiles accepted the request and who clicked on what, with a timestamp.
To better protect themselves, Wilkin recommended that social media users not use the same name across websites, not accept connections or messages from people they don’t know and, in a more extreme case, not put a picture on their social media profile.
“As attackers pivot, it is important to raise awareness and encourage social media sites to prevent and detect attacks and review laws to consider permitting security testing,” he concluded.
Source: Information Security Magazine