A recent paper titled ‘The dark side of Web 2.0’ by CSIR researchers Aubrey Labuschagne and Namosha Veerasamy, and Mariki Eloff of the University of South Africa outlines how seemingly insignificant data become valuable to social engineers in their targeting of victims for cyber-attacks. This article summarises the research.
As social networking has exploded around the world, communities have been created on platforms such as Facebook, Twitter and LinkedIn. From expansive photo albums, to threads of inane details of daily activities, to opinionated rants about any bugbear of the time, millions of people have eagerly been adding to their cyber playpen and shop window. But to ‘like’ or ‘poke’ someone on Facebook is not the only type of engagement happening. Not all participants in these forums are out there to chat.
People who frequent these sites generally do not realise the value of the information they divulge. They are even less aware of the tactics social engineers with malicious intent use to harvest the perceived ‘worthless’ profile data they make available on social networking platforms or that these platforms have become a hunting ground for terrorist organisations to identify potential recruits or infiltrate critical infrastructure.
How digital footprints expose people
Social media sites, including online news sites that invite users to comment on articles or posts created by other users, create digital platforms from which social engineers harvest data.
These sites are effective in communicating the personalities of users to other users. Men, it seems, are more likely than women to disclose political views, and social engineers, always on the look-out, use this information as emotional triggers or to build trust with their targets.
Social engineers convert the posts and comments from users on social news sites to text and use linguistic analysis software to identify the emotional dimensions, such as anger words and positive and negative emotions. These can determine personality traits and even gender, as males tend to use more articles (a, the), nouns, prepositions, numbers, words per sentence and swear words than females.
Cyber criminals also use writing styles, language and function words to gain insight into people’s honesty, stability and self-image and identify their social relationships, emotions and thinking styles to help them determine their personalities.
Negativity and anger are two emotional states most often used during a social engineering attack, as anger affects the user’s ability to think rationally and make logical decisions. Users on social networking sites who are prone to anger could identify themselves to social engineers on the prowl by repeatedly using negative words.
Social engineers have also bought into using ‘The Big Five’ of personality traits – openness, extraversion, conscientiousness, agreeableness and neuroticism – to profile their targets. Neurotic people, for instance, are easily stressed and upset – a trait that social engineers exploit with ease.
Unwittingly, people leave their digital footprints across many platforms that provide cyber prowlers with lucrative sources of reliable and valid data about their potential victims – information that undoubtedly improves the success rate of a cyber-attack.
Clearly, many users do not understand or use the privacy control measures on social networking sites such as Facebook, where these measures are constantly updated. With no security measures to bypass, attackers easily harvest personal data. Cyber criminals combine data collected from different platforms to create cyber-attacks.
Users who make the list of their friends public are also more prone to ‘evil twin attacks’ from social engineers who use rogue profiles that impersonate legitimate profiles to make friend requests. Often users implicitly trust profiles as they appear to be legitimate people. Victims trust the familiarity of the ‘friend’ and provide information, such as the name and photograph of a trusted friend.
The threat of a cyber-attack can be mitigated through security awareness training about the dangers of divulging personal information in the public domain. Knowledge about the techniques cyber criminals use to identify victims and create attacks could provide individuals with mechanisms to protect themselves against threats from cyberspace.
Awareness about the purpose and use of privacy setting controls on social networking sites, such as Facebook, can prevent social engineers from gathering information. Facebook and similar sites continuously update their control measures to protect their users, but only a few users use them. Users should not implicitly trust communication from other contacts on social networking sites, as the platform inherently provides for a high degree of anonymity. This implies that a user cannot always verify the identity of the source of the communication.
Users need to be aware of the digital footprint created with every post, reply or comment made in cyberspace. Furthermore, if multiple profiles are created on different social networking platforms, information could also be linked together. Users should thus evaluate the information created within this space as this could be used to profile them. This includes location, interests, activities as well as personality traits.
There is no doubt that people’s digital footprints on social networking sites can be used to create attack vectors that can get into computer systems to cause harm. Naïve users with a false sense of security are especially exposed to the nefarious intent of social engineers.
While social media have their advantages, there is a lot more happening in cyberspace than linking and tweeting.