Happy Humpday, my fellow readers!
Last night, while replying to one of my Twitter feeds, I noticed a series of peculiar patterns and started connecting the dots: the hacker community was “conventionally” targeting not only influencers but the accounts of anonymous (ordinary) individuals as well.
I wondered why. It also reminded me of a time when I suspected something was going on with my own online accounts, beyond social media. The trauma, and the first signs, of losing an account are something many of us can relate to.
Have you ever been a victim of any hack, especially social media?
Well, I have felt that eerie nausea myself. That is why I intend to write up practices that are easy to deploy and that mitigate the risk of this unfortunate occurrence.
So I decided to bring together the common techniques that victims discovered and learned from their past experiences. The article is structured around four questions:
1. What actually happened?
2. How do you figure out it happened?
3. What was wrong with my preoccupied strategy?
4. What have I learned?
Before I start…
NOTE: We do not include any screenshots found during the Twitter search. We respect privacy and refrain from exploiting this exercise.
What actually happened?
There is nothing worse than working hard to build a following and then being locked out of your account because it got hacked! During lockdown, social media distracted us (and still does) with funny videos, but it also exposes us to spammers, scammers and hackers.
So what are the common loopholes?
- Passwords based on personal information, such as date of birth or phone numbers.
- Frequently used words as passwords, such as “imissyou”.
- Predictable sequences, such as “qwerty” or “abcdef2341”.
- Reused passwords, e.g. the same password on Gmail and on social platforms.
- SMS-based (text message) 2FA.
Pro Tip: Don’t PANIC; drink some water. It is largely a matter of common sense across the branches of social media: Twitter, Instagram, Facebook and LinkedIn.
How do you figure out it happened?
A classic example is the famous hack of Mr. Dorsey’s account, which was due to SIM swapping. I won’t go into details here, but a little recap will do wonders. SIM swapping (a form of identity theft) is a technique in which the hacker takes possession of the victim’s phone number by having the carrier transfer it to a new SIM card. They typically impersonate you or bribe customer support staff.
That is how they blasted out tweets via the SMS posting option. Alarmingly, this is NOT the only way they can hack you! Let’s look at the other ways they could get into your account. Here is a handful of information:
1. Social Engineering
2. Misconceptions of Social Media
3. How do they do it?
4. Hacking Tactic (this is for education so YOU can prevent them)
Let’s begin with the first fancy term: SOCIAL ENGINEERING
Social engineers rely on the fact that individuals know their information is valuable yet are careless about protecting it. Social engineering is a technique hackers use to lure victims into disclosing sensitive details.
That enables hackers to:
- Infect devices with malware
- Direct you to compromised sites
- Use your system by other means, such as botnets
Quick Question: Why do you think Mr. Dorsey’s account was hacked?
- Steal bucks
- Fun or Fame
- Spread political agendas
It could be any of these, and unfortunately we can fall onto this radar very easily.
So it doesn’t matter who you are; hackers are always after you. The plausible reasons are:
- Hackers are on the hunt, looking closely for flaws in our PCs, devices or networks.
- They have a sophisticated understanding of programming languages.
- When it comes to hacking, it takes patience and loads of technical knowledge.
- People use common passwords and share them online.
- Hacker-accessible tools make it easy to crack these passwords.
- Your online footprint gives hackers quick access.
Misconceptions of Social Media:
- Posts on social media can be completely removed.
- Public Wi-Fi networks are secure enough for using social media.
- Profile data makes it easier to communicate with others, so it should be filled in completely.
- Nobody has access to your data, sensitive or otherwise, until you permit it.
- Negative statements about employees, employers or the government cannot be seen by anyone without your approval.
- In reality, profile data is a goldmine for hackers, the kind of information that lets them personalize phishing attacks.
The plausible threats arising from social media include:
- Phishing Attacks
- Fake/infected Sites
- Fake Profile and Social Engineering
- Information/ Data Leakage
- Hijacked passwords and usernames
- Ruined credit scores
- New cards requested and random purchases made in your name
- Cash obtained or your SSN abused
- Your information sold on the dark web
How do they do it?
1. They try to log in to your account using your phone number or email address.
2. They try the most common passwords, such as (common passwords of 2018): 123456, football, !@#$%^&*, qwerty, admin, etc.
3. The stalking/spying process
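As an added example (not code from the original post), here is a small Python checker for the loopholes listed earlier and the common-password guessing described here: common passwords, predictable keyboard runs, personal details such as a date of birth or phone number, and the same password reused across accounts. The password list, keyboard rows and personal details in it are constructed samples.

```python
import hashlib
import re

# Constructed sample of common passwords (the ones the article cites); load a full list in practice.
COMMON_PASSWORDS = {"123456", "football", "!@#$%^&*", "qwerty", "admin", "imissyou"}
# Keyboard rows and the alphabet, for spotting predictable runs like "qwerty" or "abcdef".
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "abcdefghijklmnopqrstuvwxyz"]

def has_predictable_run(pw, min_len=4):
    """True if pw contains min_len adjacent keys of a row, forwards or backwards."""
    p = pw.lower()
    for row in SEQUENCES:
        for i in range(len(row) - min_len + 1):
            run = row[i:i + min_len]
            if run in p or run[::-1] in p:
                return True
    return False

def uses_personal_info(pw, personal):
    """True if pw embeds a listed name, or any 4 consecutive digits of a DOB or phone number."""
    p = pw.lower()
    for item in personal:
        digits = re.sub(r"\D", "", item)  # "1990-05-14" -> "19900514"
        if item.lower() in p or any(digits[i:i + 4] in p for i in range(len(digits) - 3)):
            return True
    return False

def audit_password(pw, personal=()):
    """Return the weaknesses found, in the order the article lists them; [] means none."""
    findings = []
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if has_predictable_run(pw):
        findings.append("predictable sequence")
    if uses_personal_info(pw, personal):
        findings.append("personal information")
    return findings

def find_reuse(accounts):
    """Group account names that share one password, comparing digests rather than plaintext."""
    groups = {}
    for site, pw in accounts.items():
        groups.setdefault(hashlib.sha256(pw.encode()).hexdigest(), []).append(site)
    return sorted(g for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    me = ["Alice", "1990-05-14", "+1 555 0199"]  # constructed personal details
    for pw in ["alice1990!", "qwerty", "Abcdef2341", "c0rrect-Horse-Batt3ry"]:
        print(pw, "->", audit_password(pw, me) or "no issues found")
    print(find_reuse({"gmail": "imissyou", "twitter": "imissyou", "bank": "Zq7!vX9kLm2p"}))
```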
Hacking Tactic (this is for education so YOU can prevent them)
The spying process involves:
1. Passive and active reconnaissance: information gathering that covers public records and observation of daily routines, looking for mistakes to exploit.
2. Enumeration and scanning: ports, hosts and networks, plus software fingerprinting.
3. Points (1) and (2) together yield information about the network, the devices in use, the system administrators, etc.
4. With that knowledge they attack networks through session hijacking, spoofing, sniffing, man-in-the-middle attacks and DDoS. They attack hosts with malware, SQL injection, adware and buffer overflows. This is how they retrieve passwords.
5. They then maintain access by hiding files (rootkits, steganography) and running trojans and spyware, creating backdoors. They hide the evidence by disabling auditing and manipulating or deleting logs altogether.
What was wrong with my preoccupied strategy?
This could be your homework: self-audit against the lessons above and devise a plan. You can then compare your preventative measures with our next piece to learn more or share more.
Some hints:
- Easy passwords
- SMS-based 2FA
- Not reading guidelines and security measures of each social media account
- Habitually sharing predictable details such as locations, events, best friends, employment status, etc.
What have I learned?
Firstly, we have to look at the guidelines each platform offers and how they propose to secure our accounts.
If you have gone through the guidelines, you may have noticed that they offer very little: the typical controls are SSL (Secure Sockets Layer) encryption, manual review of comments and posts, and basic 2FA methods.
For instance, 2FA is not universally available, and it does not operate per user, which makes accounts with multiple administrators vulnerable. Similarly, SSL does not reduce hacking attempts: it is designed to encrypt communication, not to keep an unwanted “bad” actor out of the account. Manual filtering of content is cumbersome, i.e. open to human error and highly resource intensive.
As mentioned before, poor password management is the biggest concern for social media managers. The exposure grows when account names and simple passwords are stored in an insecure online location and shared among colleagues.
Bottom line: we can all understand the lack of protection on social media. It is only a matter of time before someone loses the password list (through negligence) or gets infected with malware that steals the saved passwords.
To avert a phishing attack, follow these steps:
1. Limit the number of administrators and applications approved to access your social media accounts. This helps minimize your attack surface. Use a password protection program to ensure that the root credentials for your social media accounts and apps are not accessible to your employees and partners.
2. Ensure that administrators use strong passwords and that their corporate and personal usernames and passwords are unique. Consider a secure password vault, such as LastPass or OneLogin, if there are too many passwords to remember.
3. Educate account managers about phishing attacks that ask for their account details. Never click on links in such emails or messages.
Cookie Attack: Leaving a browser window open offers hackers an ideal way to bypass the login on your social media accounts. When you join open Wi-Fi networks, these session cookies are easily intercepted. If an attacker intercepts a cookie set by one of the social networking sites, the logged-in administrator’s session can be used to post or make changes.
In order to prevent it, apply these steps:
1. Ensure HTTPS connections are used when logging in
2. Only access your social media accounts from authorized sources, e.g. a clean computer
3. The devices used for the process should run up-to-date anti-malware software
4. Log in and log out of sessions deliberately, and only from trusted machines
Third-Party Apps
Third-party applications also go hand in hand with social media use. Social networking apps connect to your accounts through an authorized access token.
Such tokens also grant read and write access to comments and posts, access that persists until revoked. If an application’s access token database is unencrypted, hacked or stolen, an attacker can present the token to the platform’s API.
To mitigate this risk, reduce the number of apps connected to your account and the number of users with access.
If it happens – take swift action
You can regain control through the following:
1. Facebook: https://www.facebook.com/hacked
2. Twitter: https://help.twitter.com/forms/signin
3. Instagram: https://help.instagram.com/
4. LinkedIn: https://www.linkedin.com/help/linkedin/answer/
5. YouTube: https://support.google.com/youtube/answer/
Although there may be no such thing as an impenetrable social media account, the steps above will reinforce your digital fortress, eliminate vulnerabilities, and help you respond to an attack effectively.