The massive global influence of social media platforms such as Twitter and Facebook is testing our personal privacy to the limits. This is perhaps not surprising. The platforms have mass appeal, attracting everyone from the average person in the street to the President of the United States of America.
With wide-scale adoption comes privacy and security issues. As users flock to a platform, cybercriminals follow.
Perhaps the most infamous privacy breach on a social media platform in recent years was the Facebook/Cambridge Analytica scandal. Data breaches, however, can take many forms, and more recently, cybercriminals have reached new heights of innovation in misusing social platforms for fraudulent purposes.
In July 2020, hackers performed a series of account takeovers involving several high-profile Twitter users, including Barack Obama. Once the fraudsters had control of the accounts, they used them to promote a bitcoin scam. Because the accounts belonged to well-known celebrities trusted by the general public, many Twitter users fell victim to the scam. Losses accrued are estimated at around $250 million.
The investigation into the attack continues, but Twitter announced at the end of July that social engineering and ‘phone spear-phishing’ were the techniques used to take control of the accounts. The fraudsters targeted individuals within Twitter’s admin team who had privileged access to administration tools. Once the cybercriminals obtained those privileged credentials, they were able to reach internal systems and processes.
Socialized apps, in general, have come under the media spotlight because of a variety of privacy concerns. Covid-19 ‘track and trace’ apps are a case in point. In the UK, an attempt to build an app to help with Covid-19 tracking raised numerous privacy concerns, including the app storing personal data for up to 20 years and the data not being subject to the GDPR ‘right to deletion’ requirement.
“We also collect information you share with us from third-party social network providers, and technical and behavioral information about your use of the Platform. We also collect information contained in the messages you send through our Platform and information from your phone book, if you grant us access to your phone book on your mobile device.”
TikTok is no stranger to privacy issues. In 2019, the FTC issued a $5.7 million fine to TikTok for violating the requirements of the privacy act, COPPA (Children's Online Privacy Protection Act), for illegally collecting personal information from children.
By its very definition, social media is widely used. This is a draw to anyone trying to carry out criminal activities: lots of people means lots of opportunities to commit fraud. Social media platforms are also built on the premise of ‘trust’. One of the reasons the Twitter hack was so successful was that the accounts used to perpetrate the cybercrime were ‘trusted’ or verified accounts. On Twitter, accounts with a ‘blue tick’ carry proof of identity; that is, the person behind the account has been checked (verified) as being who they say they are. This helps to build further trust between the Twitter account and its followers, a fact not lost on the cybercriminals behind the Twitter hack. The fraudsters took full advantage of verified accounts to make the scam feel legitimate.
Many other types of scam use social networking as an ideal playground for fraud. Here are three examples of the most common ones:
According to Javelin Strategy, social media platform users have a 46% increased risk of account takeover and fraud. Social media accounts require registration, during which personal data that forms part of your digital identity make-up is collected. But many social media platforms also collect other data, including selfies, friend and family data, and highly personal details such as holiday dates, workplace information, etc. This data is very attractive to cybercriminals, who can use it to create synthetic identities or to impersonate a person directly. Stolen login credentials or database hacks can provide the method of entry to the account.
Social media platforms can become hosts to impersonation accounts, where the fraudsters set up an account that replicates a user’s personal page. The fraudsters then use social engineering and threats to extort money from victims.
It is not just individuals that are at risk from social media hacks. Bromium, in its report “Social Media Platforms and the Cybercrime Economy”, describes social media as “a global distribution center for malware.”
The report describes how employees inadvertently click on malicious content via social media posts and the like. This provides a mechanism for malware installation, enabled by vulnerabilities in unpatched software, after which hackers have backdoor access to enterprise assets.
The Bromium report also points out that “70% of ransomware attacks that were successful in 2017 originated from phishing attacks via emails or social media platforms.” Social media provides a perfect conduit for phishing campaigns. Phishing depends on social engineering tricks to encourage users to click malicious links or download infected attachments. Social media is built on trust between users. If a person trusts a link, they are more likely to click on it.
Privacy laws, such as the EU’s GDPR (General Data Protection Regulation) and the U.S. regulation CCPA (California Consumer Privacy Act), can go some way to help alleviate the issues around social media-based data breaches and privacy violations. Having a framework that recognizes consumer rights in terms of data privacy provides a mechanism to put protective measures in place. However, these protective measures need to be augmented; regulations alone are not enough. Enterprises and individuals must become knowledgeable about the threats that social media poses. Cybersecurity policies should incorporate protective measures that take social platforms into account. A holistic approach that de-risks social media platform threats can help ensure that this prolific, and often enjoyable, medium remains safe.