Think twice before you snap and share that office selfie, #firstday badge pic, or group photo at work.
Hackers are trolling social media for photos, videos, and other clues that can help them better target your company in an attack. I know this because I’m one of them.
Fortunately, in my case, the “victim” of these attacks is paying me to hack them. My name is Snow, and I’m part of an elite team of hackers within IBM known as X-Force Red. Companies hire us to find gaps in their security–before the real bad guys do. For me, that means scouring the internet for information, tricking employees into revealing things over the phone, and even using disguises to break my way into your office.
Social media posts are a goldmine for details that aid in our “attacks.” What you find in the background of photos is particularly revealing–from security badges to laptop screens, or even Post-its with passwords.
No one wants to be the source of an unintended social media security fail. So let me explain how seemingly innocuous posts can help me–or a malicious hacker–target your company.
The first thing you may be surprised to know is that 75% of the time, the information I’m finding is coming from interns or new hires. Younger generations entering the workforce today have grown up on social media, and internships or new jobs are exciting updates to share. Add in the fact that companies often delay security training for new hires until weeks or months after they’ve started, and you’ve got a recipe for disaster.
Knowing this weak point, along with some handy hashtags, allows me to find tons of information I need within just a few hours. Take a look for yourself on your favorite social apps for posts tagged with #firstday, #newjob, or #intern + [#companyname].
So, what exactly am I looking for in these posts? There are four specific kinds of risky social media posts that a hacker can use to their advantage.
Posting a photo of you and your office besties, whether it’s on a lunch break, doing some sort of social activity, or otherwise, may be revealing more than you imagine. Think about the types of posters or whiteboards that are up in shared areas of the office. A poster about “Team Softball League Starting Soon” means you be won’t be suspicious if I send you an email with a link to the latest team schedule. Trust me, the link I send you won’t be one you want to click.
New badge, who dis?
This may seem obvious, but you’d be shocked to know how many times I see new employees posting close-up shots of their company security badges, particularly on the first day or last day at the office.
Knowing what a company employee badge looks makes re-creating one a breeze. I can copy, paste, and print myself an identical one with my own face swapped in within just a few minutes. While this badge may not work for access, you’d be surprised how easy it is for me to simply flash a badge and a confident smile to tailgate my way through the doors of a company.
Day in the life
When an employee decides to video-blog their entire day at a company, you’ve hit the hacker jackpot. From knowing the building layout and badge-protected areas to whiteboards revealing company plans, this type of view is almost as good as breaking into the company in real life.
Not only that, but laptop screens reveal the types of security tools and software being used, which we can use to tailor an attack by creating custom malware disguised as a fake software update.
In today’s review-driven culture, even your own company is on the chopping block. Whether through Glassdoor, job boards, or social media sites, learning what issues are currently making employees tick can help me craft a phishing email that plays to their complaints and desires.
For example, one company I tested had many employees complaining online about a lack of parking spots, so I crafted an email explaining a newly assigned parking policy and warning all parked outside of their assigned spot would be towed. The excitement of finally having an assigned parking spot, plus the fear of being towed, led to tons of clicks on the fake (malicious) parking map attachment included on the email.
After hearing some of these examples, you may wonder why a hacker would want to get into your office in the first place. In short, being within the four walls of an office gives you the keys to the kingdom for gaining trust and access. From shared credentials on whiteboards to Wi-Fi passwords posted in plain sight, being onsite breaks down the walls that divide us from your company data and secrets. Social media posts can even reveal enough that we don’t need to actually visit your company to get the information, since you’ve already let us peek inside the walls, virtually.
So, before you click share that next work-related post, think to yourself, “What’s in this post that I wouldn’t want Snow to know?”
Stephanie “Snow” Carruthers (@_sn0ww) is chief people hacker at IBM X-Force Red, an elite team of hackers who companies hire to find their security gaps before the bad guys do. Stephanie has won coveted “black badges” for her social engineering prowess at major industry conferences such as DEF CON and has tested the security of clients ranging from startups to Fortune 100 companies and government agencies.