The big news in security this week has been the hijacking of the Associated Press' Twitter account. The attackers leveraged the "bad news" atmosphere created by the events in Boston last week to gain some measure of credibility for a tweet about bombs exploding at the White House. This is not a particularly new approach: in 2007, the Storm Worm used bad news in an email subject to get people's attention (“230 dead as storm batters Europe”) and install malware on their machines.
The difference here is that the AP Twitter hack resulted in 4,000 retweets within 15 minutes, and the Dow dropped 143 points. It is not clear whether the latter was the motivation for the attack, but it does raise the question of whether we might see more social media attacks aimed at impacting the stock market in the future. The impact on the stock exchange may have only been momentary, but it was significant. This seems to me like it could potentially spawn a new attack trend with some pretty significant economic implications.
We have seen a number of high profile brands targeted through their social media profiles. For instance, in February, Burger King's Twitter account was hacked and its photo was set to the McDonald's logo with a message stating that Burger King was sold to McDonald's. Fortunately, in addition to the merger tweet, the hacker tweeted other inappropriate things, so it was fairly obvious the account was hacked. And it is safe to say that the fast-food company's stock did not fluctuate wildly.
So the four things I would challenge individuals and organizations to consider are:
- The power of social media tools and the impact they can have on your reputation, personally or at an organizational level. Organizations might want to consider developing a security/risk management strategy around these systems.
- The criticality of good passwords on every account, not just sensitive financial or company data. Use longer passwords (8-12 characters), don't reuse passwords across multiple sites, and use special characters. Also, don't use words obviously associated with you, your organization, or the site in question. For example, "Rapid7_Twitter_password" might be long and use special characters, but it's probably not the best bet for us!
- The entry point for the attack was a spear-phishing email. These can be really hard to spot these days, so be wary in general of emails encouraging you to click on something or open something. Always check whether the "from" address looks right, and don't click on the link itself - open a browser and type in what you think the link should be based on logic. Bottom line: if in doubt, forward the email to your colleagues in security or IT, or else just ignore it.
- Lastly, consider testing your users to measure their susceptibility to these kinds of attacks. For example, automated social engineering testing can help you identify training and education needs.
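As an added illustration of the password guidance in the list above (example code written for this page, not code from the original post or from Rapid7), here is a small Python checker that enforces the length and special-character rules, flags words associated with you or the site even when letters have been swapped for look-alike digits, and keeps a fingerprint list so the same password is not reused on another site. The terms in `ORG_TERMS` and the sample passwords are constructed values; a real deployment would load its own list.

```python
import hashlib

# Constructed sample list of words associated with the user, the organization
# and the site (an assumption for this example, not a list from the post).
ORG_TERMS = ["rapid7", "twitter", "password"]

# Common letter-for-symbol substitutions, undone before the blocklist check so
# that "Tw!tt3r" is still recognised as "twitter".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s"})


def normalize(text):
    """Lower-case the text and undo look-alike substitutions."""
    return text.lower().translate(_LEET)


def check_password(password, blocked_terms=ORG_TERMS, min_length=8):
    """Return a list of policy violations; an empty list means the password passes.

    Rules follow the post: at least min_length characters, at least one
    special (non-alphanumeric) character, and none of the words obviously
    associated with the user, the organization or the site.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} chars, minimum is {min_length}")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    normalized = normalize(password)
    for term in blocked_terms:
        if normalize(term) in normalized:
            problems.append(f"contains associated term '{term}'")
    return problems


def fingerprint(password):
    """SHA-256 digest used only as a local 'have I used this before' marker.

    This is a reuse check for one person's own list, not a way to store
    account passwords; stored credentials need a salted, slow hash.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reused(password, known_fingerprints):
    """True if the password is already in the set of fingerprints from other sites."""
    return fingerprint(password) in known_fingerprints


if __name__ == "__main__":
    # Constructed sample candidates; the first is the post's own counter-example.
    already_used = {fingerprint("correct-horse-battery-staple")}
    for candidate in ["Rapid7_Twitter_password", "abc123", "Tw!tt3r2013",
                      "correct-horse-battery-staple"]:
        issues = check_password(candidate)
        if reused(candidate, already_used):
            issues.append("already used on another site")
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```

The post's own example, `Rapid7_Twitter_password`, passes the length and special-character rules but trips all three blocklist terms, which is exactly the point the author makes; the substitution table is what stops a user from sidestepping the blocklist with `Tw!tt3r`.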