Around 12 percent admitted to adding anyone to their list – regardless
of whether they know them or not. Nearly a third (31 percent) will
accept connections from people they don't know if they have mutual
friends, although this could expose them to more unknown
people – even advertisement agents or cyber-criminals.
When it comes to trusting their “friends”, a quarter (26 percent) of
those surveyed would not hesitate to click on a link sent by a
friend without asking what it is, or considering that the sender's
account could have been hacked.
“Social network users are playing a dangerous game by not being
cyber-savvy and essentially giving strangers easy access to their
personal details and private information. With social media profiles
containing a raft of insight – from birthdays through to addresses
and holiday plans – it wouldn't take much digging for a
cyber-criminal to find and exploit valuable information, or steal
your identity for their own gain. This is even easier if you have
unwittingly made them your friend,” said David Emm, principal
security researcher at Kaspersky Lab.
Ken Munro, senior partner at Pen Test Partners, told
SCMagazineUK.com that by manually seeding social networks with
regularly updated profiles, it's possible to create real identities
for bogus staff to form a social media honeynet to more readily
“The type of ‘staff’ dummies used should be based upon what type of
attack you wish to monitor,” he said.
Munro added that new starters are “perfect cannon fodder” for spear-phishing
campaigns as they “aren't familiar with internal processes, probably
haven't had security inductions yet and feel nervous about speaking
up or getting fired in the event of doing something silly on their
“Using this ‘honeynet’, it then becomes possible to check for any
similar patterns on mail logs. It is even possible to reverse
engineer the malware, and find out where the connection goes back
to. Obtain a sample and destination IP address and upload it on to a
site such as VirusTotal or similar and you might just save someone
else from being compromised too,” added Munro.
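
The mail-log check Munro describes can be sketched as follows. This is an added example, not code from Pen Test Partners or the article: it takes mail delivered to decoy mailboxes as a signal and looks for the same sender or subject reaching real staff. The decoy addresses, the simplified log format and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical decoy ("honeynet") mailboxes that exist only on seeded social profiles.
DECOYS = {"j.hale@example.com", "p.okoro@example.com"}

# Constructed sample log lines in a simplified key=value format (not a real MTA's format).
SAMPLE_LOG = """\
2016-01-12T09:14:02 from=recruiter@jobs-offer.example to=j.hale@example.com subject="Your onboarding documents"
2016-01-12T09:15:40 from=newsletter@vendor.example to=a.real@example.com subject="January product update"
2016-01-12T09:16:11 from=recruiter@jobs-offer.example to=a.real@example.com subject="Your onboarding documents"
2016-01-12T09:20:57 from=hr-team@payrol1.example to=p.okoro@example.com subject="Payroll form"
2016-01-12T09:31:05 from=it-desk@helpdesk.example to=b.staff@example.com subject="Payroll form"
2016-01-12T10:02:33 from=colleague@example.com to=b.staff@example.com subject="Lunch?"
"""

LINE_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) subject="(.*)"$')

def parse(log_text):
    """Yield (timestamp, sender, recipient, subject); skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, sender, rcpt, subject = m.groups()
            yield ts, sender.lower(), rcpt.lower(), subject.strip().lower()

def correlate(log_text, decoys):
    """Return {real_recipient: [(timestamp, sender, subject, reason), ...]}."""
    records = list(parse(log_text))
    # Anything delivered to a decoy is suspect: nobody legitimate has that address.
    bad_senders = {s for _, s, r, _ in records if r in decoys}
    bad_subjects = {subj for _, _, r, subj in records if r in decoys}
    hits = defaultdict(list)
    for ts, sender, rcpt, subj in records:
        if rcpt in decoys:
            continue  # decoy traffic is the signal, not a finding
        if sender in bad_senders:
            hits[rcpt].append((ts, sender, subj, "sender"))
        elif subj in bad_subjects:
            hits[rcpt].append((ts, sender, subj, "subject"))
    return dict(hits)

if __name__ == "__main__":
    for rcpt, events in correlate(SAMPLE_LOG, DECOYS).items():
        for ts, sender, subj, reason in events:
            print(f"{rcpt}: {ts} from {sender} ({subj!r}) matched decoy {reason}")
```

Matching on subject as well as sender catches a campaign that rotates sending addresses but reuses the same lure.
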
Fraser Kyne, principal systems engineer at Bromium, told SC that all
social media represents both benefit and risk.
“Social engineering is so simple these days – I can find out all I
need to know about you online. In light of this, all businesses will
need to modify their employee corporate responsibility guidelines
and procedures to include social media,” he said.
“They cannot rely on users to do the right thing automatically. This
is particularly important given the flippant disregard that most
people have for securing their personal information online. If they
don't protect their personal data you can't rely on them to protect
your corporate data.
“People have to realise a simple truth: if the product is free, then
you are the product. This is not only a risk to individual privacy,
but a huge risk to any business.”