How susceptible are security experts to counterintelligence targeting on social media? For a 28-day period between December 2009 and January 2010, security consultant Thomas Ryan ran an experiment to answer that very question. Using a photo from a pornography website, he created the fictitious persona of “Robin Sage” on LinkedIn, Facebook and Twitter.
Inside the Robin Sage Experiment
Claiming to work as a “cyber threat analyst,” Ms. Sage then reached out to approximately 300 officials, many of whom worked for the U.S. military as well as U.S. intelligence agencies and defense contractors. Surprisingly, many of these officials blindly accepted her invitation to connect. Some of them even extended dinner invitations and offers for consulting work. More seriously, several of them provided very sensitive information regarding themselves and their work. In the course of their official duties, most of these officials had received routine briefings regarding how to protect themselves and our nation’s secrets from external threat actors. Have security experts learned a valuable lesson from Ms. Sage? Apparently not.
Targeting Security Experts Today
I frequently test this same concept prior to my presentations at conferences and client security awareness training events. In advance of the event, my avatars reach out to connect with prospective attendees, many of them senior corporate executives. Based upon my findings, over 52 percent of those approached readily connect with these fictitious profiles. The avatar then engages the “target” in a conversation using the platform’s messaging application. Just as an email can be used for a phishing attack, a social media messaging application can be used to deliver a malicious link or attachment. Clicking that link or opening the attachment can install malware, resulting in ransomware or other compromise of the user’s IT network. In my scenarios, the avatar encourages the recipient to open an attachment which is said to contain more information. The attachment I use is not malicious; it is a deliberately corrupted file which will not open properly. Many of the targets try to open it anyway. Some even contact the avatar, apologize for not being able to open it and ask for it to be resent to their personal email. Most alarming, many of the individuals who fall for this ploy are heads of security for their respective organizations.
Accepting Social Media Requests
My advice for those with social media profiles is to limit the amount of sensitive information which is posted. Unless the strictest privacy settings are in use, such information is readily available to any member of the public. As there are currently over 4.55 billion social media users worldwide, the risk of a threat actor assessing you as a potential target is very high. If you do decide to accept connections from people you do not know, it is very important to verify whether the profile is genuine and to know how to tell when a profile is fake.
There are several tools I use to verify the authenticity of profiles, which will be discussed in future blog posts.