Taming the social media exhibitionist

Twitter, Facebook, and LinkedIn logos on a smartphone screen

According to AllTwitter, every minute of the day more than 100,000 tweets are sent; 684,478 pieces of content are shared on Facebook; 48 hours of video are uploaded to YouTube; and 3,600 photos are shared on Instagram.

It won’t be long, if it isn’t already, for an individual’s expertise and/or popularity to be measured purely by the number of ‘followers’ or ‘friends’ that they have. From the famous to the infamous, it seems everyone and anyone is happy to tell virtual strangers what they’ve had for dinner or where they’re going on holiday. The issue is, while many consider status updates a means to raise their profile, the sad truth is far too many users are oblivious to the intimate details they are innocently revealing via social media channels to friends and the bad guys too.

In September 2012, users of the popular photosharing website Pinterest began complaining about widespread account takeovers that spilled image spam onto adjoining social networks like Twitter and Facebook. Users who had linked their Pinterest account to adjacent social networks like Facebook and Twitter found that the spammers were quickly able to take advantage of that access, blasting out tweets and wall posts linking to the spam images.

Once Pinterest was notified of the attack, the site advised users to have a unique password for each social networking site – however it didn’t mention anything about refraining from linking Pinterest accounts with other social networking sites.

Users should be particularly careful when linking social networking sites. If a hacker is able to compromise one site they find it far easier to gain access to others. It is advisable that users look at the links between each of their social media accounts, identifying what information is connected and what could be of value to hackers.

The Pinterest example is just one of many that show how data we provide to social networking sites can be used in ways we didn’t intend. For instance, pictures sent over Twitter often contain metadata that reveals our location, allowing someone to potentially track our movements without our knowledge.

Opaque or transparent?

Many individuals are blissfully unaware of the security risks these public domains pose. While revealing who you are in contact with, and where you frequent, has obvious physical security implications, the risks run much deeper. And not just to the individual concerned but, for an employee, it can also leave the organisation they work for exposed to unnecessary risks.

The reality is that today’s criminal is busily scanning these public forums, researching their victims and collecting any personal information they can find that can be used to digitally attack the individual and/or their network of friends and peers. Using this intelligence, they craft messages that are highly customised and immediately gain the potential victims’ trust – known as spear phishing attacks.

Spear phishes encourage recipients to either open a malicious attachment, follow a false link that introduces malware to the user’s device, and the infrastructure to which it connects, or to disclose personal information that can be used by criminals fraudulently. This leaves the employee and his employer open to potentially massive security breaches, such as the loss of customer data, R&D information, system disruption – you name it.

Two-pronged defence

Rather than reiterate the risks, let’s look at what can be done to mitigate these attacks.

For organisations, corporate policies can be used – especially in terms of offering guidelines and setting expectations. In particular, detailing what is, and isn’t acceptable behaviour for social media – for example around the use of privacy settings etc. available on forums such as Facebook. However, while that is acceptable for someone’s professional persona, it is increasingly difficult to dictate what someone can and can’t do online in their personal life.

This is where training bridges the gap. People need to be made aware of not only what they can and shouldn’t be doing, but also what to look out for and understand how they might be targeted.

For example, one social media avenue that phishers are exploiting is the use of shortened URLs. On Twitter a criminal can use bit.ly or a similar tool to disguise the true URL destination. Users need to be aware that clicking a link may not take them to paradise, but instead could lead them up a dark virtual alley. A simple solution is to use a browser ‘plug in’ which shows the underlying URL when the cursor hovers over a short link, unmasking the true destination.

It’s a brave new digital world – but it’s also fraught with dangers. Employees need to understand what their virtual profile says about them – both intentionally and unintentionally, if they’re to make sure they aren’t leaving themselves, and their employers, vulnerable to attack.

For security experts in the channel, the dangers posed by social media exhibitionism could offer a lucrative new business opportunity.


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.