Oversharing and Cybersecurity: Dangers when employees share too much online
ESET explains how organizations can mitigate the risks and protect themselves.
Employee advocacy has existed as a concept for over a decade. But what began as a well-intentioned way to enhance corporate profile, thought leadership, and marketing also has some unintended consequences. When professionals post about their work, their company, and their role, they expect to reach like-minded professionals, as well as potential clients, allies, and partners. ESET, a leading company in proactive threat detection, warns that malicious actors are also paying attention and that the more information there is, the more opportunities there are to carry out malicious activities that could seriously affect an organization. Once that information is publicly available, it is often used to help create convincing spearphishing or business email compromise (BEC) attacks.
“The first stage of a typical social engineering attack is information gathering. The next is to weaponize that information in a spearphishing attack designed to trick the recipient into unknowingly installing malware on their device. Or, potentially, into sharing their corporate credentials to gain initial access. This could be achieved through an email, a text message, or even a phone call. Alternatively, they could use the information to impersonate a high-level executive or supplier in an email, phone call, or video call requesting an urgent bank transfer,” reveals Martina Lopez, Cybersecurity Researcher at ESET Latin America.
The main platforms for sharing this type of information are the usual ones. LinkedIn is perhaps the most widely used. It could be described as the world’s largest open database of corporate information: a veritable treasure trove of job titles, roles, responsibilities, and internal relationships. It’s also where recruiters post job openings, which can reveal too many technical details that can then be exploited in spearphishing attacks.
GitHub is perhaps best known in the cybersecurity context as a place where careless developers post hardcoded secrets, IP addresses, and customer data. But they can also share more innocuous information about project names, CI/CD pipeline names, and details about the technology stacks and open-source libraries they use. They can also share corporate email addresses in Git commit configurations.
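The GitHub risks named above (hardcoded secrets, IP addresses and a corporate e-mail address in the commit configuration) are the kind of thing a repository can check for itself before anything is pushed. The following pre-push check is an added example written for this article, not ESET’s code or any product’s. The corporate domain list, the detection patterns and the sample repository contents are constructed for illustration; the AWS key in the sample is the publicly documented example key, not a live credential.

```python
"""Pre-push check for the GitHub oversharing risks the article names:
hardcoded secrets, IP addresses in source, and a corporate e-mail address in
the commit configuration. Added example, not ESET's code; the patterns,
domain list and sample repository contents are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical corporate domain list; a real deployment would set its own.
CORPORATE_DOMAINS = {"example-corp.com"}

# Loopback/unspecified addresses are not worth reporting.
IGNORED_IPS = {"127.0.0.1", "0.0.0.0"}

# Deliberately simple patterns: enough to catch the common cases, not a
# replacement for a full secret scanner.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Kinds whose matched text is itself sensitive, so the report truncates it.
REDACTED_KINDS = {"aws_access_key", "generic_secret"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 1-based; 0 for commit metadata
    kind: str
    excerpt: str   # truncated for secret kinds so the report does not leak the value


def _redact(value: str) -> str:
    return value if len(value) <= 6 else value[:6] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per pattern hit, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hit = match.group(0)
                if kind == "ipv4_address" and hit in IGNORED_IPS:
                    continue
                excerpt = _redact(hit) if kind in REDACTED_KINDS else hit
                findings.append(Finding(path, lineno, kind, excerpt))
    return findings


def check_commit_email(email: str) -> Optional[Finding]:
    """Flag a commit e-mail whose domain is corporate so it can be swapped
    for a no-reply address before pushing to a public repository."""
    domain = email.rsplit("@", 1)[-1].lower()
    if domain in CORPORATE_DOMAINS:
        return Finding("<commit metadata>", 0, "corporate_commit_email", email)
    return None


def check_push(files: dict[str, str], author_email: str) -> list[Finding]:
    """Scan every file that would be pushed plus the author configuration."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    email_finding = check_commit_email(author_email)
    if email_finding:
        findings.append(email_finding)
    return findings


# Constructed sample repository; all values are fake.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "10.20.30.40"\n'
        'DB_PASSWORD = "hunter2-not-a-real-secret"\n'
        'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n'
        'BIND = "127.0.0.1"\n'
    ),
    "deploy/keys.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedbody\n",
    "src/app.py": 'VERSION = "1.2.3"\nprint("hello")\n',
}
SAMPLE_AUTHOR = "dev@example-corp.com"

if __name__ == "__main__":
    for f in check_push(SAMPLE_FILES, SAMPLE_AUTHOR):
        print(f"{f.path}:{f.line} [{f.kind}] {f.excerpt}")
```

Run against the sample repository, the check reports the internal IP, the password assignment, the AWS-style key, the private key header and the corporate commit address, while ignoring the loopback bind address and the version string that merely looks like an address. Wiring `check_push` into a pre-push hook turns the article’s “don’t overshare on GitHub” advice into something that is enforced rather than remembered.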
Then there are the classic end-user-oriented social platforms, such as Instagram and X. This is where employees often share details about their travel plans to conferences and other events, which could be used against them and their organization. Even information on your company’s website could be useful to a potential scammer or hacker. Think about details on technical platforms, suppliers and partners, or important corporate announcements, such as mergers and acquisitions. All of this could serve as a pretext for sophisticated phishing.
The attacks mentioned above typically require a combination of impersonation, urgency, and relevance. Here are some hypothetical examples:
- An attacker finds information on LinkedIn about a new employee in the IT department of Company A, including their main duties and responsibilities. They impersonate a key technology vendor and claim an urgent security update is needed, referencing the target’s name, contact information, and job title. The update link is malicious.
- A malicious actor finds information about two colleagues on GitHub, including the project they are working on. They impersonate one of them in an email asking the other to review an attached document, which contains malware.
- A scammer finds a video of an executive on LinkedIn or a company website. They see on the person’s Instagram feed that they are giving a presentation and will be out of the office. Knowing that the executive may be difficult to contact, they launch a BEC deepfake attack using video or audio to trick a member of the finance team into transferring urgent funds to a new vendor.
ESET describes real-world examples of malicious actors using open-source intelligence (OSINT) techniques in the early stages of attacks. These include:
- A business email compromise (BEC) attack that cost Children’s Healthcare of Atlanta (CHOA) $3.6 million: Malicious actors likely reviewed press releases about a newly announced campus to gather details, including the hospital’s construction partner. They then used LinkedIn and/or the company’s website to identify key executives and finance team members at the construction firm involved (JE Dunn). Finally, they impersonated the chief financial officer in an email to CHOA’s finance team requesting that they update their payment information for JE Dunn.
- The Russia-based SEABORGIUM and Iranian-aligned TA453 groups use OSINT for reconnaissance before launching spearphishing attacks against pre-selected targets. According to the UK’s NCSC, cybercriminals use social media and professional networking platforms to “research the interests [of their targets] and identify their real-world social or professional contacts.” Once they have established trust and a relationship via email, they send a link to collect the victims’ credentials.
Education: the most powerful preventive weapon
“While the risks of oversharing are real, the solutions are simple. The most powerful weapon is education. Updating security awareness programs is crucial to ensuring that everyone in a company understands the importance of not oversharing on social media. Ask staff to avoid sharing information through unsolicited direct messages, even if they recognize the sender (as their account could have been spoofed), and ensure they are able to detect phishing, BEC, and deepfake attempts,” advises Lopez from ESET Latin America.
Furthermore, among ESET Latin America’s security recommendations is the need to support this with a strict social media policy, defining clear limits on what can and cannot be shared, and establishing clear boundaries between personal and professional/official accounts. It may also be necessary to review and update corporate websites and accounts to remove any information that could be weaponized.
Enabling multifactor authentication (MFA) and using strong passwords (stored in a password manager) should also be standard practice for all social media accounts, since a compromised professional account can be used to attack colleagues.
Finally, monitor publicly accessible accounts whenever possible to detect any information that could be used for spearphishing and business email compromise (BEC), and conduct red team exercises with employees to test their awareness.
“AI is making it faster and easier than ever for malicious actors to profile their targets, gather OSINT, and then draft convincing emails/messages in perfect natural language. AI-powered deepfakes further increase their options. The takeaway should be that if something is in the public domain, you can expect a cybercriminal to know it too and soon come knocking,” concludes Martina Lopez of ESET.
ESET invites you to learn more about cybersecurity by visiting: https://www.welivesecurity.com/es/.
For other useful preventative information, also available in Venezuela: https://www.eset.com/ve/, and on their social media channels @eset_ve. Also on Instagram (@esetla) and Facebook (ESET).
With information and reference image provided by ESET and Comstat Rowland
