Executives must be careful about what they reveal on social networking sites such as LinkedIn or Facebook, with experts suggesting scammers are using this information to launch cyber attacks designed to steal confidential data.
The warning comes after it was revealed mining giants Rio Tinto and BHP Billiton were hit with cyber attacks last year during the height of the scandal surrounding former Tinto executive Stern Hu, who has been jailed on charges of bribery and stealing secret information.
AusCERT senior information security analyst Zane Jarvis says he cannot identify whether those attacks were based on social networks, but suggests a trend has been developing whereby scammers gather information from sites such as LinkedIn, and then use that to exploit weaknesses.
“The more information people are putting online, the easier it is for scammers to start targeting executives. If you’re going after a particular company, you could search the internet for people who have positions in important roles, such as financial directors or software engineers.”
Jarvis says these are the people who are more likely to have access to confidential information, much of which could be crucial to a company’s success, and says scammers usually start emailing these executives with damaging content.
“What happens is these scammers send emails which have some sort of social engineering hook, saying things like ‘you must review this document’. Inside will be an attachment with potentially harmful virus content, which could give remote control to a computer.”
“These attacks have always been sophisticated because they are doing their research before going against companies, and it’s not just blind hacking. They go after people in more important roles in their companies.”
Jarvis says this should be a major concern for companies dealing with social networking, and warns business owners and executives to educate their staff on what is and isn’t acceptable behaviour on social networks, as their business could be at stake.
“They need to be educated about what is and isn’t appropriate to have on these sites. Potentially harmful material could include email addresses, job titles, responsibilities of the job and so forth.”
“Additionally, there have been cases of people on Facebook complaining about things at work which could be sensitive, and hackers are using that to take advantage and target specific people. They could be giving out private information.”
James Griffin, chief executive of online reputation management group SR7, says this point is crucial and warns executives to control the online presence of their employees with extreme precision.
“We’ve heard of clients that were unaware of the amount of corporate information leakage that was occurring on social networking sites. A lot of it was unwittingly done by employees who didn’t have a good grasp of their privacy settings on these sites.”
Griffin warns businesses must undergo an extensive education program where employees are told what they can or cannot say on social networking sites, and says that businesses must be careful about why they are moving onto these sites in the first place.
“We’ve seen criminals are becoming more savvy and are manipulating those social networking tools to their own benefit and it’s a good example as to why there should be some serious consideration as to what information is going out, why it is going out and examining the exact employees who are doing this. Education is needed.”