Hackers Hide Cyberattacks in Social Media Posts
SAN FRANCISCO — It took only one attempt for Russian hackers to make their way into the computer of a Pentagon official. But the attack didn’t come through an email or a file buried within a seemingly innocuous document.
A link, attached to a Twitter post put out by a robot account, promised a family-friendly vacation package for the summer. It was the kind of thing anyone might click on, according to the official hit by the attack, who was not authorized to speak publicly about it.
That is exactly the problem, Pentagon officials and cybersecurity experts said. While corporations and government agencies around the world are training their staff to think twice before opening anything sent by email, hackers have already moved on to a new kind of attack, targeting social media accounts, where people are more likely to be trusting.
Pentagon officials are increasingly worried that state-backed hackers are using social media sites such as Twitter and Facebook to break into Defense Department computer networks. And the human error that causes people to click on a link sent to them in an email is exponentially greater on social media sites, the officials said, because people are more likely to consider themselves among friends.
Another official, who spoke to The New York Times on the condition of anonymity because he was not authorized to speak to reporters, described the problem as teaching an entire department to be wary of anything that was sent to it — even if the message appeared to come from family or a friend.
While last year’s hacking of senior Democratic Party officials raised awareness of the damage caused if just a handful of employees click on the wrong emails, few people realize that a message on Twitter or Facebook could give an attacker similar access to their system, and that accounts can be spoofed or imitated so that an attacker appears to be a trusted friend.
“Spear phishing,” or the act of sending a malicious file or link through a seemingly innocuous message, is hardly new. In November 2015, the State Department revealed that its employees had been spear phished through social media accounts.
But Pentagon officials say the scale of the spear phishing attacks is unlike anything they had ever seen before. A report in Time magazine this month revealed that a Russian-led cyberattack tried to spear phish 10,000 Twitter accounts belonging to Defense Department employees, using personal messages targeted at specific users.
The Defense Department did not respond to a request for comment. In response to a Times reporter, Twitter sent a copy of the company’s anti-spam rules, which said any account that violated its rules would be suspended. A spokesman for Facebook said the company was aware of the problem and was monitoring spear phishing on the platform.
In a recent white paper published by Facebook, the company outlined the common hacking techniques it was seeing. The company said it was using specialized notifications, detection systems and user education to counteract spear phishing.
Cybersecurity companies said spear phishing through social media was one of the fastest-growing methods of attack.