The first line of defense against a social media-related attack recently perpetrated by a suspected Iranian hacker group is to teach employees how to spot cyberspies, experts say.
The use of social media to trap specific targets is common in government-sponsored espionage campaigns. In the latest attack, hackers posed as attractive women on Facebook and LinkedIn in order to lure associates of the targets, security consultancy iSight Partners reported Thursday.
By first gaining credibility with the associates, the hackers hoped to later use those relationships to build trust with the intended victims. The actual targets included U.S. military members, lawmakers, Washington, D.C., journalists and defense contractors and lobbyists for Israel.
The purpose of the scam was to eventually trick people into divulging their email credentials on spoofed login pages.
While companies could try to avoid such an attack by barring employees from using social media on corporate PCs, such a strategy would be difficult to enforce and ineffective, experts say. That's because employees can just as easily give up their credentials using their own computers.
The better solution is to teach employees about the tipoffs of a scam, such as inconsistencies in the information provided by the attackers, John Hultquist, manager of cyberespionage and threat intelligence at iSight, said.
"What eventually gave them (the suspected Iranian hackers) away were the mistakes they made," Hultquist said. "A lot of things were inconsistent with who they claimed to be."
For example, one of the attackers claimed to be a member of the U.S. Navy and the U.S. Army at the same time, while another who claimed to be a journalist had poor English skills, Hultquist said.
Employees should also be told never to take at face value the identity someone gives online. "Ask probing questions," said Kevin Coleman, strategic management consultant with SilverRhino, which advises government agencies on security.
If a person claims to be from a particular organization, then employees should look up the entity's main number and use that in verifying the contact, Coleman said. Also, they should ask for the person's employer email address and never accept namedropping as a form of credibility.
"Don't fall for the so-and-so is linked to them, so they must be OK," Coleman said.
Employees who suspect they've been duped should not fear being disciplined. This will help ensure prompt reporting of incidents to the IT security department.
Besides changing the victim's login credentials, the security team should gather as much information as possible in order to find clues for preventing future attacks.
"A lot of these attacks are very consistent or they have similarities," Conan Dooley, security analyst for consultancy Bishop Fox, said.
For example, if an attack is connected to a malicious site, then it's likely the location was used in other attacks. Therefore, the security team should look for other computers that visited the site, Dooley said.
Companies can then turn to their login monitoring tools to determine whether the credentials of people using those computers have been misused, Dooley said.
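The two-step triage Dooley describes (find every host that touched the spoofed login site, then check whether the accounts behind those hosts have since been used from somewhere unusual) is easy to script against proxy and authentication logs. The following is an added example, not code from iSight, Bishop Fox or the article: the proxy lines, login records, hostnames, users and IP addresses are all constructed for illustration, the indicator domain is a placeholder rather than a real indicator from the campaign, and the host-to-user mapping stands in for an asset inventory the organization is assumed to have.

```python
"""Correlate a phishing-site indicator against proxy and login logs.

Step 1: find every internal host that contacted the spoofed login site.
Step 2: map those hosts to the users who normally sit at them.
Step 3: flag successful logins by those users, after the visit, from an IP
        address the user had not logged in from before the exposure.

Every log line, hostname, user and IP below is constructed for this example,
and the indicator domain is a placeholder, not a real indicator.
"""
from datetime import datetime
from urllib.parse import urlparse

INDICATOR_DOMAIN = "login-portal.example"  # placeholder, not a real indicator

# Constructed proxy log: "<ISO timestamp> <client host> <URL>"
PROXY_LOG = """\
2014-05-29T09:12:04 ws-101 https://www.example.org/news
2014-05-29T09:15:31 ws-204 https://owa.login-portal.example/auth/login.php
2014-05-29T09:16:02 ws-204 https://owa.login-portal.example/auth/submit.php
2014-05-29T10:40:19 ws-317 http://login-portal.example/index.html
2014-05-29T11:02:45 ws-101 https://www.example.com/
"""

# Constructed authentication log: "<ISO timestamp> <user> <source IP> <result>"
AUTH_LOG = """\
2014-05-29T08:30:05 carol 10.1.4.90 success
2014-05-29T08:55:10 alice 10.1.4.22 success
2014-05-29T09:14:00 bob 10.1.4.57 success
2014-05-29T13:21:48 bob 203.0.113.45 success
2014-05-29T13:22:30 bob 203.0.113.45 success
2014-05-29T14:05:12 carol 10.1.4.90 success
2014-05-30T02:17:33 carol 198.51.100.7 failure
2014-05-30T02:18:01 carol 198.51.100.7 success
"""

# Assumed asset inventory (hypothetical): which user normally uses which host.
HOST_TO_USER = {"ws-101": "alice", "ws-204": "bob", "ws-317": "carol"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def matches_domain(url, domain):
    """True if the URL's host is the indicator domain or a subdomain of it."""
    host = urlparse(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def hosts_that_visited(proxy_log, domain):
    """Return {host: earliest visit time} for hosts that reached the domain."""
    first_seen = {}
    for line in proxy_log.splitlines():
        ts, host, url = line.split(maxsplit=2)
        if matches_domain(url, domain):
            t = parse_ts(ts)
            if host not in first_seen or t < first_seen[host]:
                first_seen[host] = t
    return first_seen


def exposed_users(first_seen, host_to_user):
    """Translate per-host exposure times into per-user exposure times."""
    exposed = {}
    for host, t in first_seen.items():
        user = host_to_user.get(host)
        if user and (user not in exposed or t < exposed[user]):
            exposed[user] = t
    return exposed


def suspicious_logins(auth_log, exposed):
    """Flag successful logins by exposed users, after their exposure time,
    from an IP that user had never successfully logged in from before it."""
    records = []
    for line in auth_log.splitlines():
        ts, user, ip, result = line.split()
        records.append((parse_ts(ts), user, ip, result))
    # Baseline: source IPs each exposed user used before giving up credentials.
    baseline = {}
    for t, user, ip, result in records:
        if user in exposed and t < exposed[user] and result == "success":
            baseline.setdefault(user, set()).add(ip)
    flagged = []
    for t, user, ip, result in records:
        if (user in exposed and t > exposed[user] and result == "success"
                and ip not in baseline.get(user, set())):
            flagged.append((user, ip, t.isoformat()))
    return flagged


def triage(proxy_log=PROXY_LOG, auth_log=AUTH_LOG, domain=INDICATOR_DOMAIN):
    """Run the full correlation and return the list of suspect logins."""
    exposed = exposed_users(hosts_that_visited(proxy_log, domain), HOST_TO_USER)
    return suspicious_logins(auth_log, exposed)


if __name__ == "__main__":
    for user, ip, when in triage():
        print(f"review account {user}: login from {ip} at {when}")
```

The baseline here is built only from logins that precede the exposure, so the script treats a user's first post-exposure login from a new address as suspect; in practice you would seed that baseline from a longer history than one day of logs, and you would also look at failed attempts from the same new addresses, since an attacker with freshly stolen credentials often stumbles on a second factor or a locked account before succeeding.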
The response companies take to a potential breach should be tailored to the individual organization, since the threats posed by an attack will vary, depending on the company, Dooley said.
"It's really about finding something (a response) that's appropriate for that particular company," Dooley said. "The larger struggle we have in security is understanding the problems in a nuanced way and an appropriate way for the company that we're working with."