When hackers feel heckled by cyber defenders, they scrape even ‘old’ data to wreak revenge. Protect yourself with these safety tips …

Judging by recent cybersecurity incidents where 500 million LinkedIn profiles have been put for sale on a popular hacker forum (with another two million records leaked as a proof-of-concept), it seems like the rich scraped data on social media platforms is in great demand by the dark forces.

In light of public listing (in the Dark Web) of scraped user data from Facebook, LinkedIn and Twitter, one expert, Paul Prudhomme, Head of Threat Intelligence Advisory, IntSights, noted: “The severity of this incident lies not so much in the data points themselves but in their potential use in attacks on enterprises via their employees, as well as the sheer volume of data.”

According to him, most of the data points in this leak (email addresses or phone numbers), are less sensitive in and of themselves, compared to other data points like passwords, dates of birth, and Social Security numbers.

However, Prudhomme added a qualifier: attackers could use the bits of personally identifiable information (PII) for reconnaissance or in spam, phishing, or other social engineering attacks on social media users.

“The ultimate goal of many such attacks would probably be to gain access to enterprise networks themselves via compromises of their employees’ accounts or devices. Such attacks may be more likely to succeed due to the rise of remote-working and the increased use of home or personal devices for work due to the pandemic. Attacking companies via their employees’ personal accounts and devices is one way for attackers to work around enterprise network security defenses,” said the threat intelligence advisor.

Tips for social media safety

According to Jacqueline Jayne, Security Awareness Advocate, KnowBe4 (APAC): “Data scraping is a technique in which a computer program extracts data from human-readable output coming from another program. This kind of information is publicly visible on a website. What we are seeing here is a large database or collection of this data being sold for nefarious reasons. A data breach on the other hand is where no publicly-visible information is stolen via unauthorized methods.”

What can scammers and hackers do with this so-called scraped information that is deemed harmless by the social media platforms in downplaying this phenomenon they created? According to Jayne, hackers can piece together your phone number, LinkedIn ID, full name, email address, and links to your other social media profiles, professional titles and other work-related data to target you for social engineering, spam marketing and account takeovers. 

In instances where an authentication check via phone is made, an organization may ask verification questions, and hackers posing as the victims of leaked data may be able to answer those questions with a profile built around subsequent stalking using that data.

With that said, the security awareness advocate offers some standard insights and best practices here for users to bear in mind the next time they offer personal data on social media platforms:

  • Update your LinkedIn password and make sure you have activated 2-Factor Authentication (2FA). There are three options to choose from and if you do not have a physical security key, go with the second option and set up a third-party authentication app such as Google Authenticator which will generate a six-digit code to support your login. 
  • Take this opportunity to update other passwords, check privacy settings and set up 2FA in every social media platform you are a part of.
  • Check to see if your email address(es) have been involved in this or any past data breach).
  • Be hyper-vigilant if you are asked to share or confirm any of your personal information via incoming communication channels such as SMS, phone calls and emails.  If you are making direct outgoing contact via official channels (phone or app or website) to your bank, telco, healthcare provider etc. the verification process is safer as you have made contact with them, and not the other way around! 
  • Remember that scammers and hackers will create very convincing emails that appear to originate from well-known brands. If you do receive such an email, do not click on anything, reply to it or open any attachment. Leave your inbox, go to your internet browser and search for the official website and pick up the phone to validate the email.
  • ALL Social media users should be more sceptical than usual of unexpected messages or calls that they receive at phone numbers or email addresses associated with their accounts, particularly if those messages contain links or attachments. Even though the incident does not appear to have affected passwords, users in general should enable 2FA, multifactor authentication, and change their complex passwords REGULARLY, regardless of how safe they think they are.
  • Keep up to date with emerging and innovative hacker tactics, techniques and procedures that can counter almost every safety measure: read CybersecAsia.net content and subscribe to its newsletter.

It is natural for us to sometimes feel complacent and take a gamble online when we are in a certain mood. We must be thinking: Everyone else is practising cyber hygiene now that hundreds of millions of people have been stung: “Hey, that is herd immunity…” right? Errr… NO. Please lead the way by showing exemplary e-discipline yourself, and encourage them to do their small and crucial part.

Finally, please take a moment to think about how much information we share about ourselves across social media, the internet and the sheer volume of previously breached data that is available. There is a high chance that our online profiles are robust and full of information that can be used against us by the scum of the Dark Net.

Stay digitally safe, not complacent, folks!