Social Media

Information

• Name: Social Media

• ID: T1593.001

• Tactics: TA0043

• Technique: T1593

Introduction

Social Media (T1593.001) is a sub-technique under the MITRE ATT&CK framework's "Search Open Websites/Domains" technique (T1593). Adversaries leverage publicly accessible social media platforms to gather intelligence, identify potential victims, map organizational structures, and prepare targeted cyber-attacks. Social media platforms, such as LinkedIn, Facebook, Twitter, Instagram, and others, provide adversaries with rich sources of information that can significantly enhance reconnaissance efforts.

Deep Dive Into Technique

Adversaries utilize social media platforms to gather extensive information about individuals, organizations, and their associated networks. Common technical details and methods include:

• Information Gathering: Attackers collect personal details, employment history, job titles, email addresses, phone numbers, interests, and social connections.

• Mapping Organizational Structures: Using publicly available profiles, attackers can reconstruct organizational charts, identify key personnel, and understand reporting structures.

• Identification of Technical Infrastructure: Posts, images, or discussions may inadvertently reveal details about internal technologies, software versions, or security practices.

• Social Engineering Preparation: Information obtained from social media can be used in spear-phishing campaigns, impersonation, and other targeted social engineering attacks.

• Automated Scraping Tools: Adversaries may deploy automated scripts or tools to systematically scrape large volumes of publicly accessible data from social media platforms.

• Monitoring and Tracking: Attackers may continuously monitor social media for updates, changes in employment, upcoming events, or other actionable intelligence.

When this Technique is Usually Used

Social Media reconnaissance is typically employed during the early stages of an attack lifecycle, primarily during the reconnaissance and initial access phases. Specific scenarios include:

• Pre-Attack Reconnaissance: Adversaries gather intelligence prior to initiating phishing campaigns or targeted attacks.

• Social Engineering Campaigns: Information gathered from social media is frequently used to craft convincing spear-phishing emails or messages.

• Credential Harvesting Attacks: Attackers may identify potential targets and their personal details to facilitate credential theft or account takeover attempts.

• Advanced Persistent Threat (APT) Operations: Sophisticated threat actors use social media intelligence to support long-term espionage activities, infiltration, and persistent reconnaissance.

• Supply Chain Attacks: Attackers identify third-party vendors, partners, or suppliers through social media connections to target vulnerable points within an organization's supply chain.

How this Technique is Usually Detected

Detection of adversarial reconnaissance via social media involves proactive monitoring, user awareness, and technical controls. Effective detection methods include:

• Social Media Monitoring Tools: Utilize commercial or open-source tools to monitor mentions of organizational assets, personnel, and sensitive information.

• User Awareness Training: Educate employees about risks associated with oversharing information, recognizing suspicious connection requests, and reporting unusual activity.

• Behavioral Analysis: Implement analytics to detect abnormal patterns of access or scraping activities on organizational social media accounts.

• Honeypot Profiles: Deploy fictitious or monitored social media profiles to detect reconnaissance activities or suspicious interactions.

• Indicators of Compromise (IoCs):

  • Sudden increase in connection requests from unknown or suspicious profiles.

  • Fake profiles impersonating employees or executives.

  • Unusual patterns of repeated profile views or scraping attempts.

  • Reports from employees of suspicious interactions or messages on social platforms.

Why it is Important to Detect This Technique

Early detection of social media reconnaissance is crucial due to the significant risks and impacts it presents, including:

• Enhanced Social Engineering Attacks: Detailed personal or organizational information increases the effectiveness of spear-phishing and impersonation attacks.

• Credential Theft: Adversaries can leverage gathered information to guess passwords, security questions, or perform account takeovers.

• Operational Security Risks: Exposure of sensitive internal details can compromise organizational security posture and operational effectiveness.

• Reputational Damage: Successful attacks facilitated by social media reconnaissance can result in significant reputational harm and loss of stakeholder trust.

• Financial and Data Loss: Attacks enabled by social media intelligence gathering can lead to data breaches, financial fraud, and operational disruptions.

Proactive detection and mitigation strategies significantly reduce these risks and enhance overall organizational resilience.

Examples

Real-world examples demonstrating the use of social media reconnaissance include:

• APT34 (OilRig):

  • Utilized LinkedIn profiles to identify and target employees within critical infrastructure sectors.

  • Crafted highly personalized spear-phishing emails based on detailed employment information.

  • Resulted in successful credential harvesting and initial access to sensitive networks.

• Lazarus Group:

  • Leveraged social media platforms to identify cryptocurrency exchange employees.

  • Conducted targeted spear-phishing campaigns using personal details obtained from social media profiles.

  • Successfully infiltrated networks, leading to substantial financial losses and sensitive data theft.

• FIN7 Cybercrime Group:

  • Monitored social media to identify executives and IT administrators at retail and hospitality companies.

  • Crafted targeted phishing campaigns using detailed personal and professional information gathered from LinkedIn and Facebook.

  • Resulted in major data breaches, financial fraud, and significant operational disruptions.

• Operation Sharpshooter:

  • Attackers used LinkedIn profiles to target defense contractors and government agencies.

  • Created convincing spear-phishing emails leveraging detailed organizational and personal information.

  • Achieved successful infiltration and persistent access to sensitive networks.

These examples highlight the critical role social media reconnaissance plays in enabling sophisticated cyber-attacks.