Group 3 students in INFSYS 3848 (Introduction to Information Security) examined the implications of social media for spear phishing. The group identified an often-overlooked aspect: the ability of malicious actors to target victims right on social media platforms!
Their web-based presentation is here: http://umsl.edu/~jdrmcf/
Executive Summary of their report:
In this report, we address the serious issue of spear phishing. While standard phishing has been around for quite some time and has become less prevalent, a new form of phishing – ‘spear phishing’ – is becoming increasingly popular. In this particular form of phishing, attackers utilize a clever, manipulative tactic known as ‘social engineering’ on a specifically targeted user. With the growth of social media, attackers have learned that personal pages can not only be a great resource for information on their targets, but can also be used as a means to attack end users. This new point of attack is particularly effective as most users simply do not expect to be phished through their personal pages on social media, nor is it regularly touched on as a part of security awareness programs or included in existing measures of phishing prevention.
In order to combat this folly, we have devised a system intended to help educate the end user with an approach more interactive than existing programs. Specifically, our program focuses on the social media aspect by demonstrating exactly how much information can be collected through public social media pages. The program will also pair employees in order to have them perform information searches on one another with the intent of facilitating direct participation and active learning, as well as adding an entertainment factor. To further drive the issue home, participants will also be allowed to launch their own harmless, simulated attacks through personal social media pages to see first-hand just how frequently end users fall for spear phishing attempts. Finally, to keep with the interactive, enjoyable theme, our program encourages rewarding employees for participation in some form.