All Those Innocuous Social Media Quizzes are Hacker Goldmines

We’ve all seen them on Facebook, maybe even done them ourselves: viral social media quizzes. Perhaps it was about the top 10 concerts you’ve attended or a dozen fun facts people might not know about you. Innocent though they may seem, these social media quizzes can put you in the crosshairs for attackers, both physical and cyber. They are a prime example of over-sharing sensitive data online, which has grown rampant with the advent of social media.
In the spirit of National Cyber Security Awareness Month, we’re shining on the light on this ubiquitous issue. Its one of the most prevalent and most preventable.

Over-sharing not limited to viral quizzes or trends. Posting publicly about vacations, family, personally identifiable information (PII), or your physical location can, in some cases, put you at risk. Most people know not to post pictures of their credit cards (you’d be surprised) or disclose sensitive login of financial information, but a surprising number of people post their phone numbers, home address and more on social media. After all, the networks encourage users to fill out every possible field on their profile, including some of the more sensitive ones.
Attackers can use this data in three main ways:

Bruteforcing passwords

Hackers look for any information that they could use to guess passwords. Oftentimes, it doesn’t take much. The most commonly used password in 2016 was “123456,” followed by “123456789.” Attackers can simply try the first 25 most common passwords and succeed a whopping 50% of the time. Passwords are often only marginally more complex than that; a dog’s name or a street name paired with “123.” Attackers use automated tools to test combinations of keywords — things you might have happily disclosed in you social profile — to rapidly guess thousands of combinations of passwords.
Hackers also use data gleaned through over-sharing to guess security questions and break into accounts that way. Security questions are often things like the name of your first pet, the street where you grew up, your highschool mascot, your favorite author or you childhood hero. They sound strikingly like viral social media quiz questions, don’t they?

Social engineering attacks

Any information you posts on social media can also be used by an hacker as they craft a social engineering attack. Armed with your personal information, an attacker is well-equipped to customize a message for you that looks legitimate. For example, if a hacker knows you’ve been to a Radiohead concert, the message, “did you see Radiohead’s newest song? Just dropped today!” will have a much higher chance of success. Attackers drive users to phishing pages and malware exploits with this tactic. The message will be even more effective if it’s coming from a fake account impersonating someone you know, or, better yet, the real account of a connection after it’s been hijacked. For an attacker, these are both added benefits.

Physical theft

People love to post photos of their vacation. If an attacker knows where you live — a surprisingly easy thing to figure out in the social media age, especially if you list it on your profile, enable geolocation of your posts or have ever posted photos from in or around your house — they will have all the information they need to break in and take whatever they want. We suggest waiting until you are home to post and intentionally using language to imply you are not abroad.
We’re not advocating you stop posting on social media altogether. Rather, be careful what you share, and take a second to think about the potential consequences before shouting that information into the public forum of social media

ZeroFOX