Security efforts in both public and private organizations place a heavy emphasis on protecting their infrastructure from internal and external adversaries. These organizations spend billions each year on technology defenses. This approach was viewed as sufficient prior to the global social media explosion.

• 4.62 billion people globally use social media.

• In 2021 alone, nearly half a billion users worldwide joined social media.

• 70% of Americans use social media.

Social media serves as the primary form of communication and information sharing in the modern world. This conscious decision has given “job security” to malevolent actors,’ generating $3 billion in annual revenue for criminal actors.

Threats and vulnerabilities in the digital space manifest long before an organization’s network defenses can predict and defend against them. The digital world continues to be an insider risk blind spot. Bad actors are keenly aware of this and capitalize on it. Today’s bad actors are malicious opportunists looking for the path of least resistance to executing an attack, and social media has cleared the path.

The World Wide Web: A Digital Playground

To understand a little more about the weaponization of the digital realm it’s helpful to return to the basics, breaking down the World Wide Web (WWW). This helps to understand the digital playground — comprised of the Surface Web, Deep Web, and Dark Web — which malevolent actors are operating in.

The Surface Web comprises 4% of the internet and is what most of us are accessing on a day-to-day basis. The data housed here is indexed by search engines and easily accessible unlike in the other layers of the web. This is where Google is housed. You will also find news outlets, blogs, and social media on the Surface Web. The Deep Web forms 95% of the internet and involves data that is not indexed by search engines. This content cannot be indexed because they cannot access it without logins, or the content is stored behind firewalls.

Some examples of this can include cloud services, online banking, paid subscription-based online media sites, educational websites, Government websites, medical records, video-on-demand services (i.e., Netflix, Amazon Prime, HBO Max).

The Dark Web is comprised of sites hidden from general view that need to be accessed via TOR (The Onion Router). TOR websites have unique, encrypted URLs and afford users anonymity. This area of the web is the nerve cell of the illegal marketplace. It is where you find things like PII, illegal drugs and unregistered weapons for sale, human trafficking, organ harvesting, etc.

The waters between the Deep and Dark Web are often muddied, and the terms often used incorrectly in place of the other. The basic difference between the two is that the Deep Web can be accessed through credentials and authorization, while the Dark Web needs a special browser and software. Furthermore, data within the Deep Web is not hidden where data within the Dark Web is encrypted as its sole purpose is anonymity.

Social Media: A New Attack Vector

Society is now conditioned to primarily function — work, communicate, attend school, form relationships, etc. — in the digital world, largely via social media. The intention behind social media platforms, as they were originally created, was to share information, foster connection, and creativity amongst users, and allow for the creation and promotion of user-generated content (UGC). Many assume these platforms are safe spaces to communicate and share information. 

For a portion of users across social platforms this is true. Unfortunately, bad actors of varying sophistication continue to weaponized social media, bringing grave harm to not only individuals and organizations, but also critical infrastructure.

Perhaps the most notable example of the digital world being weaponized involves the social media war Russia launched against the United States. This multifaceted digital assault on the United States involved everything from targeted misinformation and disinformation campaigns aimed at influencing the 2016 U.S. Presidential Election, to executing a malware attack on 10k+ Twitter users within the U.S. Department of Defense, and a Russian Intelligence official infiltrating a social media group under the rouse of a 42-year-old American housewife.

Digital Dumpster Diving

Prior to the birth of social media, adversaries meticulously gathered human intelligence (HUMINT) on through travel, articles, public events, and old fashioned, boots on the ground surveillance. In the digital age, social media has become the primary HUMINT reconnaissance tool, a digital dumpster dive of sorts.

Individuals take to social media sharing intimate details of their personal and professional lives, educational background, political views, location, interests, etc. According to Tessian’s How to hack a human study:

• 59% of people post photos/names of children.

• 38% of people post about birthday celebration.

• 30% of people post names/photos of pets.

• 27% of people post names/photos of partner

• 93% of people post employment updates.

• 36% of people post information about their company, job, colleagues, boss, etc.

• 32% of people post updates and photos during business trips.

• 26% of people post information about clients.

This information is often not restricted by privacy settings and is available for public consumption. In fact, around 55% of people do not have any privacy settings activated at all, the study found.

The FBI continues to sound the alarm, issuing warnings to those who hold (or have held) security clearances about Foreign Intelligence Services targeting the U.S. and its interests via robust social media reconnaissance efforts that ultimately inform social engineering attacks.

We’ve already seen this play out in practice on multiple occasions. A notable example involves ex-U.S. Army Pilot, and now Ex-Defense Contractor, SHAPOUR MOINIAN plead guilty to selling secrets to China surrounding the United States proprietary aviation technology. MOINIAN was initially contacted by a woman who claimed to work for a technical recruiting company, offering him an opportunity to consult for the aviation industry in China.

The FBI highlights this case as being illustrative of China’s extensive use of social media as a reconnaissance tool to identify those with access to classified information, and ultimately launch a social engineering attack.

Social Engineering

The breadcrumbs that individuals and organizations leave on social media inform the insidious psychological manipulation at the root of social engineering and reverse-social engineering attacks. Social engineering provides a pathway to gaining insider access into an organization’s network and data. 74% of organizations were targeted with social media-based social engineering attacks in 2021.

In a social engineering attack, bad actors gather these breadcrumbs and weaponize them, manipulating someone into sharing sensitive information to gain access to secure networks, physical spaces, etc. They establish fake personas that appeal to their targets, befriend them, and begin to establish trust with the goal of the target divulging confidential information and delivering malware or sophisticated phishing attacks.

The pretense of a reverse-social engineering attack is similar, but the implementation is different. Unlike in a “traditional” social engineering attack whereby the bad actor approaches their target, in a reverse-social engineering attack, the target is the one to first initiate contact with the bad actor. Psychological manipulation takes a slightly different form in a reverse-social engineering attack as well.

Instead of gathering the breadcrumbs using them to inform communications with the target, bad actors use these breadcrumbs to build personas appealing to the target, making them lower their guard and, ultimately, enticing them to initiate contact.

The human element of social engineering makes it one of the top forms of insider risk. Organizations can have the most sophisticated technology defenses in place, and at the end of the day, it does not matter. At its core, insider risk is a human behavior problem — a people problem — not a technology problem.

Bottomline, people are oversharers. In broadcasting personal information, and sharing personally identifiable details about others, on social media individuals are effectively creating virtual dossiers on themselves, teeing themselves up to be exploited.

No one is above falling victim to a social engineering attack. A notable example of a social media-based social engineering attack involves U.S. Navy Admiral James Stavridis — NATO’s Supreme Allied Commander — who unwittingly fell victim to a social engineering impersonation attack orchestrated by China. Military Leaders, as well as Intelligence and Government officials throughout the world received “friend” requests from Stavridis on Facebook and accepted, believing it was Stavridis who was known to use social media both personally and professionally.

In accepting this “friend” request these Global Leaders provided China with access to a myriad of both personal information (i.e., phone numbers, email addresses, photos, names of family and friends, etc.). The U.S. Intelligence Community and NATO assert that China was able to initiate their reconnaissance operation into Stavridis’ life, and subsequent social engineering impersonation attack through information gleaned on social media from Stavridis, his colleagues, his friends and family. NATO has yet to confirm or deny the successful leak of U.S. or global military intelligence resulting from this attack.

Following the Digital Breadcrumbs

What happens to all those digital breadcrumbs we leave behind? Well, it becomes part of the world of Open- Source Intelligence (OSINT). OSINT is used to describe publicly available information gathered from the Web to inform the investigative process and intelligence cycle.

There is immense value in utilizing OSINT, and its younger sibling Social Media Intelligence (SOCMINT), in insider risk identification and prevention. To avoid bias and yield maximum results, a two-pronged solution comprised of initial exploitation via commercial, automated data OSINT/SOCMIT aggregators, coupled with a secondary human review is critical.

The emergence of SOCMINT as generator of OSINT contributes significantly to public safety and security. SOCMINT specifically refers to overt, publicly available, user generated content (UGC) across social media platforms, social networking sites, forums, blogs, image sharing platforms, vide-sharing sites, gaming platforms and peer-to-peer social communication platforms. Users of these platforms tend to transfer their online behaviors offline into the ‘real world.’ Because of this, SOCMINT provides a unique perspective into an area that other intelligence streams do not.

The Social Media Exploitation Controversy

Ethical and legal considerations surrounding bias, privacy rights, and violations of civil liberties are leading concerns around social media exploitation (SOMEX), sparking controversy in both the public and private sectors. Employers, in principle, are not prohibited from analyzing publicly available, open-source information in support of proactive threat mitigation efforts, as well as predicated investigations.

In fact, it’s already standard practice for Intelligence Analysts and Investigators to gather OSINT from publicly available sources to produce actionable intelligence. Incorporating an analysis and exploitation of overt and publicly available UGC across social media platforms serves as a forced multiplier in identifying those who may be sharing information/content, or forming connections with individuals that puts themselves and/or their workplace in a compromising position, opening the door for exploitation by adversaries.

The global social media explosion, and subsequent use of social media as an attack vector, furthers the argument that organizations can no longer avoid SOCMINT analysis as part of their proactive risk mitigation efforts.

This is not to say the very valid concerns surrounding bias, privacy rights, and violations of civil liberties should be discounted. Instead, we must develop and adapt proactive risk mitigation efforts incorporating the evolving digital landscape with strict guidelines to minimize ethical and legal concerns. This can be achieved in a few ways:

1. Develop clear SOMEX policies, directing the use of solely overt, open-source, publicly available UGC. One does not have a reasonable expectation of privacy to content they make public to others. Examining content that exists behind privacy walls or requiring employees to give employers access to their social media accounts, is not part of the strategy.
2. Establish clear policies, guidance and training surrounding civil liberties considerations (i.e., constitutionally protected speech) to practitioners who will be examining SOCMINT.
3. Use a third-party commercial SOMEX aggregation tool to drive SOCMINT gathering efforts versus.

Analysts and Investigators ‘Googling’ to reduce bias. This inevitably sparks the question, “If OSINT/SOCMINT is available to everyone, can’t we just use Google?”

The short answer is bias exists in your results when you ‘just Google’ something. Using a third-party commercial aggregation tool reduces bias. Search engines index content much like the index of a book. Unlike a book, however, the results yielded by a search engine query are biased. In fact, over 90% of the internet isn’t even available to you by search engines.

Bottom line, the results revealed to you when conducting a query via Google will be impacted, and are biased, and targeted to you specifically based on several different factors such as: IP address, browser history, device, etc. Search engines are revealing what they want you to see based on the digital profiles they have created of you as a result the digital trail you left behind.

A Shared Responsibility Forward

We cannot afford for social media to continue being an insider threat blind spot.

The public and private sectors persistent denial and inaction around taking seriously the weaponization of social media as a new attack vector only continues drives technical solutions that discount the insurmountable and evolving risks posed by the digital world. The fallout from not properly managing and mitigating digital risk can result in irreparable damage to both individuals and organizations alike. After all, doing things ‘the way they’ve always been done’ and expecting different results is quite literally the definition of insanity.

Governments, as well as public and private institutions, now have a unique and shared responsibility to react and adapt their risk mitigation approaches when society adopts new communication methods to ensure people, critical infrastructure, and national security, for that matter, are safeguarded.

The views and opinions expressed are that of the author and not those of the FBI or any other U.S. government agency. This publication has been reviewed by the FBI’s Prepublication Review Office and was approved for publication in August 2022 (PPR 22-407).