I wrote a year ago about Social Media and identity theft. In that post, I discussed information leakage and how bad actors could use that for stealing someone’s identity. There are other off-label uses for social media platforms including business competitive analysis, actual spying, and a place for covert operatives to help secure their assumed identities.
It is only natural that businesses want to learn about their competition: they read other companies’ annual reports and SEC filings, they watch news wires, and they analyze competitors’ websites, among other things. But social media can provide a treasure trove of data through the same information leakage I discussed in the earlier post.
One avenue for the leakage is job posting sites. If a company posts an opening for, say, a marketing director in a company or region where they do not currently operate, it may indicate an expansion. A posting for a software developer experienced in the Internet of Things (IoT), it may indicate the development of products in that area.
Likewise, employees can unintentionally leak information on a social site. They may ask or answer questions about technologies not usually associated with their employer. Or they may just a little too much on a slide-sharing site or a video platform. In researching this post, I found some specific examples in an older post on forbes.com; there are clearly more options now.
On a similar note, attackers can use these sites to discover titles and job roles at companies they want to attack. They can select employees for spear phishing attacks, for example. Or they might forge emails from a manager to her employees. Before the prevalence of social media, company employee lists were often considered confidential. Now a search on LinkedIn (and I am using them only as an example. They are only one such site. I am a LinkedIn user and have no intention of saying anything negative about them here) or other platforms can help one generate a partial list short order.
Both corporate and more conventional spies understand that one essential (and in many cases the core) technique is something called “HUMINT” or human intelligence. What better place to connect to people is through social media? A LinkedIn connection request may appear to come from a potentially valuable business contact, but may indeed come from a spy of either type.
The requester could appear to have an impressive resume and multiple contacts. When was the last time you actually took the time to verify a LinkedIn contact request? It may be very difficult. Will a company verify that a person actually works there? If you message one of their contacts, wouldn’t a bogus one verify the individual’s identity?
And don’t think this is limited to LinkedIn; a connection could be on any number of platforms. In fact, a request on multiple platforms might make it more believable!
And once you accept such a contact, you may inadvertently share information with that spy. Personally, I have few, if any, Facebook contacts I do not know personally (I am connected to people with whom I work, but have only communicated with via email, for example). I don’t share much on LinkedIn outside of a few groups where I am aware people I do not know could see the information.
Spies need cover identities or “legends”. If you wanted to build a profile that people could believe, social media would be a great option. You could use a real photo and everything else could be bogus. This was discussed briefly in an article in the International Business Times which also discusses other social media by intelligence services.
Social Media is clearly for more than cute cats and rants about politics. It has serious uses for both good guys and bad guys. Being aware of these uses can make them safer for organizations and individuals.
To your safe computing.