A Twitter API vulnerability shipped in June 2021 (and later patched) has come back to haunt the organization. In December, one hacker claimed to have the personal data of 400 million users for sale on the dark web, and just yesterday, attackers released the account details and email addresses of 235 million users for free.
Information exposed in the breach includes users’ account names, handles, creation dates, follower counts and email addresses. Combined, these details let threat actors build social engineering campaigns that trick users into handing over further personal data.
While the information exposed was limited to users’ publicly available information, the high volume of accounts exposed in a single location provides threat actors with a goldmine of information they can use to orchestrate highly targeted social engineering attacks.
Twitter: A social engineering gold mine
Social media giants offer cybercriminals a gold mine of information they can use to conduct social engineering scams.
With just a name, email address and contextual information taken from a user’s public profile, a hacker can conduct reconnaissance on a target and develop purpose-built scams and phishing campaigns to trick them into handing over personal information.
“This leak essentially doxxes the personal email addresses of high-profile users (but also of regular users), which can be used for spam harassment and even attempts to hack those accounts,” said Miklos Zoltan, Privacy Affairs security researcher. “High-profile users may get inundated with spam and phishing attempts on a mass scale.”
For this reason, Zoltan recommends that users create different passwords for each site they use to reduce the risk of account takeover attempts.
The link between social engineering and API hacks
Insecure APIs provide cybercriminals with a direct line to users’ personally identifiable information (PII), usernames and passwords, which are captured when a client connects to a third-party service’s API. API attacks therefore give attackers a window to harvest personal data for scams en masse.
This happened just a month ago when a threat actor successfully applied to the FBI’s InfraGard intelligence-sharing service, used an API vulnerability to collect the data of 80,000 private-sector executives, and put it up for sale on the dark web.
Information collected during the incident included data such as usernames, email addresses, Social Security numbers and dates of birth — all highly valuable information for developing social engineering scams and spear phishing attacks.
Unfortunately, it appears that this trend of API exploitation will only get worse, with Gartner predicting that this year, API abuse will become the most frequent attack vector.
Beyond APIs that ‘just work’
Organizations, too, are increasingly concerned about API security, with 94% of technology decision-makers reporting they are only moderately confident in their organization’s ability to materially reduce API data security issues.
From now on, enterprises that leverage APIs need to be much more proactive about baking security into their products, while users need to take extra caution around potentially malicious emails.
“This is a common example of how an unsecured API that developers design to ‘just work’ can remain unsecured, because when it comes to security, what is out-of-sight is often out-of-mind,” said Jamie Boote, associate software security consultant at Synopsys Software Integrity Group. “From now on, it’s probably best to just delete any emails that look like they’re from Twitter to avoid phishing scams.”
Protecting APIs and PII
One of the core challenges around addressing API breaches is the fact that modern enterprises need to discover and secure thousands of APIs.
“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use,” said Chris Bowen, CISO at ClearDATA. “It’s a lot for organizations to manage, but the risk is too great not to.”
There’s also a slim margin for error, as a single vulnerability can put user data directly at risk of exfiltration.
“In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport and exchange security, and trusted connectivity,” said Bowen.
It’s also important that security teams not make the mistake of relying solely on simple authentication options such as usernames and passwords to protect their APIs.
“In today’s environment, basic usernames and passwords are no longer enough,” said Will Au, senior director for DevOps, operations and site reliability at Jitterbit. “It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth.”
Other steps, like deploying a Web Application Firewall (WAF) and monitoring API traffic in real time, can help detect malicious activity and reduce the chance of compromise.
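As an added example (not code from the article or from any vendor quoted in it), the kind of API traffic monitoring mentioned above: a sliding-window detector over constructed access-log lines that counts how many distinct user records each client key fetches within a window, which is how bulk harvesting of account data stands out from ordinary polling. The log format and the `/api/users/lookup/` path are assumptions, not a real service’s API.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<timestamp> <client_key> <method> <path>".
# key-aaa re-reads a single record; key-bbb walks six different records in seconds.
SAMPLE_LOG = """\
2023-01-05T10:00:00 key-aaa GET /api/users/lookup/alice
2023-01-05T10:00:01 key-aaa GET /api/users/lookup/alice
2023-01-05T10:00:02 key-bbb GET /api/users/lookup/u1001
2023-01-05T10:00:03 key-bbb GET /api/users/lookup/u1002
2023-01-05T10:00:04 key-bbb GET /api/users/lookup/u1003
2023-01-05T10:00:05 key-bbb GET /api/users/lookup/u1004
2023-01-05T10:00:06 key-bbb GET /api/users/lookup/u1005
2023-01-05T10:00:07 key-bbb GET /api/users/lookup/u1006
2023-01-05T10:15:00 key-ccc GET /api/users/lookup/bob
"""

# Hypothetical log layout; the lookup path is an assumption for this example.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /api/users/lookup/(\S+)$")


def parse(log: str):
    """Yield (timestamp, client_key, record_id) for each user-lookup request.
    Lines are assumed to be in chronological order, as a raw access log is."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, key, _method, rec = m.groups()
            yield datetime.fromisoformat(ts), key, rec


def flag_harvesters(log: str, window: timedelta = timedelta(minutes=1), max_distinct: int = 5):
    """Return {client_key: peak number of distinct records seen inside `window`}
    for clients that exceed max_distinct. Distinct records are counted rather
    than raw requests, so a client polling one record is not flagged."""
    recent = defaultdict(deque)  # client -> deque of (ts, record_id), oldest first
    peak = defaultdict(int)
    for ts, key, rec in parse(log):
        q = recent[key]
        q.append((ts, rec))
        while q and ts - q[0][0] > window:  # drop requests that fell out of the window
            q.popleft()
        peak[key] = max(peak[key], len({r for _, r in q}))
    return {k: n for k, n in peak.items() if n > max_distinct}


if __name__ == "__main__":
    for key, n in flag_harvesters(SAMPLE_LOG).items():
        print(f"{key}: {n} distinct user records inside one window")
```

In production the same logic would run over a streaming log source and feed a rate limiter or alert, with the window and threshold tuned to the endpoint’s legitimate usage.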