A Twitter API vulnerability reported in June 2021 (and subsequently patched) has come back to haunt the company. In December, a hacker claimed to have the personal data of 400 million users for sale on the dark web, and just yesterday the attackers released account details and email addresses of 235 million free users.
Information exposed in the breach included account name, username, creation date, number of followers, and email address. Taken together, these fields let threat actors build social engineering campaigns that trick users into handing over further personal data.
While the exposed information is limited to users’ publicly available details, having so many accounts collected in one place gives threat actors a goldmine they can use to stage highly targeted social engineering attacks.
Twitter: A social engineering goldmine
Social media giants provide cybercriminals with a goldmine of information they can use to carry out social engineering scams.
With just names, email addresses, and contextual information pulled from a user’s public profile, hackers can conduct targeted reconnaissance and craft scam campaigns designed to trick those users into providing personal information.
Miklos Zoltan, security researcher at Privacy Affairs, said: “This leak essentially exposed the personal email addresses of famous users (as well as those of ordinary users), which could be used for spam, harassment and even attempts to hack those accounts. High-profile users can be inundated with spam and large-scale phishing attempts.”
For this reason, Zoltan recommends that users create a different password for each website they use, to reduce the risk of account takeover attempts.
The connection between social engineering and API hacking
Insecure APIs give cybercriminals a direct line to users’ personally identifiable information (PII), including usernames and passwords, captured when a client connects to a third-party service’s API. As a result, API attacks give attackers an opportunity to harvest personal data for fraud at scale.
This happened just a month before a threat actor successfully registered on the FBI’s intelligence-sharing service InfraGard and used an API vulnerability to collect data on 80,000 private-sector executives, which was then offered for sale on the dark web.
The information collected in that case included usernames, email addresses, Social Security numbers, and dates of birth: all highly valuable material for developing social engineering scams and phishing attacks.
Unfortunately, this API mining trend looks set to get worse, with Gartner predicting that this year API abuse will become the most frequent attack vector.
Beyond the ‘just work’ APIs
Organizations are also increasingly concerned about API security, with 94% of technology decision-makers saying they have only moderate confidence in their organization’s ability to significantly reduce API data security incidents.
From now on, businesses that use APIs need to be much more proactive about building security into their products, while users need to be extra vigilant about potentially malicious emails.
“This is a common example of how an unsecured API that developers design to ‘just work’ can remain unsecured, because when it comes to security, what’s out of sight often goes unnoticed,” said Jamie Boote, software security consultant at the Synopsys Software Integrity Group. “From now on, it’s probably best to simply delete any emails that look like they’re coming from Twitter to avoid being scammed.”
Protect APIs and PII
One of the core challenges in addressing API breaches is that modern businesses need to discover and secure thousands of APIs.
“There is a lot for organizations to manage, but the risk is too great not to do it,” said Chris Bowen, CISO at ClearDATA.
There is also little margin for error, as a single flaw can expose user data directly.
“For example, in the healthcare sector, where patient data is at stake, every API must address several components such as identity management, access management, authentication, authorization, data transmission and exchange security, as well as reliable connections,” said Bowen.
It’s also important that security teams don’t make the mistake of relying solely on simple authentication options like usernames and passwords to protect their APIs.
“In today’s environment, basic usernames and passwords are no longer enough,” said Will Au, senior director of DevOps, site operations and reliability at Jitterbit. “It is important now to use standards like two-factor authentication (2FA) and/or secure authentication using OAuth.”
Other steps, such as deploying a Web Application Firewall (WAF) and monitoring API traffic in real time, can help detect malicious activity and reduce the potential for compromise.
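The monitoring step above is easy to state and harder to picture, so here is an added example (not code from the article or from any of the companies quoted) of the kind of detector a security team might run over API access logs. Both the log format and the `/users/lookup?email=` endpoint are assumptions chosen to resemble a lookup-by-email API; the log lines are constructed. The detector flags any client that queries an unusually large number of distinct email addresses within a sliding time window, which is the traffic signature of the mass data harvesting the article describes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Constructed sample log (hypothetical format: timestamp, client id, method, URL, status).
# app-17 looks up six different addresses in five seconds (enumeration pattern),
# app-42 looks up only its own address, app-99 spreads three lookups over eight minutes.
SAMPLE_LOG = """\
2023-01-05T10:00:01Z client=app-17 GET /1.1/users/lookup?email=alice%40example.com 200
2023-01-05T10:00:02Z client=app-17 GET /1.1/users/lookup?email=bob%40example.com 200
2023-01-05T10:00:03Z client=app-42 GET /1.1/account/verify_credentials 200
2023-01-05T10:00:03Z client=app-17 GET /1.1/users/lookup?email=carol%40example.com 404
2023-01-05T10:00:04Z client=app-42 GET /1.1/users/lookup?email=self%40example.com 200
2023-01-05T10:00:04Z client=app-17 GET /1.1/users/lookup?email=dave%40example.com 200
malformed entry that the parser must skip
2023-01-05T10:00:05Z client=app-17 GET /1.1/users/lookup?email=erin%40example.com 200
2023-01-05T10:00:06Z client=app-17 GET /1.1/users/lookup?email=frank%40example.com 200
2023-01-05T10:00:30Z client=app-42 GET /1.1/users/lookup?email=self%40example.com 200
2023-01-05T10:05:00Z client=app-99 GET /1.1/users/lookup?email=gina%40example.com 200
2023-01-05T10:07:00Z client=app-99 GET /1.1/users/lookup?email=hank%40example.com 200
2023-01-05T10:09:00Z client=app-99 GET /1.1/users/lookup?email=ivy%40example.com 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    parsed = urlparse(m["url"])
    # parse_qs percent-decodes, so "alice%40example.com" becomes "alice@example.com".
    email = parse_qs(parsed.query).get("email", [None])[0]
    return {
        "ts": ts,
        "client": m["client"],
        "path": parsed.path,
        "email": email,
        "status": int(m["status"]),
    }


def detect_enumeration(lines, window_seconds=60, threshold=5):
    """Return {client: max distinct emails seen in any window} for clients at or above threshold.

    Lookups that returned 404 still count: probing for non-existent accounts is part of
    enumeration, and a 404 confirms to the caller that no account uses that address.
    """
    events = [
        e for e in (parse_line(line) for line in lines)
        if e and e["path"].endswith("/users/lookup") and e["email"]
    ]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(deque)  # per-client sliding window of lookup events
    alerts = {}
    for e in events:
        window = recent[e["client"]]
        window.append(e)
        # Drop events that fell out of the window relative to the newest event.
        while (e["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
            window.popleft()
        distinct = len({x["email"] for x in window})
        if distinct >= threshold:
            alerts[e["client"]] = max(alerts.get(e["client"], 0), distinct)
    return alerts


if __name__ == "__main__":
    for client, count in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {client} looked up {count} distinct emails within 60s")
```

With the defaults, only `app-17` is reported. A client that paces its lookups more slowly (like `app-99`) evades a short window, which is why such detectors are usually run with several window sizes and combined with per-client rate limits rather than relied on alone.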