Alleged Twitter Vulnerabilities Could Adversely Affect Law Firms
Law firms ended 2019 deeply concerned with the sophistication of social engineering: spear phishing, whaling and a continual onslaught of similar cyber attacks through email scams caused millions of pounds' worth of losses within the legal sector last year.
Security firm Insinia has now orchestrated attacks on a number of high-profile celebrity Twitter accounts to highlight perceived flaws in the service.
As many marketing-savvy firms reopen following the festive break, the potential hack, which could cause reputational damage to their business, will be a worrying development.
Insinia claim that there is a clear vulnerability with any account that attaches a public mobile phone number, or where smartphones are used to upload content to the account.
The company further explained that by analysing the way Twitter interacts with smartphones when messages are sent, it was able to take control of the account and post anything, including malicious content, without the user’s consent or knowledge.
It believes that the flaw could be used to send direct messages to trusted contacts. Any law firm using this form of social media to market or interact with consumers could be vulnerable to attacks, with malicious messages being posted that could discredit the company.
Additionally, receiving direct messages from a trusted source could encourage and persuade employees to comply with the messages posted by the fraudster.
In a bid to highlight the problem, Insinia hacked into the private accounts of Louis Theroux and Eamonn Holmes with the message “This account has been temporarily hijacked by Insinia Security.”
Insinia have stressed that any account with a public mobile number should remove it immediately.
The whole process will also make many people think twice before sending messages via their smartphone, especially if it could impact on the credibility of their business.
Professor Alan Woodward, from the University of Surrey, said: “Interfering with many people’s accounts in this way is irresponsible.
“As frustrating as it might be for the researchers in question when Twitter maintain this functionality that can be abused, unauthorised interference with accounts is unacceptable.”
Professor Peter Sommer, from Birmingham City University, said: “Some cyber-security professionals had lobbied to allow unauthorised access in special circumstances, for example to improve security.
“But at the moment the only exceptions are for the police and intelligence agencies.”
Mike Godfrey, chief executive of Insinia, said that the company’s interaction with the celebrity Twitter accounts was only “passive” and had operated within all legal parameters.
“Nothing has been maliciously hacked. We have not had access to any Twitter account and have not seen any of their direct messages. There’s nothing unethical or irresponsible about what we did.”
As the cobwebs are dusted from the computer monitor following the festive break, companies using social media should also ensure that their cyber security considers the vulnerabilities that these marketing channels can create.
Have you experienced any hacks through social media? How much damage could a hack of this kind cause to your firm’s reputation?