3 January 2019

Pinning The OSINT To The Board

Joe Gray



Continuing the conversation about Open Source Intelligence (OSINT) collection across social media, it is worth discussing Pinterest. While it is not as verbally intimate as LinkedIn, Instagram, Twitter and Facebook, Pinterest is a board-based platform that allows users to "pin" images and links to their topical boards. Users can pin other users' pins to their own boards. Organizations and people can use Pinterest as a marketing tool by pinning images from their website to boards or by adding the Pin It widget to their site so that others can do so.


Where does the security threat come into play? To begin with, as on other social media platforms, people reuse the same username. This allows attackers to locate victims on other platforms and correlate data. What other platforms do they use? If the username is the same, it will be easy to find out. Intel Techniques and Pipl both have username searching features. Keep in mind that many platforms will not allow users to change their username more than a couple of times, if at all. For example, on Facebook, if a victim changes their display name but not their username, an investigator or attacker could still ascertain the victim's name, and vice versa if the username changes but the display name does not.
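As an added illustration of the reuse problem above (example code written for this page, not from the article or any tool it mentions), the script below takes an inventory of a person's own accounts and reports which handles would be linked together by a username search. The account inventory is constructed sample data, and the normalization rule (ignoring case and the separators `.`, `_`, `-`) is an assumption chosen to show that small cosmetic variations of a handle still correlate.

```python
"""Self-audit for username reuse across platforms.

Added example, not from the original article. Given an inventory of your own
accounts, report handles that are identical, or differ only by case and
separators, across platforms: those are the ones a username search ties together.
"""
import re
from collections import defaultdict

# Constructed sample inventory (platform -> handle). These are not real accounts.
ACCOUNTS = {
    "pinterest": "joe.gray",
    "twitter": "Joe_Gray",
    "instagram": "joegray",
    "linkedin": "jgray-infosec",
    "facebook": "joe.gray",
}


def normalize(handle):
    """Collapse case and common separators so 'Joe_Gray' and 'joe.gray' compare equal.

    The separator set is an assumption for this example; adjust it to taste.
    """
    return re.sub(r"[._-]", "", handle.lower())


def find_reuse(accounts):
    """Return {normalized_handle: [platforms]} for handles seen on more than one platform."""
    groups = defaultdict(list)
    for platform, handle in accounts.items():
        groups[normalize(handle)].append(platform)
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


def exposure_report(accounts):
    """Human-readable lines, one per reused handle, listing the platforms it links."""
    return [
        f"handle '{handle}' links {', '.join(platforms)}"
        for handle, platforms in sorted(find_reuse(accounts).items())
    ]


if __name__ == "__main__":
    for line in exposure_report(ACCOUNTS):
        print(line)
```

Run against your own inventory, every line the report prints is a set of profiles an investigator could chain together from a single handle; the LinkedIn entry in the sample stays out of the report because its handle does not normalize to the others.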

Speaking of correlation, an attacker can take a victim's work information from LinkedIn, their Facebook check-ins, the celebrities they follow on Twitter and their cubicle from Instagram, and combine these with their Pinterest boards to further profile them. This tactic is common in social engineering attacks. The actors that perpetrate these attacks are typically not run-of-the-mill cybercriminals; they are typically sophisticated adversaries with more time and technique to perform the reconnaissance. Less sophisticated adversaries will "spray and pray", meaning they do not do any in-depth research on the targets but rather just send the emails and hope that someone falls for them.

The next threat for Pinterest is that the attacker can get an idea of the victim's browsing history. How? Simply by reviewing the victim's boards. It is not 100% certain that the victim went to the website; they may have pinned it from someone else's board. In the chance that they did, the attacker now has a website or domain to spoof (impersonate) to get the victim to click and/or visit. If the attacker can build rapport with the victim and get them to the attacker's boards, the attacker could drive them to false websites that seek to steal their credentials or serve them malware. To be honest, I am not sure how much effort Pinterest puts into checking links for malware and malicious activity, so stay tuned for that. I will be researching this soon. I have also found that there is a Python library for interacting with the Pinterest API, which will also get researched.

The final and most obvious threat to using Pinterest is the attacker's ability to view all of the victim's boards and what is pinned to each. Does the victim subscribe to a fad diet like Keto or Paleo? Do they pin Instant Pot or Air Fryer recipes? Do they have a fashion board? What about an upcoming wedding board? Perhaps the victim has a board of bodyweight exercises for people who travel frequently.


To put this to the test, I selected a random popular pin from the Pinterest home page and navigated to that user's boards. The pin was about exercising. Notably, I found other boards for places they would like to visit, food, social justice, art, books, kids' stuff, camping and money. From that non-exhaustive list, I can think of several pretexts (industry lingo for ruses) to use in both phishing and vishing (voice phishing) that would build rapport without any further context. If I took the time to get to know what is on this user's boards, I could speak more closely to their likes, dislikes or aspirations. Knowing these things means that I could build deeper rapport faster and be able to influence this person into doing something harmful.

In conclusion, awareness is the front line of defense in using Pinterest, as with all other social media platforms. Taking steps to make it harder for an adversary to profile you and your family greatly reduces the potential impact. There is nothing wrong with posting information about yourself or your family, but you must think of the potential outcomes and how to mitigate them. With regard to usernames, that issue is not exclusive to Pinterest but still requires forethought; it is a problem that many people (myself included) did not factor in when creating MySpace and Facebook accounts.

With regard to your boards and the pins on them, consider how you could be targeted based on what each board reveals. Pinterest does have a secret board feature. I also understand that, similar to a private profile on Twitter, it somewhat defeats the purpose of having an account, unless you are one who likes to snoop or lurk.
