Advisory for Safe Social Media Account Administration

As Bhutan is currently under lockdown, all citizens are heavily reliant on information and news from government and media social accounts/pages on Facebook, Twitter and other platforms. In the past, cybercriminals have hacked into the social accounts of many Bhutanese individuals, businesses and organisations such as Voice of Bhutan, Actor Tshering Gyeltshen and, more recently, Yee Getaway, to name a few.

Cybercriminals are increasingly targeting pages with a large number of followers in order to gain access and extort money from the owners, send malicious links to their followers, or spread fake news and unwanted information on the compromised pages. In times like these, if the official social media pages of the Ministry of Health (MoH) or the Prime Minister’s Office (PMO) were compromised, legitimate notifications and news on COVID and lockdown efforts could be tampered with, causing disharmony in the community. Very few owners or administrators of an organisation’s social media page know how to regain control after their account has been compromised, let alone how to effectively prevent a security attack in the first place. It has become imperative for owners and administrators of official social media pages to be aware of the associated security risks.

The Bhutan Computer Incident Response Team (BtCIRT), Department of IT and Telecom (DITT) would therefore like to advise all official social media page owners and administrators to adhere to the following guidelines and recommendations:

Phishing Attack
Phishing is the most common tactic used by hackers to target unsuspecting users. In one common method, administrators receive links through emails, instant messages and chats citing ‘suspension’ of their account and asking them to “log in” or “authorize” the social media account. When the link is clicked, the page asks for your password and other credentials. Most victims fall for this and end up handing their credentials to the hackers.
The following are recommendations for averting phishing attacks that request login credentials through emails or messages:

  • Never provide passwords and usernames in response to unsolicited links, chats and messages. Doing so grants access to your accounts and can result in your social media account being taken over. Note that the account provider will always request a password change or re-authorization directly on its own website.
  • Never click on links that are suspicious or too good to be true, especially links in random emails or messages.
  • Always limit the number of administrators and applications that have authorized access to your social media accounts. This helps minimize your attack surface.
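A practical way to apply the advice above before clicking is to check where a link actually points. The following Python script is an added example and not part of the BtCIRT advisory; it assumes a page owner keeps a small allow-list of the platforms they actually use (the TRUSTED_DOMAINS set below, constructed for this example) and treats a link as trustworthy only when its host is that domain or a genuine subdomain of it. A trusted platform's name appearing anywhere else in the host, credentials embedded before an "@", or a plain http link are all flagged.

```python
from urllib.parse import urlsplit

# Allow-list of legitimate platform domains (assumption for this example:
# the page owner maintains this list for the services they use).
TRUSTED_DOMAINS = {"facebook.com", "twitter.com", "instagram.com", "google.com"}


def host_belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_link(url):
    """Return (verdict, reason) for a link received in an email or message."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return ("suspicious", "not a normal web link")
    if parts.username is not None:
        # In 'https://facebook.com@evil.example/' the real host is after the '@'
        return ("suspicious", f"credentials in URL; real host is {host}")
    trusted = any(host_belongs_to(host, d) for d in TRUSTED_DOMAINS)
    if not trusted:
        # A trusted platform name used as a subdomain or prefix of another
        # domain is the classic lookalike pattern.
        if any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
            return ("suspicious", f"host {host} imitates a trusted platform name")
        return ("untrusted", f"host {host} is not a known platform")
    if parts.scheme != "https":
        return ("suspicious", f"plain http link to {host}")
    return ("trusted", f"host {host} belongs to a known platform")


if __name__ == "__main__":
    # Constructed sample links for demonstration only.
    for link in [
        "https://www.facebook.com/hacked",
        "https://facebook.com.login-verify.example/reauth",
        "http://www.facebook.com/",
        "https://facebook.com@evil.example/",
    ]:
        print(link, "->", assess_link(link))
```

Only the host part decides the verdict; the path and query string are ignored because an attacker controls those freely on their own domain.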

Password Management

  • Ensure multi-factor authentication is enabled through SMS or an authenticator app on your phone. Ensure it is enabled for both the social media account and the linked email account. Refer to "Two-Factor Authentication: Who Has It and How to Set It Up" (see References) for how to set up two-factor authentication on different platforms such as Facebook, Twitter, Instagram, etc., so that there is a second layer of protection for your account.
  • Pick a strong password that is unique and random. Use a combination of numbers, upper- and lower-case letters and special characters such as $, #, !, etc., with a length of at least 14 characters (as advised by security benchmark organisations). The password should be different from any other password you use elsewhere on the internet. Don’t use your name and birth year!
  • Do not reuse passwords across accounts! If one is known, all the other accounts can be compromised, as hackers will often use the stolen password in combination with your email address to gain unauthorized access to your other accounts.
  • Consider using a password manager to avoid reusing passwords. Third-party password managers such as KeePass, Dashlane, Keychain Access for macOS, etc., are available and may offer better security than the default browser password managers offered by Chrome, Safari, Firefox, etc., which are very convenient but have their own set of weaknesses and may not be fully trusted.
  • Change your password regularly, and especially if you have proof of or suspect unauthorized access to your account; in that case, change the password immediately. The account provider will usually send an email about the recent change along with the location of the login, from which you can confirm whether it was you or not. Remember to stick to the strong password policy mentioned above.
  • Always log out of the page when you use a computer or phone you share with other people. Do not check the “Remember Me” option when logging in from a public computer, as this will keep you logged in even after you close the browser window.
  • Think before you authorize any third-party app to access your account. Third-party apps introduce risks that can lead to a data breach, and granting access weakens your account’s security and privacy. Therefore, understand which permissions are requested and what the app does with the data it can access, and limit the permissions to the minimum possible. Remove apps that ask for excessive rights, along with any that are no longer needed.
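The password rules above (at least 14 characters, a mix of digits, upper- and lower-case letters and special characters, no personal details, and no reuse across accounts) can be checked mechanically. The Python below is an added example, not code from BtCIRT or any password manager; the list of special characters, the personal-term check and the account inventory used for the reuse check are assumptions constructed for this example. It uses the standard library's secrets module to generate a password that satisfies the policy.

```python
import secrets
import string

# Policy from the advisory: length >= 14 with digits, upper- and lower-case
# letters and special characters. SPECIALS is an assumed set for this example.
MIN_LENGTH = 14
SPECIALS = "$#!@%&*?-_+="


def check_password_policy(password, personal_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_terms are strings such as a name or birth year that must not appear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    return problems


def generate_password(length=20):
    """Generate a random password that satisfies the policy, using a CSPRNG."""
    length = max(length, MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject the rare candidate that misses a character class.
        if not check_password_policy(candidate):
            return candidate


def find_reused(accounts):
    """Given {account_name: password}, return groups of accounts sharing a password."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(group) for group in by_password.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    print(check_password_policy("Tshering1990!", ["Tshering", "1990"]))
    print(generate_password(20))
    print(find_reused({"facebook": "Same-Pass-1234!", "gmail": "Same-Pass-1234!",
                       "twitter": "Other-Pass-5678?"}))
```

In practice the reuse check belongs inside a password manager, which already knows every stored password; the function is shown here only to make the "one password per account" rule concrete.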

Since social media accounts are linked to our emails, it is important to secure our email accounts. Follow Google’s security recommendations (see References) to make your Google Mail account more secure. In case of suspicious activity, follow Google’s instructions to spot the suspicious activity, get back into your account, and make it more secure. For other email accounts, research or contact the email administrator for the relevant guides/instructions to secure your email accounts.

Avoid Browser and Cookie Attacks:
These attacks can give hackers a means of obtaining social media credentials. Therefore, adopt the following recommendations to avoid such attacks:

  • Access your social media accounts only from trusted and clean machines, and log out of social media accounts after each browser session.
  • Always use a secure connection (HTTPS) when logging in.
  • Allow only trusted devices to access your social media, and ensure those devices are running anti-malware software at all times.

In case a hack has occurred, respond immediately:

  • Reset the passwords of the account and of associated accounts such as your email. If you use the compromised password on any other site, change it there as well.
  • If the hacker has changed your password, try to regain access by using the “Forgot your password” option. This lets you recover the account in several ways: enter the email address you used to register, any secondary email address you added, or your phone number.

After you have reset your password, contact the respective social media platforms and try to regain total control by reporting the hacked accounts:
Facebook: https://www.facebook.com/hacked
Twitter: https://support.twitter.com/forms/signin
YouTube: https://support.google.com/youtube/answer/76187?hl=en
Instagram: http://help.instagram.com/368191326593075

References:
https://www.pcmag.com/how-to/two-factor-authentication-who-has-it-and-how-to-set-it-up
https://support.google.com/accounts/answer/46526?hl=en
https://www.proofpoint.com/sites/default/files/pfpt-en-how-to-stop-social-media-hacks-whitepaper.pdf
https://johnopdenakker.com/how-to-create-strong-passwords/
https://johnopdenakker.com/browser-password-managers/
https://johnopdenakker.com/security-and-privacy-risks-of-3rd-party-apps/
https://www.phishing.org/10-ways-to-avoid-phishing-scams