Phishing is a well-known cyber threat in today’s digital world. For years, cyber criminals have successfully stolen the personal details of internet users through malicious websites and links sent via email. As cyber security develops, users and technologies get smarter. Most employees are now aware of the dangers of following links sent from unknown sources online. Similarly, anti-phishing solutions are widely available to block spam or phishing content from reaching email inboxes. However, as the world becomes ultra-mobile, these protections are no longer adequate.
Mobile has created a powerful new channel for hackers to exploit and carry out malicious phishing attacks. The information-sharing nature of social media sites has made them ideal channels for malicious bodies to impersonate or compromise the accounts of reputable organizations. Hackers can then build trust and con other users into disclosing sensitive information. Preying on this weakness and abusing the trust of users has proven to be a much more effective form of phishing than email-based equivalents, with up to 66% of spear-phishing attacks on social media sites said to be opened by their intended targets. In 2017 Facebook disclosed that up to 270 million accounts were illegitimate, while Twitter identified over 70 million fake and suspicious accounts earlier this year. Many anti-phishing solutions, however, still fail to protect against social media-based attacks. What’s more, many users remain unaware of the dangers that may be lurking in their newsfeed.
WhatsApp has become one of the most commonly used channels for social media phishing attacks. While one of the most popular smartphone apps in the world, it has also become one of the riskiest and most commonly blacklisted apps by enterprises due to the high volume of phishing messages currently in circulation. Generally, messages will warn or offer advice to the user about upcoming changes to the app. They will then urge the user to share the message with their contacts. This social engineering tactic immediately gains the user’s trust, as the warning comes from a friend or family member. Therefore, they have no reason to doubt the content of the shared message.
In July, Corrata reported on two such scams, the ‘Martinelli’ video and the introduction of ‘WhatsApp Gold’. Since then, however, several new attacks have come to light. WhatsApp users in countries including the US, Norway, India, and Pakistan have reported receiving a message offering a free pair of Adidas trainers to celebrate the 93rd anniversary of the brand. The message directs them to a legitimate-looking website where, instead of claiming the new shoes, entering their credit card information signs them up for a $49.99 monthly subscription service.
LinkedIn is a social media platform that has become extremely popular for phishing attacks in recent years. This is likely due to the assumption of most users that all members are professionals looking to make connections. Earlier this month, Corrata reported on the types of scams currently targeting the trust of LinkedIn users by posing as other members as well as the service itself.
At the core of every phishing scam is the attempt to look legitimate and gain the trust of the victim. One of the easiest ways of doing this is to pose as a friend or well-known brand. Facebook is an ideal platform for such an attack. Users have been found to be more comfortable clicking on links, downloading apps or divulging personal information having been prompted by someone they assume to be a friend.
A common Facebook scam involves the hacker sending a friend request to a user and once accepted, then posting a message to the victim’s wall with a link and an intriguing message such as “Jump on this unbelievable offer before it’s too late!”. The victim is brought to a seemingly legitimate Facebook login screen. The page asks them to re-enter their username and password. What the user does not know however is that this page does not belong to Facebook. It in fact has copied their login credentials and given the hacker access to their account. Once a hacker has control over the user’s account they can then repeat the process and target other users.
Facebook Messenger is also becoming a popular channel for sending links to this imitation login page, disguised as a YouTube video shared by a friend. Just last week, it was also discovered that a weakness in Facebook’s “View As” feature could have allowed hackers to take control of over 50 million user accounts. The most troubling aspect of this scam is the fact that once a hacker gains control of one online account, accessing the user’s other accounts becomes easier due to the common reuse of the same username and password across multiple accounts.
All social networks, especially Twitter, provide the perfect channel for sharing machine-generated content due to their access to extensive personal data, bot-friendly API, colloquial language and use of shortened URLs. Brands often use social media to distribute content and engage with customers. However, it also creates the ideal platform for machine-generated phishing attacks. Commonly, Twitter phishing campaigns take the form of correspondence from accounts posing as well known brands or as Twitter itself.
In 2016, a study found that 19% of social media accounts appearing to represent top brands were fake, with many of these posing as customer support accounts on Twitter. Many customers now prefer to seek support from brands over social media rather than through traditional channels. Therefore, users should note that only verified accounts have blue checkmark badges.
They should also watch out for slight misspellings or variations in user handles. For example, @AmazonHelp is Amazon’s legitimate support account, whereas @Amazon_Help was a fake account used to steal personal information from users. Earlier this year an ad was found to be circulating on Twitter that claimed users could have their account verified by clicking on the link supplied. Users would then be brought to a page that looked extremely similar to Twitter’s official login page. The page would then ask users to enter their login details, contact information and follower count. Of course, as on Facebook, this page was fraudulent and hackers had designed it to steal the user’s information.
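The handle check described above can be automated for a support or security team triaging inbound messages. The following is an added example written for this article, not Corrata's own code: it compares each sender against a list of the brand's genuine handles, folding the separators and digit-for-letter swaps that lookalike accounts rely on, so @Amazon_Help and @Amaz0nHe1p are both flagged as imitations of @AmazonHelp. The verified list, the fold table and the sample senders are constructed assumptions (@TwitterSupport stands in for any other genuine account).

```python
# Constructed list of the brand's genuine support handles. @AmazonHelp is named in
# the article; @TwitterSupport is an assumption standing in for any other real account.
VERIFIED_HANDLES = ("@AmazonHelp", "@TwitterSupport")

# Constructed fold table: digits impersonators swap for letters, plus the
# separators that handles such as "@Amazon_Help" insert. Extend as needed.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                      "_": "", ".": "", "-": ""})

def canonical(handle: str) -> str:
    """Lower-case and strip the leading '@' (platform handles are case-insensitive)."""
    return handle.strip().lstrip("@").lower()

def fold(handle: str) -> str:
    """Canonical form with look-alike characters folded, so '@Amazon_Help' and
    '@Amaz0nHelp' both become 'amazonhelp' and compare against the real handle."""
    return canonical(handle).translate(FOLD)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means 'one or two character tweaks away'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_handle(handle: str, verified=VERIFIED_HANDLES, max_distance: int = 2):
    """Return ('verified', real) for a genuine handle, ('lookalike', real) for one
    within max_distance of a genuine handle after folding, else ('unknown', None)."""
    for real in verified:
        if canonical(handle) == canonical(real):
            return "verified", real
    best = None
    for real in verified:
        d = edit_distance(fold(handle), fold(real))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, real)
    return ("lookalike", best[1]) if best else ("unknown", None)

def flag_senders(handles):
    """Triage a batch of senders; returns only those imitating a genuine account."""
    return [(h, real) for h in handles
            for label, real in [classify_handle(h)] if label == "lookalike"]

if __name__ == "__main__":
    # Constructed sample of senders seen in a support conversation.
    for sender, imitates in flag_senders(["@AmazonHelp", "@Amazon_Help", "@Amaz0nHe1p", "@CorrataHQ"]):
        print(f"{sender} resembles {imitates} but is not the verified account")
```

A handle reported as 'unknown' is not necessarily safe; it simply does not resemble any account on the verified list, so the blue checkmark check still applies.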
Now with over 1 billion active monthly users, Instagram has quickly become one of the most popular social networks in the world. Inevitably however, this has made the platform a prime target for spear-phishing attacks. Like Facebook and Twitter, hackers gain users’ trust by masquerading as friends or followers. They then post links to malicious or phishing websites on their account or via direct messages. Extremely convincing fake login pages are then used to collect account credentials. What is most worrying about these attacks is that victims often have no idea that hackers are targeting them. The fake page simply redirects them back to their Instagram page as if nothing happened. This means that the hacker could potentially access or take control of the account for some time without the user ever realizing that their data has been compromised, putting other accounts or sensitive data at risk.
Snapchat is a relatively new platform for phishing attacks; however, with 188 million daily active users and a mainly young teenage market, malicious attacks are increasingly common. In 2017, it emerged that a phishing attack resulted in the usernames and passwords of over 50,000 users becoming publicly visible online. The attack relied on a link sent to users through a compromised account they believed to belong to a friend. When clicked, it opened a website designed to mimic the official Snapchat login page. Hackers collected usernames and passwords, which they then made publicly available on the phishing website ‘klk.viral.org’.
What can users do?
Social networks are taking some action to detect and protect against suspicious activity like this. For example, Facebook have vowed to take steps to improve security and privacy features by requiring Two-Factor Authentication for logging in, while Snapchat have introduced the use of machine learning techniques to look for suspicious links sent within the app and block access to suspicious URLs. Security experts and social media sites have also advised users to take caution when following links. They should check that brand social media accounts have been officially verified. Users should be wary of clicking on external links regardless of their source. They should also double-check with friends and followers if suspicious of their online behavior. Lastly, users should be cautious of any special offers that seem too good to be true.
As humans however, it is inevitable that we will make mistakes. To ensure protection for our sensitive data, especially as organizations with employees using mobile devices for personal as well as business, external security is essential. Corrata’s Security and Control solution provides unparalleled protection against phishing attacks, on all platforms. Corrata detects and blocks access to any malicious or fraudulent sites. This allows employees to continue using social media with the peace of mind that their sensitive data is safe.
To find out more visit www.corrata.com or email us at firstname.lastname@example.org.