Updated as of June 12, 2019
Social media has become ingrained into many people's lives and is regularly referenced in news reports. According to a research report on social media use in 2018, 74% of Facebook users say they visit the site daily with 51% visiting several times a day.
The report also notes that the typical American uses three of the following sites on a daily basis: Twitter, Instagram, Facebook, YouTube, WhatsApp, Pinterest, and LinkedIn. Because of these trends, companies of all sizes are leveraging platforms like Twitter, Facebook, and LinkedIn for customer engagement, support, and monitoring customer sentiment.
As these platforms become more integral to our daily lives, social media has become a crucial attack vector that enterprises can no longer ignore. Compared to eCommerce and corporate websites, social media platforms contain up to 20% more avenues through which malware can be delivered to users, such as advertisements, social engineering, shares, and plug-ins.
According to a study by Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, social media-enabled cybercrime is generating $3.25B in global revenue each year.
What Are the Most Popular Types of Social Media Attacks?
Reconnaissance is an attack precursor that, when conducted passively on social media platforms, is difficult to detect. When individuals overshare personal and private information on social media networks, it can be collated and analyzed to compile a profile of their behavior. After gathering information about locations, hobbies, and relationships, a threat actor can begin to piece together a potential victim’s life and use it to craft convincing lures, such as malicious links sent from a profile impersonating someone they know. The same information may also give the attacker what they need to authenticate to other services, such as email or banking websites.
For example, how many people use a child or pet’s name in their passwords or password reset questions? How many use their year of birth? These seemingly innocuous details, when shared alone, aren’t that valuable, but when combined into a full profile they can provide the keys to unlock further parts of their digital life. Knowing the value that these tidbits of personal information have to threat actors, shrewd social media users limit the amount of personal data they publicly share to reduce its intelligence value to potential attackers.
Using a fake social media profile, cybercriminals can mimic a legitimate profile and carry out attacks both on a large scale (e.g. fake public figure profiles used to distribute mass-malware or phishing campaigns to millions of victims) and on a smaller ‘targeted’ scale. This attack is often preceded by a reconnaissance phase. These attacks can also be conducted against organizations by using fake profiles that mimic key individuals within the target organization.
In addition to mimicking legitimate individuals within an organization, perhaps acting as the CEO or CFO to instruct an employee to perform an action, some threat actors conduct catfishing attacks where they masquerade as an attractive (fictitious) individual to lure victims into divulging personal or sensitive information. Broad catfishing attacks are typically financially motivated, while catfishing attacks against employees of an organization may be motivated by gathering intelligence through virtual ‘pillow-talk’. By extracting this information, the attacker learns credentials that can be used to gain access to systems and, in more serious cases, lures the victim into a compromising situation that can be used for blackmail.
A real world example of this attack involves a man named Spas Vasilev, who created a fake account under the name Alexander Nikolov. Over the course of five years, Vasilev used the fabricated identity to scam people. At least two dozen people had willingly handed over large sums of money and shared personal details between 2015-2017. The fake Alex had established himself as a social media star, and created a sizable online following, including politicians, journalists, and public figures. Fake Alex penned numerous articles in various news outlets and even dialed in as a political commentator on national TV news programs and radio shows.
Social engineering attacks usually involve some type of psychological manipulation of unsuspecting users or employees into sharing confidential or sensitive data. Commonly, social engineering attacks occur via email or other communication that invokes urgency, fear, or similar emotions in the target, prompting the target to reveal sensitive information, click a malicious link, or open a malicious file. Attacks have become increasingly successful because attackers are creating more legitimate-looking emails, and with the prevalence of social media, an attacker can look up everything they need to know about a person and their interests.
Armed with this information gleaned from social media, they can craft an email tailored to that person, and email them directly, which increases the chances of that person clicking.
Although not a cybercrime, fake news has been a hot topic in the last few years. Troll farms attempt to subvert and influence public perceptions using social media platforms. The 2016 U.S. presidential election is the most well-known target of this tactic. Kathleen Hall Jamieson, a professor of communications at the University of Pennsylvania, notes in her book “Cyberwar: How Russian Hackers and Trolls Helped Elect a President—What We Don’t, Can’t, and Do Know” that Russian trolls created social-media posts with the intent of winning support for Trump from churchgoers and military families. Russian trolls pretended to have the same religious convictions as targeted users. The U.S. Justice Department, in connection with the Mueller probe, released an indictment of thirteen Russians working at the Internet Research Agency, a troll farm in St. Petersburg. The operatives were described as working day and night waging “information warfare against the United States of America.”
Similar to brand hijacking, the direct compromise of a social media profile, especially one that is ‘verified’ by the platform and therefore carries implicit trust, could be just as damaging as compromising an organization’s website. Given the ‘push’ nature of social media platforms, a compromised social media profile could be used to target the customers of a brand with malicious or nefarious content. Recent examples include the compromise of ‘verified’ Twitter accounts, such as Target’s in November 2018, which were used to lure customers into submitting Bitcoin in order to participate in a fake giveaway. Victims are encouraged to send '0.2 to 2 BTC' to verify their address and will get 'from 2 to 40 BTC back'. In the Target compromise, analysis of the Bitcoin wallet gave an indication of the impact: 121 inbound transactions were made in one day, resulting in a total balance of 5.86342085 BTC (approximately 36,904 USD!). A less technical scam would've no doubt increased the number of victims.
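As an added illustration (not code from the original article or its vendor), the following Python heuristic flags brand-account posts that match the giveaway lure described above, run over constructed sample posts; the account names, post text, keyword lists and severity rules are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Heuristics for the crypto "giveaway" lure quoted above: a BTC deposit range,
# a larger promised return, deposit/payout wording, and an off-platform link.
BTC_RANGE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:to|-)\s*(\d+(?:\.\d+)?)\s*BTC", re.I)
SEND_WORDS = re.compile(r"\b(send|transfer|deposit)\b", re.I)
PAYOUT_WORDS = re.compile(r"\b(back|returned?|giveaway|double|multiply)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)

@dataclass
class Post:
    account: str
    verified: bool
    text: str

def giveaway_indicators(text: str) -> list[str]:
    """Return the names of the lure indicators present in one post."""
    found = []
    ranges = [(float(lo), float(hi)) for lo, hi in BTC_RANGE.findall(text)]
    if ranges:
        found.append("btc_amount_range")
    # "send 0.2 to 2 BTC ... get 2 to 40 BTC back": a second range starting at or
    # above the first range's upper bound is the too-good-to-be-true payout.
    if len(ranges) >= 2 and ranges[1][0] >= ranges[0][1]:
        found.append("payout_exceeds_deposit")
    if SEND_WORDS.search(text):
        found.append("deposit_request")
    if PAYOUT_WORDS.search(text):
        found.append("payout_language")
    if URL.search(text):
        found.append("external_link")
    return found

def is_giveaway_lure(text: str) -> bool:
    """Flag only when an amount range, a deposit request and payout wording co-occur."""
    return {"btc_amount_range", "deposit_request", "payout_language"} <= set(giveaway_indicators(text))

def flag_posts(posts: list[Post]) -> list[tuple[Post, str]]:
    """Return (post, severity) for lures; a verified badge lends the lure credibility."""
    return [(p, "high" if p.verified else "medium") for p in posts if is_giveaway_lure(p.text)]

# Constructed sample posts (not real tweets), modelled on the lure quoted above.
SAMPLE_POSTS = [
    Post("brand_verified", True, "Holiday deals are live today! https://example.invalid/deals"),
    Post("brand_verified", True, "Giveaway! Send 0.2 to 2 BTC to verify your address and "
         "get from 2 to 40 BTC back. https://example.invalid/claim"),
    Post("brand_store", False, "We now accept Bitcoin at all of our stores."),
]
```

Run `flag_posts(SAMPLE_POSTS)` to see which of the constructed posts is reported; only the second one co-occurs all three required indicators and is rated "high" because the account is verified.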
Typically, malicious links are used to lure a victim into clicking through to a payload hosted on third-party sites, rather than the malicious content being directly available from the social media platform. One-click exploits such as those used for account takeover could easily be distributed via social media and, when clicked, could exploit the victim. A proof-of-concept (PoC) of this type of exploit is demonstrated in the Microsoft Subdomain to Account Hijack PoC.
Digital Risk Requires Digital Defense
Given all the ways that social media can be used to attack your brand, how can organizations protect themselves?
One way is to treat social media with the same level of scrutiny as other channels. Just as you teach your team about scanning email attachments before opening, reporting suspicious emails, and other security essentials, you also need to train your team about these common social media attacks. However, awareness, while important, will not be able to stop all the attacks. It is important to have a coordinated social media and digital brand protection plan in place.