“I heard this is a great phishing spot.” – Pro-scammer.
As a medium for communication, social media is a game-changer for the modern world. Its wide adoption guarantees it’s going to sit right up there with the telegram, telephone, pager, email, and the mobile phone that came before it. As more people use social media for daily interaction, the medium has attracted scammers like a carcass attracts flies, but why?
What makes social media networks so unique?
Easy like Sunday morning
Social media networks have billions of registered users, and the vast majority of them practice little to no account security. Criminals use the medium as much as everyone else, and they have mastered the art of abusing it through social engineering attacks. Arkose Labs researchers analyzed over 1.2 billion social media interactions in real time. The interactions included logins, account registrations, and payments across several key industries.
They found that 53% of all social media logins were fraudulent, and 25% of new accounts were fake. Numbers like these suggest that criminals can abuse social media platforms with little effort, using whatever form of phishing attack suits them.
Protecting your social media profile or brand from an attack is something that you’re most likely not equipped to handle. No one is. Aside from watching everything like a hawk and using tools for monitoring identity theft, no one has the time or the resources to go over every detail.
Social media network phishing 101
Social engineering attacks like phishing use digital methods for fraud, theft, and other malicious activities. Several forms of phishing can happen on any social media network. These are:
Romance scams. This type of phishing scam clones the profile of a real person, usually a service member stationed abroad. The scammer targets the most vulnerable victims: people looking for love or companionship.
Identity and credential theft. Criminals use social media platforms to launch phishing attacks. Some scammers befriend their targets and get them to divulge more personal information than they intend to. The criminals then assemble a false identity from the bits and pieces of collected data and use it for fraud. Stolen credentials are also used to launch propagation attacks.
Propagation attacks. Some phishing attacks use fake landing pages that mimic a platform's login screen and trick users into entering their credentials. When a user makes the critical error of typing in his or her login details, the criminal captures everything and gains access to the account. Once inside, the criminal can launch attacks from within the profile owner's account, targeting the entire network of contacts while posing as the user.
Data dumps. Data dumps are the result of a system-wide breach, exposing millions of user logins, passwords, credit card numbers, and other sensitive data.
Impersonation. Impersonation is the height of a social engineering attack. Scammers pass themselves off as someone with authority, building credibility and trust along the way. Impersonators with enough of a following can discredit people, damage brand reputations, or dupe followers into taking a particular action.
"419" scams or Nigerian prince scams. Scammers use social media networks to find their next victim. The "mark" receives a message from a person claiming to be either a Nigerian government official or a prince. The con is that the prince needs to move a massive sum of money out of the country and needs cash up front to pay bribes and fees. The scammers promise the target a cut once the money is out of Nigeria, which, of course, never comes.
Intelligence gathering for spear phishing and account takeover. Criminals are adept at digging up old details about their targets so they can use them to take control of accounts. A first pet's name or a favourite school teacher are typical password-reset security questions. If the scammers can dig that information out of past posts, it's game over.
URL abuse. Abusing short URLs is one of the most common types of phishing attacks, especially on platforms like Twitter. Criminals love to hide malicious links, and even C2 infrastructure, behind Twitter's URL shortener, because the shortened link reveals nothing about where it actually leads.
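The two attack types above that hinge on a link, fake login landing pages and shortened URLs, can be checked before anyone clicks. The following is an added example written for this article, not code from the original page or from Arkose Labs: it expands a shortened URL by following only HTTP Location headers (HEAD requests, so the landing page body is never downloaded or rendered), caps the number of hops so redirect loops and long chains are flagged rather than followed forever, and then checks whether the final host is a known brand domain or a lookalike of one. The brand list, the hop limit, the lookalike heuristics, and the redirect table used for the offline demo are all assumptions made for illustration; the fetcher is injectable so the same code runs against a real shortener or against the constructed table.

```python
"""Added example: expand short URLs safely and flag lookalike landing pages."""
from urllib.parse import urlparse, urljoin
import http.client

MAX_HOPS = 5  # assumption: stop after this many redirects (loops, chained shorteners)
KNOWN_BRANDS = {"twitter.com", "facebook.com", "instagram.com", "linkedin.com"}  # assumption


def head_location(url, timeout=5.0):
    """Real fetcher: HEAD the URL and return its Location header, or None if it
    is not a redirect. No body is ever fetched, so nothing from the page runs."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop.
    Returns (chain, status) with status in {'resolved', 'loop', 'too_many_hops'}."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "resolved"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: no public-suffix list,
    which is adequate for .com-style brand domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(final_url, brands=KNOWN_BRANDS):
    """'brand' if the host is the real brand domain, 'lookalike' if a brand name
    appears in some other registered domain (twitter-login.example,
    twitter.com.evil.example) or after undoing common digit/letter swaps
    (tw1tter.com), otherwise 'unknown'."""
    host = urlparse(final_url).hostname or ""
    reg = registered_domain(host)
    if reg in brands:
        return "brand"
    folded = host.replace("1", "i").replace("0", "o").replace("vv", "w").replace("rn", "m")
    for b in brands:
        name = b.split(".")[0]
        if (name in host or name in folded) and reg != b:
            return "lookalike"
    return "unknown"


def check(url, fetch=head_location):
    """Expand then classify; any abnormal redirect chain is itself suspicious."""
    chain, status = expand(url, fetch)
    verdict = classify(chain[-1]) if status == "resolved" else "suspicious_chain"
    return {"chain": chain, "status": status, "verdict": verdict}


# Constructed, offline redirect table standing in for t.co / bit.ly responses.
FAKE_REDIRECTS = {
    "https://t.co/abc123": "https://bit.ly/3xyz",
    "https://bit.ly/3xyz": "https://twitter-login.example/verify",
    "https://t.co/legit": "https://twitter.com/home",
    "https://t.co/loop1": "https://t.co/loop2",
    "https://t.co/loop2": "https://t.co/loop1",
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    for u in ("https://t.co/abc123", "https://t.co/legit", "https://t.co/loop1"):
        print(u, "->", check(u, fake_fetch))
```

Running the demo shows the shortened link that resolves to a lookalike login page, the one that lands on the genuine brand, and the redirect loop, each with the full chain so an analyst can see every hop. To use it against live shorteners, call `check(url)` without the second argument; the heuristics are deliberately simple and will produce false positives on legitimate third-party domains that mention a brand name, so treat "lookalike" as a prompt for a closer look rather than a verdict.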
Two scammers walk into a bar… … And exchange notes on the best phishing spots around.
With billions of daily active users, social media networks are the prime phishing spot for cybercriminals and pro-scammers. Don’t be a statistic, and do whatever you can to secure your accounts and keep your profile private.