Skip to main content

As users become more social, threat actors take advantage

There are currently over 200 different social media platforms on the Internet which give users the unprecedented ability to engage in discussions, publish and share content and network with others across the globe. It’s unsurprising that users are flocking to these platforms where they are sharing more information and using less discretion than ever before. In fact, between 2014 and 2015, there was an increase of 220 million new social media users and these platforms now account for 28 per cent of all internet traffic.

However, as social media becomes the preferred method of communication and content aggregation, it is also becoming a fast-growing environment for criminal activity. Threat actors are taking notice and putting organisations and their customers at risk.

There are many factors that make social media platforms attractive to threat actors. As with malvertising, social media campaigns allow them to get in front of millions of people cheaply and efficiently, and the social nature of social platforms provides an environment that improves the effectiveness of their scams. We’ve become conditioned to be wary of the tell-tale signs of a scam in platforms like email but when it comes to social media, we’re much more impulsive.

Even though members of social platforms have weakly verified authenticity, users seem to have an inherent trust in the connections they make and the groups they join – as well as a belief that popular destinations can always be trusted. Our interactions through social media take place “in the moment” and as a result, some users are even more susceptible to the same kinds of scams that happen on other channels.

Things are not always what they seem

Social media attacks often involve some form of impersonation. Threat actors create fraudulent accounts that impersonate an organisation or a department or persona therein. This tactic can include a fake official company account or an account claiming to be support, human resources, or an executive or another employee.

Impersonated accounts will partake in what appears to be normal activity such as discussion threads for Twitter and networking and posting in LinkedIn. Criminals will leverage trending topics, group memberships, or falsely claimed affiliation with trusted brands to reach targeted groups and make themselves – and their malicious activities – appear more credible.

Criminals also leverage the conventional use of URL shorteners in social media (which deter users from scrutinising URLs before clicking) and the fact that URLs are often hidden in mobile. This absence of URL transparency allows threat actors to take a user through a series of redirects without their knowledge before arriving at their final destination. Behind this complexity, traffic can start out as benign but become fraudulent or malicious in an instant. For example, introducing affiliate links or redirects to malware or credential-harvesting sites.

Waking up to the dangers of social media

It’s not only social media users who are compromised by these scams. When organisations use social media to offer customer service, recruit employees, send promotions, and transact business and exchange information with their community, rogue social media profiles impersonating the brand, or one of its executives become more than just a brand protection problem – they become a serious security problem. Savvy organisations recognise social media’s potential as another attack vector for phishing and malware distribution, and are bringing social-based threats into their security and anti-fraud programs.

How threats take place

Recently, threat actors impersonated a large bank’s customer service Twitter handle. The fake handle used the bank’s brand name in the username and stated that it was the secondary support profile set up to take on overflow from the primary customer service handle. It asked users to direct their queries to the fake handle if they did not receive a quick response from the official handle.

We have also seen other examples in which fake customer support handles actively send tweets to the customers who have posted a complaint to the official support handle. These tweets include a link for the user to click to “solve” their issue, which directs them to a phishing site masquerading as the official site and asks them to log in. One major bank was targeted by 30 new impersonating accounts phishing customers over a two-month period. Though most of these fake accounts were active for less than a day, the damage was long-lasting.

Twitter is by no means the only platform where these threats are present – at RiskIQ, we have also seen multiple instances of brand impersonation of Facebook and LinkedIn.

The solution

Rogue social activity is no longer a human-addressable problem. The vastness of social media both in terms of platforms and traffic, the short lived nature of many of the scams and the continual change in tactics require sophisticated automation and machine-learning techniques to allow organisations to detect and respond in time.

Effective security and fraud prevention strategies cannot treat social media independently from other digital channels. Threat actors use the interconnectivity of today’s digital world to increase their reach by using multiple channels to conduct fraud, distribute malware and carry out other abusive activities. Cross-promoting their attack vectors among web, mobile and social channels maximises each attack’s impact.

Businesses need to adopt technologies that will allow them to contextualise the full extent of the threats that impact their brand and customers across all digital channels through a single pane of glass. By adopting a scalable threat-detection solution, businesses can continuously analyse large volumes of social media content in real-time to discover and remediate social threats.

Ben Harknett, VP EMEA, RiskIQ

Image Credit: underverse /Shutterstock