Thursday, 19 August 2021

How Phishing Got Social

There’s a new attack vector in town: social media. Social is currently the fastest-growing type of phishing attack. Here’s what you need to know.

There’s a new attack vector in town: social media. Social is currently the fastest-growing type of phishing attack. Here’s what you need to know.

We’ve covered phishing many times here on the Grant McGregor blog. We think it’s important to do so, because we all need to stay vigilant against the phishers – and, to do that, we need to keep up to date with what the new threats look like.

That’s why the latest research about phishing attacks is so worrying: it indicates that phishing is going beyond its traditional channel of email to expand – rapidly – on social media.

Phishing has gone social

Phishlabs found that the number of phishing attacks using social media rose by 200 percent in 2018. This compares against a growth of 40.9 percent of phishing attacks in general during the same period.

We’ve highlighted, in an earlier post, the focus on Office 365 of many phishing attacks. Microsoft is the #1 spoofed brand in phishing attacks – probably because of its attraction, given the widespread use of Office 365.

The same report showed that Facebook was the third most-impersonated brand in phishing attacks in Q2 2019 – showing a 175.8% increase from Q1. Twitter and Instagram phishing attacks were also shown to be rising sharply.

Why are attackers turning to social?

Malicious phishing expeditions are being increasingly carried out on social media platforms for a variety of reasons.

Social phishing is more effective

Around 66 percent of spear phishing attacks on social media sites are opened by their targets (according to a report by ZeroFOX). This compares to a 30 percent success rate for spear phishing emails (based on findings by Verizon).

Credentials can be exploited widely

The popularity of both the Facebook and Twitter social logins, which allow users to use their social IDs to log into and sign up for other iOS and Android apps, is thought to be a key part of the attraction for hackers. Phishers who, for example, gain access to a user’s Facebook login would be able to use those stolen credentials to access all the associated apps.

Phishers can exploit the trust of friends and family

Impersonation plays a huge role in phishing activity. This often plays two ways; first, by impersonating a brand to steal credentials or otherwise compromise a user’s account. Second, in multi-phase attacks, where compromised accounts are used to fool friends and associates or other brands into sharing more valuable data or, even, share funds directly.

What phishing scams should users be wary of when using their social accounts?

Phishing scams on social media fall into several broad categories:
• Impersonation
• Credential theft
• Intelligence gathering for spear phishing
• Propagating further attacks from compromised accounts

As with most hacking activity, users need to be wary of:
• Unexpected or unfamiliar attachments
• Clicking on links from unknown sources – especially dressed up as clickbait
• Usernames and links that aren’t what they seem
• Entering competitions and quizzes which are created only to harvest your data (such as the unravelling Cambridge Analytica scandal on Facebook)
• Fake friends or followers (and, especially, any links they share)

Phishlabs says, “Abusing short URLs is nothing new when it comes to phishing attacks, but it is becoming more prevalent on Twitter”. It’s another reason to think twice before clicking on any kind of link – but especially shortened links where the destination URL isn’t immediately obvious.

The ingenious ways phishers are using social

Phishlabs also warns that some malicious actors even host their C2 attack (command and control attack) infrastructure on the social media platform.

Furthermore, Vade Secure warns of increasingly sophisticated and obfuscated methods of attack. It says there has been a rise of ransomware being delivered by phishing emails – most notably, the Sodinokibi ransomware which was shared via a fake email.

Meanwhile, threat-detection software producer Akamai has highlighted another hard-to-detect threat. Hackers hid the phishing URL by embedding zero-width characters into it, so that it evaded Microsoft’s URL reputation check and Safe Links URL protection.

There are also numerous reports of the widespread use of phishing websites that have SSL encryption – lending an extra level of credibility to the phishing approach. Users need to be wary; just because a site displays SSL credentials, that doesn’t necessarily mean it’s not part of a phishing scam.

What can you do about these new social attack vectors?

Education is the first line of defence when it comes to the new social approach to phishing. This means both staying abreast of the latest techniques deployed by the phishers and also cascading that knowledge throughout your organisation.

If you’d like help and advice about how to do this, we’ll be publishing a follow-up blog soon with details. In the meantime, please reach out to the Grant McGregor team directly for more information.

Contact us on: 0808 164 4142