At the height of social media adoption, users willingly shared everything from the lunch they just ate to the exact places they visited throughout the day. While some of this has been reduced as consumers learned how sharing private information could impact their privacy, many people still hide these kinds of updates behind basic security controls. This is just one of the reasons that a flurry of activity has slid into people's DMs, and led to the $19 billion dollar sale of Whatsapp, $1.7 billion raised by Telegram, and longevity of Snapchat.
So what happens when social networks create a sense of trust and security, especially when consumers have to approve connections first, and threat actors get involved? A very messy rendition of BEC attacks. Unlike email where a threat actor attempts to spoof an address, when a threat actor breaches a social media account they gain all the perceived trust a person has with the account. From there, the threat actor can spread their phishing lures from person to person to person, creating a wider net.
What's more, this is only scratching the surface, as social media is also a haven of private information that can be used in spearphishing attacks, other social engineering, and even romance scams.
Social Media's Inherent Trust
One of the more vicious social engineering tactics a threat actor abuses is our relationships with other people. Be it a CEO or manager to their employee, a parent to a child, or even an old school chum, a compromised social media account brings with it inherent trust.
Like phishing attacks through email, if a threat actor sees success, they are going to continue on with their campaign until they need to tweak it. For nearly a decade now, people have received DMs and private messages that include phrasing like “is this you?" or “is this a photo of you?" followed by a link.
This link, of course, goes to a fake credential page that would easily trick most users into signing back in to see if there was in fact a photo of them. The victim hands over their credentials and then it's game over. The victim thinks the page is just not working, they forget about the message, and go on with their life. Then, at some random interval, the threat actor strikes by breaching their account and spreads their phishing page further.
How do the initial accounts get breached though? It can be as simple as a password reuse campaign, to compromised plugins or apps, through to a phishing campaign yielding stolen credentials. Then, the process goes on and on, further replicating and expanding the damage.
One of the largest concerns associated with social media phishing attacks is that unlike email, the connections you make on social media are more selective to begin with. Slot this in with lacking internal security controls, and social engineering attacks will continue to thrive on social media.
Information Gathering: Just a Click Away
If there is one thing you should take away from this post, it's that if something gets shared to the internet, it will live on forever regardless of security controls. That photo you think was marked private? Your plans for vacation? The name of your first dog (Fluffy)? All of this information can be used for both spearphishing attacks and breaching accounts using your private information. And unfortunately, there are two ways that threat actors abuse to make this happen:
- Posing as a real person and adding you as a connection/friend
- Someone screencaps information or uses a compromised account to do so
And once that information is out, it's out for good. There is no way to put the genie back into the lamp.
That's why it's both incredibly important to be cognizant that security controls are only minimally effective, and that the person claiming to be your old high school friend might be lying.
So how do you spot a fishy account? Start by going to their social profile and seeing if they have any shared connections. If so, that's a positive indicator, but they can just as easily connect with a targeted list of people from a specific school.
What next? See if they have any activity on their page. If it's a barren wasteland or it's a new profile, that should be a red flag. You can also get crafty by looking through their photos and seeing if they are using a readily available one by doing a reverse image search on Google or Tinyeye.
While these are just a few basic tips, when in doubt, just ignore the request. It's better to be safe than sorry.