Social media entices most of the world to share details of how they meet up, hang out, show off, and generally stay connected with others everywhere, all of the time. This constantly updated ocean of personal information yields an endless stream of notifications that populate email inboxes. Altogether, social media activity gives threat actors bountiful opportunity for social media phishing attacks.

Facebook now has almost 3 billion users, Instagram 1 billion, LinkedIn 740 million members, and Twitter 328 million; these social media giants are therefore the brands most commonly impersonated in phishing campaigns. This article focuses on phishing attacks that use spoofed social media notification emails to steal account credentials, and touches on a few related social media scams. In these attacks, users are enticed to click a malicious link or to hand over sensitive personal information that is later used for fraud or further attacks.
Why do attackers go after social media account credentials? It's not as if banking logins and work passwords are stored in Instagram, right? Unfortunately, that is often essentially the case. Attackers know that many people recycle the same password across personal and work accounts, so a single stolen password can act as a skeleton key. Unique passwords for every account, kept in a password manager, are what take that key away from them.

The shift to remote work has created a surge in social media activity, and with it a wave of cybercrime. Criminals can safely assume their targets use at least one social media platform, are accustomed to receiving notifications and alerts, and will therefore be prone to clicking spoofed notification links. Criminals exploit that familiarity by blasting out fraudulent notifications that trick people into entering credentials on an attack site. Using phishing templates, attackers play on basic human emotions and needs (popularity, urgency, elevated social status, getting something for free) to manipulate targets into unwise actions.

Impersonation attacks aimed at corporate email accounts most often borrow LinkedIn's look, because a LinkedIn profile reads as credible and trustworthy to professionals. Cybercriminals can create false profiles, or even pose as a co-worker, to make an email look more authentic. Be especially wary of fake recruiters asking for strangely personal information!
A profile page can contain juicy information useful for building spear-phishing campaigns: well-crafted phishing attacks custom-designed for a specific person. The more convincing details they contain, the harder spear-phishing emails are to spot, so be careful about what you share online. While we often joke about sharing too much information, criminals can't get enough of it. Social media phishes usually work as follows:
The fake page can look identical to the official login page, so the page itself is not the tell. Examine the URL instead, and focus on the registered domain (the last labels of the hostname, for example instagram.com) rather than on whether the brand name appears somewhere in the address. Lookalike spellings (lnstagram.com, faceb00k.com), the brand name used as a subdomain of an unrelated domain (instagram.com.verify-login.net), a raw IP address in place of a hostname, and internationalised (xn--) hostnames that render as the brand name all point to an attack site. Misspellings and bad grammar in the email body are a further warning sign, although polished campaigns exist, so clean copy is not proof of legitimacy. The safest way to proceed is to ignore the link altogether, type the social media site's address into the browser yourself (or open the app), and check there whether you actually have any friend requests, messages or updates waiting.
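The URL check described above, written out as an added Python example (this is not code from the original article or from Hoxhunt). The brand-to-domain allowlist, the homoglyph table and the sample links are all constructed for the example; the registrable-domain logic is a deliberate simplification that takes the last two hostname labels, so a real deployment would use the Public Suffix List instead.

```python
"""Added example (not from the original article): classify links found in
social media notification emails by how their hostname relates to the brand
they claim to be from.

Assumptions, all constructed for this example:
  - OFFICIAL_DOMAINS lists one legitimate registrable domain per brand.
  - registrable_domain() takes the last two labels; two-label public suffixes
    such as co.uk are not handled (use the Public Suffix List in production).
"""
from urllib.parse import urlsplit

# Constructed allowlist: brand -> registrable domain that legitimately hosts logins.
OFFICIAL_DOMAINS = {
    "facebook": "facebook.com",
    "instagram": "instagram.com",
    "linkedin": "linkedin.com",
    "twitter": "twitter.com",
}

# Characters attackers substitute for letters to build lookalike names.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def registrable_domain(hostname: str) -> str:
    """Simplified eTLD+1: the last two labels of the hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo common letter substitutions (0->o, 1->l, rn->m) before comparing."""
    return label.translate(HOMOGLYPHS).replace("rn", "m")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_link(url: str, brand: str) -> str:
    """Classify a notification link that claims to come from `brand`.

    Returns one of:
      'official'       registrable domain is the brand's real domain
      'punycode'       hostname carries a non-ASCII or xn-- label (hides the spoof)
      'ip-address'     a bare IP address instead of a hostname
      'lookalike'      registrable domain is a homoglyph/typo of the brand
      'brand-embedded' brand name appears only inside some other domain
      'unrelated'      brand name is absent from the hostname entirely
    """
    host = (urlsplit(url).hostname or "").lower()  # userinfo and port are stripped here
    if not host:
        return "unrelated"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    if host.replace(".", "").isdigit():
        return "ip-address"
    reg = registrable_domain(host)
    official = OFFICIAL_DOMAINS[brand]
    if reg == official:
        return "official"
    sld, official_sld = normalise(reg.split(".")[0]), official.split(".")[0]
    if sld == official_sld or _edit_distance(sld, official_sld) <= 1:
        return "lookalike"
    if brand in host:
        return "brand-embedded"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in spoofed notifications.
    samples = [
        ("https://www.instagram.com/accounts/login/", "instagram"),
        ("https://instagram.com.verify-login.net/", "instagram"),
        ("https://lnstagram.com/login", "instagram"),
        ("https://instagrarn.com/", "instagram"),
        ("https://faceb00k.com/", "facebook"),
        ("https://xn--nstagram-w2a.com/", "instagram"),
        ("https://linkedin.com@198.51.100.7/login", "linkedin"),
        ("https://mail.example.org/", "twitter"),
    ]
    for url, brand in samples:
        print(f"{classify_link(url, brand):15} {url}")
```

Note the `linkedin.com@198.51.100.7` sample: the brand name sits in the userinfo part of the URL, which browsers ignore, so the real destination is the IP address. Only 'official' should be trusted; every other class is grounds to close the email and navigate to the site by hand.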
LinkedIn lures are the ones most often aimed at work email addresses. The real-life example shown here impersonates LinkedIn's password change notification. The attacker adds credibility by including specific details gleaned from the target's social media activity, such as where the supposed login took place. That use of publicly available information supplies the bait needed to get the victim on the hook.
The real-life social media phishing example above claims that Instagram has published your video. It is tempting to go and see what has been published without your knowledge, and that is exactly the point: many people fall for these attacks.
Another dominant social media attack vector is the romance scam. Social media is commonly used for dating, as lonely hearts across digital space doth meet. Targeting those most vulnerable in their search for love and companionship, criminals mercilessly set the hook with a pay-for-love scam, perhaps asking for money for flight tickets to a rendezvous. These stories always end sadly.

Next up, the "pay for followers" attack leverages social media platforms where popularity is measured by number of followers. The attack breaks down as follows:
There is a daisy-chain effect: one compromised account after another is turned into a spam factory. It is a newer way of executing the traditional email-based phishing attack, like those of the botnet dubbed the "Undead King of Malware". Attackers know that an email sent from a trusted friend's or family member's account is far more likely to entice the victim to click a link.

Simulations: the next two email templates are our own simulations of real-life phishing attacks. Clear visuals and an action taken on YOUR account or profile keep the content appealing.
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training keeps pace with the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.