Social Media phishing campaigns: threat actors crashing your not-so-private party
Social media entices most of the world to share details of how they meet up, hang out, show off, and generally stay connected with others everywhere, all of the time. This constantly updated ocean of personal information yields an endless stream of notifications that populate email inboxes. Altogether, social media activity gives threat actors bountiful opportunity for social media phishing attacks.
Facebook now has almost 3 billion users, Instagram 1 billion, LinkedIn 740 million members, and Twitter 328 million; unsurprisingly, these are the brands most commonly impersonated in social media phishing campaigns. This article focuses on phishing attacks that use fake social media notification emails to steal account credentials, and touches on a few related social media scams. In these attacks, users are enticed to click a malicious link or hand over sensitive personal information that is later used against them.
Why do attackers go after social media account credentials? It’s not like banking logins and work passwords are stored in Instagram, right? Well, unfortunately, that is often essentially the case. Attackers know that many people recycle passwords across personal and work accounts, so a single stolen password can act as a skeleton key for cybercriminals.
The shift to remote work has created a surge in social media activity, and with it, a cybercrime wave. Criminals can safely assume their targets are using at least one social media platform, are accustomed to receiving notifications and alerts, and will thus be prone to clicking spoofed notification links.
Criminals exploit that familiarity by blasting out fraudulent notifications that trick people into entering credentials on an attack site. Using phishing templates, attackers play on basic human emotions and needs (popularity, urgency, elevated social status, getting something for free) to manipulate victims into unwise actions.
Impersonation attacks, meanwhile, most often use LinkedIn as the springboard into corporate email accounts, because a LinkedIn profile reads as convincing and trustworthy to professionals. Cybercriminals create fake profiles or pose as a co-worker to make an email look authentic. Be especially wary of fake recruiters asking for strangely personal information!
Snapshots of different attacks
A profile page can contain juicy information useful for crafting spearphishing campaigns: well-researched phishing attacks custom-designed for a specific person. The more convincing details they contain, the harder spearphishing emails are to spot, so be careful about what you share online. While we often joke about sharing too much information, criminals can’t get enough of it.
Social media phishes usually work like this:
- A fake notification email is sent to the victim’s inbox
- The notification appears to come from a trusted source and contains a malicious link
- Clicking the link takes the victim to a spoofed login page; entering credentials there compromises the social media account
- Alternatively, the link leads to a download that infects the victim’s computer with malware
The fake page can look identical to the official login page. A good way to determine whether it’s a scam is to examine the URL: if the domain is misspelled, uses the brand name as a subdomain of some other domain, or hides behind a link shortener, treat it as an attack site. Misspellings and bad grammar in the message are also a telltale sign, although clean copy alone proves nothing, since a phishing kit can clone the platform’s real template word for word. The safest way to proceed is to navigate directly to the social media site in question and see if you actually have any notifications of friend requests, messages, updates, etc.
Work emails are mostly targeted with LinkedIn phishes. This real-life example shows an attacker impersonating LinkedIn’s password change service. The attacker increases authenticity by adding specific details, gleaned from the target’s social media activity, about where the login supposedly happened. That manipulation of publicly available information can add the bait needed to get the victim on the hook.
The real-life social media phishing example above claims that Instagram has published your video. Tempting, isn’t it, to see what’s been published without your knowledge? That’s exactly the point, and many people fall for it.
Social media bad romance and pay-for-friends attacks
Another dominant social media attack vector is the romance scam. Social media is commonly used for dating, where lonely hearts across digital space doth meet. Targeting the people most eager for love and companionship, criminals mercilessly set the hook with a pay-for-love scam, for example asking the victim to pay for flight tickets for a rendezvous. These stories always end sadly.
Next up, the “pay for followers” attack leverages platforms where popularity is measured by follower count. The attack breaks down like this:
- The victim receives a message, with a link (cue ominous music), from attackers promising a guaranteed spike in new followers for a small fee
- Following the link leads to a page that harvests the victim’s credentials or payment details, giving the attackers control of the account and access to its contacts
- The hijacked account is then turned into a reservoir of spam aimed at the victim’s followers
- One hijacked account leads to the next like stepping stones, spreading the attack by abusing the victim’s social media credibility through personal messages carrying links or attachments
There’s a daisy chain effect: one account after another is hijacked and turned into a spam factory. It’s a newer means of executing traditional email-based phishing attacks, much like the botnets that keep returning as the undead kings of malware. Attackers know that a message sent by a trusted friend or family member is far more likely to entice the recipient to click a link.
Simulations: The next two email templates are our own simulations of real-life phishing attacks. A clear call to action aimed at YOUR account or profile is what keeps the content appealing.
How to stay off the hook
- Think before you click! Attackers are skilled at grabbing your attention and fabricating a sense of urgency so that you click a link immediately.
- Never click links in an email asking you to “update” your personal details. Instead, go to the platform’s official site and check whether anything actually needs updating.
- Learn which domains the platform actually uses (listed on its official site) and compare the link’s real destination against them, not just the text it displays.
- Check your social media privacy settings, and ask yourself: do I need to share everything I do publicly?
- Be especially cautious of shortened links (services like Bit.ly or Tiny.cc can mask a longer attack URL); preview where a shortened link expands to before visiting it.
- Contact the sender via another channel to verify they really sent you the message.
- Trust your instincts if you have any doubts!
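The URL checks recommended above (in the notification-phishing walkthrough and in this checklist) can be made mechanical. The Python below is an added example for this article, not Hoxhunt’s own tooling: it extracts the real hostname from a link, compares its registrable domain with the platform’s official domains, and flags lookalike spellings, brand names used as subdomains of someone else’s domain, punycode labels, link shorteners, and the `brand@attacker` userinfo trick. The official-domain and shortener lists, the sample links, and the two-label registrable-domain rule are assumptions for illustration.

```python
"""Classify a link from a 'social media notification' by where it really points.

Added example for this article, not Hoxhunt's own tooling. OFFICIAL_DOMAINS and
SHORTENERS are illustrative assumptions, not an authoritative registry, and
registrable_domain() is a deliberate simplification (see its docstring).
"""
from urllib.parse import urlparse

# Assumption: registrable domains each platform actually links to in notifications.
OFFICIAL_DOMAINS = {
    "linkedin": {"linkedin.com", "licdn.com"},
    "instagram": {"instagram.com", "cdninstagram.com"},
    "facebook": {"facebook.com", "fb.com", "fbcdn.net"},
    "twitter": {"twitter.com", "twimg.com"},
}

# Assumption: a partial list of public URL shorteners (the article names Bit.ly and Tiny.cc).
SHORTENERS = {"bit.ly", "tiny.cc", "tinyurl.com"}

# Registrable domains within this edit distance of an official one count as lookalikes
# ("linkedln.com", "instagrarn.com"). Tune per brand; very short domains false-positive more.
LOOKALIKE_MAX_DISTANCE = 2


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a hostname.

    Simplification: ignores multi-label public suffixes such as co.uk; a real
    deployment should use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character brand typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, platform: str) -> str:
    """Return one of: official, credentials-in-url, punycode, shortened,
    lookalike, brand-misused, unrelated, invalid."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    # .hostname drops the port and anything before '@', so
    # https://www.linkedin.com@evil.example/ resolves to evil.example here.
    host = (parsed.hostname or "").lower()
    if not host:
        return "invalid"
    if parsed.username is not None or parsed.password is not None:
        # Brand name smuggled into the userinfo part to mislead the eye.
        return "credentials-in-url"
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: the browser may render a homoglyph of the brand.
        return "punycode"
    reg = registrable_domain(host)
    official = OFFICIAL_DOMAINS[platform]
    if reg in official:
        return "official"
    if reg in SHORTENERS:
        return "shortened"
    if any(edit_distance(reg, o) <= LOOKALIKE_MAX_DISTANCE for o in official):
        return "lookalike"
    # Brand name present somewhere in the host, but the registrable domain is not the
    # platform's, e.g. linkedin.com.secure-login.example. Short brand labels are skipped.
    brands = {o.split(".")[0] for o in official if len(o.split(".")[0]) >= 4}
    if any(brand in host for brand in brands):
        return "brand-misused"
    return "unrelated"


# Constructed sample links, the kind found in a spoofed LinkedIn password-reset mail.
SAMPLE_LINKS = [
    "https://www.linkedin.com/psettings/change-password",
    "https://linkedin.com.secure-login.example/reset",
    "http://linkedln.com/login",
    "https://bit.ly/3abcXYZ",
    "https://www.linkedin.com@login-verify.example/reset",
    "https://xn--lnkedin-abc.com/",
    "https://example.org/",
]


def scan(links, platform="linkedin"):
    """Map each link to its verdict; anything but 'official' deserves a second look."""
    return {url: classify_link(url, platform) for url in links}


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_LINKS).items():
        print(f"{verdict:19} {url}")
```

Run it and only the first sample link comes back as `official`; every other verdict is a reason to open the platform directly instead of following the link. The verdicts are ordered so the cheap structural tells (userinfo, punycode, shortener) are reported before the fuzzier lookalike and brand-in-subdomain checks.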
Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, every week, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to keep our training at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.