Social media is packed with people with malicious intents. That is obvious to anyone who has spent five minutes on Twitter. But malicious activities on social media go far beyond trolling on twitter. After reading this article, it will become obvious to anyone using social media that their social media profiles are a gold mine for malicious actors who gather data for malicious purposes. Just by scrolling through your social media account, attackers can determine your email address, favorite spots to visit, pets' names, birthday, loved ones, and workplace. They love that info because attackers know that most passwords incorporate personal information, so it's good intel to hack your password.
Why is it profitable for attackers to target social media account credentials? Well, unfortunately, around two-thirds of people use the same password for multiple websites. This means that the attackers will not only get the password for your social media account but may gain access to more important accounts such as your work account, or even your bank account
Recently, we discovered a phishing scam that tried to takeover user accounts on TikTok. This social media platform has grown in popularity in recent years and continues to grow. TikTok is no longer just popular among private individuals, but many companies have begun to use this platform in their marketing. This gives attackers a new way to target corporate accounts. Impersonating social media platforms is not totally new but the wide range of different attack types and growing set of platforms keeps the attacks relevant.
In most cases, these phishing messages are notifications related to your account. The example below impersonates TikTok and notifies you of a new sign-in attempt with an unknown device and asks you to confirm this by verifying your account. The link in the message takes you to a very authentic looking login page also shown below. It is no wonder if this scam is hard to spot. The scam site steals user credentials and then redirects them to the real TikTok front page.
These social media phishing campaigns try to take over log-in information in various ways. The most popular ways are shown in the below examples of Instagram and Twitter.
The first campaign is informing a user that their account violated copyright rules and threatens to remove the account in 24 hours unless some action is taken. This attack exploits the sense of urgency and prompts the user to act. It arouses emotions when the email claims that you have violated copyright rules and the desire to know what you have done wrong might lead to immediate action.
In the second campaign, the attacker claims to be an admin of a platform and informs the user that their account is eligible for a “verified badge” (Ooh la la!). They just need the user to confirm their account or to reply to the email so the account can be rightfully verified. Another twist of this “verified badge” campaign is that the badge will be removed from the user due to inactivity, incomplete profile, or some sort of violation. This removal can be prevented if the user follows a set of instructions which includes a login. Usually, there is a button “Confirm My Account” or “Verify your account” where the links lead to a credential harvesting site or to another platform: WhatsApp, Facebook Messenger, or even Microsoft Teams have been known to be used in these type of attacks. On these sites, the attacker starts a conversation with the user. The aim of these conversations is to gather more information such as the user’s phone number that is linked to their profile so the attacker can bypass verification protocols.