More and more cyber criminals are using the newest generation of communication platforms, social media, for their phishing attacks. Whereas "normal" phishing attacks are carried out via e-mail, social media phishing attacks are carried out using social media channels. The methods are often the same, so what makes phishing on social media so appealing to cyber criminals? And what does a phishing attack on Facebook, LinkedIn and co. look like? You can find out in this blog article.
One in 99 e-mails is a phishing attack* with malicious links and attachments. The methods used vary and include identity theft, exploiting implied trust and passing on malicious links or malware, for example ransomware. Phishing e-mails are forged or imitate reputable senders, making it difficult to recognize them as "fake". The goals vary: getting the recipient to click on a link and enter confidential information on the fake website, or to perform an action, for instance opening a file that installs malware on the computer. New generation communication platforms are becoming increasingly popular with cyber criminals, and social media phishing is on the increase year on year. Frequently, the same methods are used as in e-mail phishing, except that they are applied to Facebook, LinkedIn and co.
All the social media networks have grown rapidly in recent years and feature a wide range of advanced functions, including the integration of third-party apps. This provides cyber criminals with new points of attack and an enormous pool of potential victims. They use social engineering, that is, psychological manipulation, to trick users into revealing confidential information. Social networks are based on trust, and their users trust social networks. This makes them ideal platforms for launching attacks. Users make a lot of personal (and sometimes confidential) information public, such as their location, the place where they live, their job, their birthday, their hobbies and, last but not least, their friends. This information is available to cyber criminals with very little effort and makes it easier for them to launch targeted attacks. Our cyber security experts have put together 15 tips on how to protect yourselves from social engineering.
Once cyber criminals have gathered enough information, they launch their (spear) phishing attack via the social media channel. One possibility is that the user is tricked into sharing a malicious link to a fake website on their social networks. It is very easy for the user's social contacts to fall for the scam because the link originates from a reputable or known contact. Phishing campaigns with the "verified" tag are also very effective. The little blue "verified" box confirms that the account of a public figure, influencer or brand is a genuine one. Cyber criminals posing as Facebook or Instagram send users phishing e-mails asking them to log in to the platform to activate their "verified" box. When the users do so, their login data is captured, and using the compromised account, the criminals can then gain access to millions of users.
Facebook is the biggest and most influential social media channel and is the network most commonly used by cyber criminals for scams. Facebook is now the third most commonly used brand in phishing attacks. One option is for cyber criminals to illegally obtain user data on the Darknet, which they then use for their own purposes. In other cases, they use a connection to a third-party app to obtain user data. Using the universal API login, users can log in to countless apps directly using Facebook. Cyber criminals can easily build a phishing site that mimics the Facebook login page. Users believe they are logging in to an app, but they are actually giving their login details to the cyber criminal, who can then take over the account. The compromised account can then be used to contact the account holder's social network.
On top of this, users are becoming more and more used to requests to update their data protection settings, but in some cases the sender is not Facebook but cyber criminals who are pretending to be Facebook.
There are a lot of headhunters who contact LinkedIn users via InMail. Cyber criminals also conceal themselves among these "headhunters". They prey on people who are looking for jobs, either by getting personal information from a phishing site or by making them download job descriptions. These PDF or Word documents contain macros that then launch malware. In other cases, the link leads to a website that delivers the malware.
There is a new trend in scams using fake contact requests. Cyber criminals create fake LinkedIn e-mails in which they ask the user to accept a contact request. When the user logs in to LinkedIn to accept it, his or her login details are captured and the LinkedIn account is taken over by the cyber criminal. This then enables cyber criminals to contact other users via InMail to carry out phishing or spear phishing. They can share content freely and interact with millions of other LinkedIn users.
Instagram, effectively a database for selfies, has become a huge advertising platform and a career springboard for influencers. This is why phishing has also become attractive on the Instagram platform. The attacks range from requests for password resets and phishing e-mails all the way to multi-level attacks that begin with phishing and then progress to spear phishing. Here too, cyber criminals can capture a user's Instagram credentials on a fake Instagram login page and then take over the account. They can then use the compromised account to phish and spear phish the user's followers, or demand a ransom to prevent the publication of the victim's confidential information and private pictures.
Even though cyber criminals primarily target business accounts, the majority of phishing e-mails on social media are sent to individuals rather than to company e-mail accounts. So when you are on social networks, be wary of contact requests, profile views or verification requests, and check the sender with care.
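The sender and link check recommended above can also be automated at a mail gateway. The following sketch is an added example, not part of the original article: it flags a message whose display name claims Facebook, LinkedIn or Instagram while the sender address or the links point elsewhere. The allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative allowlist of domains each brand really sends from
# and links to; maintain your own list in production.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "linkedin": {"linkedin.com"},
    "instagram": {"instagram.com"},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def link_host(url):
    # .hostname lowercases and strips any "user@" prefix and port, so
    # https://www.linkedin.com@other.example/ resolves to other.example.
    return (urlsplit(url).hostname or "").rstrip(".")

def check_message(from_header, body):
    """Return (finding, host) tuples for a mail that claims to be a brand."""
    display, address = parseaddr(from_header)
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    if not claimed:
        return []  # no brand claimed in the display name, nothing to compare
    brand = claimed[0]
    domains = BRAND_DOMAINS[brand]
    findings = []
    sender_host = address.rsplit("@", 1)[-1].lower()
    if not belongs_to(sender_host, domains):
        findings.append(("sender-domain-mismatch", sender_host))
    for url in URL_RE.findall(body):
        host = link_host(url)
        if belongs_to(host, domains):
            continue
        # Brand name inside a foreign host is the classic lookalike pattern.
        kind = "lookalike-link" if brand in host else "off-brand-link"
        findings.append((kind, host))
    return findings

# Constructed sample: a fake contact-request mail like the one described above.
SAMPLE_FROM = "LinkedIn <invitations@linkedin-contacts.example>"
SAMPLE_BODY = ("You have a new contact request. Accept it here: "
               "https://www.linkedin.com.login-verify.example/accept?id=1 "
               "or read https://www.linkedin.com/help")
```

Calling `check_message(SAMPLE_FROM, SAMPLE_BODY)` reports the mismatched sender domain and the lookalike link, while the genuine `www.linkedin.com` link passes.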
Companies are also able to protect their employees with targeted training against phishing and social engineering. Well-trained users are less likely to fall for attacks than users with no training. Our cyber security experts have put together the most important tricks for detecting phishing e-mails in a free poster. Download it now!
(*) Source: Global Phishing Report 2019 by Avanan, https://www.avanan.com/global-phish-report