Blog

Beware: Social Media & Phishing Attacks | Blog | IRONSCALES

Written by Eyal Benishti | Mar 20, 2019

Let this sink in for a minute: in 2019, it is estimated that social media has exceeded 3 billion users around the globe, equating to more than one-third of the world’s population. If you were to exclude both children under 10 years old and the elderly over 80 (those most likely not to be active on social media), then this percentage creeps up to half of all people, give or take.

We don’t need to rehash all of the many positives of social media usage, nor do we need to discuss some of the most obvious negatives. We all are well aware of how social media has brought people together while simultaneously it has been corrupted to push people apart. If anything, such a dichotomy is truly representative of how powerful social media is as a communications medium.

Presently, when the public thinks about the cons of social media, the majority of minds undoubtedly focus on the spread of fake news, stories of data theft and both the real and perceived invasion of privacy by Facebook and its vendors. While all three circumstances present real challenges for social media companies to overcome and are incredibly dangerous to public safety and security, they actually are not the primary detriment of social platforms.

Social media platforms are the primary medium for cyber criminals and fraudsters to find personal information that can be used for highly-customized social engineering campaigns. In fact, a savvy adversary can obtain 80% or more of the information they need to craft malicious emails that look and feel incredibly realistic simply by scrolling through Facebook.”

The perils of oversharing on social media

Oversharing on social media is not a new phenomenon. In conducting some research for this article, I came across articles, blogs and reports warning people not to share too much information from as far back as 2010. Now, there are endless articles about the “things we must stop sharing on social media.” But these lists are no more than common sense at best and click bait at worst.

The reality is that attackers are far more sophisticated than many people give them credit for. The best attackers are masters at not just the technical requirements of hacking, but their ability to understand and exploit the psychology of people is ingenious.

Here’s one current example to help paint the picture:

Most Americans anticipated greater returns from the IRS this tax season due to last year’s tax code legislation. Instead, many are now fuming with anger that the average tax return is down nearly 17% year-over-year. Such extreme discontent presents a prime opportunity for cyber criminals to launch tailored phishing attacks that play to the heightened emotions of those who feel wronged by the Trump Administration, Congress, the IRS or a combination thereof.

Instead of the common IRS tax season phishing scams of yesteryear, attackers in 2019 are deploying social engineering techniques that seek to gain a person’s trust by reducing their anger. To do so, attackers search social media, primarily Facebook and Twitter, to identify who is angry or perceives themselves as a victim. This information is easily obtainable through basic searches of people’s status and Tweets. As members of this constituency are identified, a simple search of people’s profiles and a scan of dark web sites makes it all but seamless to obtain enough information needed to create a personalized correspondence.

Now that the attacker has built a profile, they can craft messages that they know their targets will want to engage with. For this tax season, attackers are counting on many angry taxpayers jumping at the opportunity to respond to a message claiming, “there’s a way to increase your refund,” or “your refund was wrong; the IRS made a mistake,” etc. These messages would then ask for the person to provide confidential/private information to access money or try to persuade them to take an action, such as clicking on a malicious link or attachment. While the majority of people won’t fall for the scam, there are enough that will to make this a valuable endeavor for attackers.

Businesses also beware of how social media can spur phishing attacks

Tax season scams are just one example of how social media helps attackers. In the business world, every time a company posts a job on LinkedIn or Indeed.com and references the types of technology proficiency candidates require, they are inadvertently telling attackers what technology they use and the types of people that they are looking for. The availability of such information is leading to a rapid rise in business email compromise attacks, which because they lack a malicious payload, are hard for enterprise security tools to identify. Over one-third of U.S. companies have “received emails pretending to be from a senior manager or a vendor,” according to Media Post.

An attacker knows that your company is using Intuit because of a job posting, they can within minutes know with some certainty who at the company is in charge of that software. Then, they can conduct some reconnaissance that will allow them to eventually send a BEC message in the form of a fraudulent invoice or a message requesting payment.

Moving forward, both individuals and companies are going to have to weigh the pros and cons of posting online much more closely than they do now. While you may be incensed by your tax return, or lack thereof, is it really worth sharing your frustration with the world? Thanks to automation, machine learning and AI, attackers just need one piece of personal information to start their discovery. And that one piece of information might come from nothing other than your Facebook status.

Want to learn how we help businesses prevent, detect and respond to social engineering attacks and business email compromise? Watch this video and contact us today.