10:00 AM
Mike Raggo
Anatomy Of A Social Media Attack

Finding and addressing Twitter and Facebook threats requires a thorough understanding of how they're accomplished.

Social media threats are at an all-time high, ranging from account hijacking to impersonation attacks, scams, and new ways of distributing malware and executing phishing attacks. Sophisticated attacks target organizations of all sizes. For example, Microsoft was the victim of a series of social media hacks by nation-state threat actors. The attack campaign was extensive, affecting multiple Twitter accounts (principally Skype’s) and exposing corporate passwords and emails for dozens of Microsoft employees.

Because social media exists outside of the network perimeter, social media threats can manifest long before network perimeter and endpoint security detect malicious behavior. Detecting and mitigating these threats requires a thorough understanding of this new threat landscape. If we compare these tactics, techniques, and procedures to traditional network attack methods, we can draw some important contrasts.

Adversaries traditionally target a corporate network using two phases: reconnaissance and exploitation. Reconnaissance involves footprinting (for example, gathering information about an organization’s IP address and domains), scanning (identifying what systems are using what IPs), and enumeration (identifying the services and ports available on these target systems). When attackers use social media, their strategy is similar, but the methods of attack are quite different. In social media, targeting an organization and corporate network involves footprinting, monitoring and profiling, impersonating or hijacking, and, finally, attacking.

In a social media context, footprinting involves gathering information to identify employees, typically executives, as well as brand accounts owned by the target company. Names, email addresses, and phone numbers can be acquired from the company’s website and publications, the news media, and other sources to identify target social media accounts.

Next, the adversary seeks to establish a fake social media trust network to monitor and profile activities, behaviors, and interests across the social media accounts mapped to the organization. Keywords, hashtags, and @ mentions are also analyzed and used to establish trust when communicating from an impersonator account. Using relevant lingo establishes credibility and makes other employees less aware of an impersonator, making them more vulnerable to engaging in conversations.

Now that the organization has been footprinted, monitored, and profiled across the social networks, the adversary can set up one or more impersonating accounts. Impersonation is one of the most common techniques used by attackers on social media, particularly when targeting enterprises. Our sample of approximately 100 customers shows more than 1,000 impersonation accounts are created weekly by perpetrators. By impersonating a key executive, an attacker can quickly establish trust to befriend other employees.

The adversary may use the actual profile image and bio from the legitimate account to build the impersonation account. The figure below shows a Twitter account impersonating Berkshire Hathaway CEO Warren Buffett, complete with @ mentions and relevant keywords. To weaponize an account like this in an attack campaign, the attacker must do a fair amount of social engineering, all made much easier by social media. (Note that attackers made easy-to-miss changes in the spelling of the target’s name.)
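The spelling changes mentioned above are exactly what an impersonation monitor should catch. The following is an added example (not code from the article or its author) that folds look-alike characters and flags candidate accounts whose handle or display name sits within a small edit distance of a constructed watchlist of protected handles and names:

```python
"""Flag candidate accounts that closely resemble protected executive or brand names.
The watchlist and candidate accounts below are constructed for illustration."""
import re

# Constructed watchlist: legitimate handle -> display name it should carry.
PROTECTED = {"WarrenBuffett": "Warren Buffett", "BerkshireHath": "Berkshire Hathaway"}

# Visually confusable characters attackers commonly swap in; folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(s: str) -> str:
    """Lower-case, fold look-alike characters and drop anything non-alphabetic."""
    s = s.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_candidate(handle: str, display_name: str, max_dist: int = 2):
    """Return (protected_handle, reason) when the account looks like an impersonation,
    otherwise None. The legitimate account itself is never flagged."""
    if handle in PROTECTED:
        return None
    for real_handle, real_name in PROTECTED.items():
        for field, value in (("handle", handle), ("display_name", display_name)):
            for target in (real_handle, real_name):
                d = levenshtein(normalize(value), normalize(target))
                if d <= max_dist:
                    return real_handle, f"{field} '{value}' within {d} edit(s) of '{target}'"
    return None


if __name__ == "__main__":
    # Constructed candidates: a one-letter misspelling and a digit-for-letter swap.
    for h, n in [("WarrenBuffet", "Warren Buffet"), ("W4rrenB", "Warr3n Buffett"), ("JaneDoe", "Jane Doe")]:
        print(h, "->", score_candidate(h, n))
```

Hits should go to a takedown queue with the reason string attached, since a reviewer needs to see which field matched and how closely.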

Hijacking an account is more difficult than impersonating it but yields quicker results if successful. The most effective social media attacks on an organization occur when an attacker is successful in finding a method to hijack an account and use that to further infiltrate a network. Numerous social network data dumps have made account hijacking much easier.

Whether trust is established through an impersonation account or a hijacked account, the adversary begins an attack by sending a direct message with malware or a phishing link to harvest credentials or infect a machine inside the network. This can be difficult to detect, as many of the social networks use URL shorteners that obfuscate the actual URL and may include multiple redirects. The following diagram depicts the anatomy of the attack. At this point, the internal beachhead has been established, the network has been compromised, and the adversary can expand their infiltration of the network.

As social media threats continue to evolve, enterprises can fortify their detection and defenses by using additional countermeasures. The following is a list of some of the key actions an organization can take to shore up their social media and network defenses:

  • Identify your organization’s social media footprint (companies, accounts, and key individuals).
  • Document responsible individuals for the corporate and brand accounts. These accounts should have strong passwords and two-factor authentication enabled (available from many social networks today).
  • When available, use verified accounts. Social networking companies such as Twitter and Facebook offer an option for verified accounts or profiles to ensure authenticity.
  • Monitor for impersonation accounts and, when you find them, arrange for takedown.
  • Enhance your perimeter security by leveraging a solution that feeds additional context, such as social media malicious URLs, into protection such as firewalls, intrusion detection, malware protection systems, proxies, or security information and event management systems.
  • Augment your incident response plan and process to encompass social media and include a takedown process.
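Because shortened links hide the real destination behind one or more redirects, a perimeter control that only checks the visible URL learns nothing. The example below is added here (it is not code from the article) and expands a short link hop by hop without fetching any content, checking each hop against a blocklist so the resolved destination can be fed to a proxy or SIEM; the redirect map, blocklist and `sample_fetch_location` helper are constructed stand-ins for a HEAD request with redirects disabled:

```python
"""Expand a shortened link manually and check every hop against a blocklist.
The redirect map is constructed for offline use; in production `fetch_location`
would issue a HEAD request with automatic redirects disabled and return the
Location header (assumption: e.g. requests.head(url, allow_redirects=False))."""
from urllib.parse import urljoin, urlparse

# Constructed sample: URL -> Location header, mimicking a multi-hop shortener chain.
SAMPLE_REDIRECTS = {
    "https://sho.rt/abc": "https://t.example/redir?u=1",
    "https://t.example/redir?u=1": "/final",              # relative Location header
    "https://t.example/final": "https://evil-login.example/signin",
    "https://sho.rt/loop": "https://sho.rt/loop",         # self-referencing loop
}
# Constructed blocklist of hostnames, e.g. from a threat-intel feed.
BLOCKLIST = {"evil-login.example"}


def sample_fetch_location(url: str):
    """Stand-in for an HTTP HEAD: return the Location header, or None if no redirect."""
    return SAMPLE_REDIRECTS.get(url)


def is_blocked(url: str) -> bool:
    return (urlparse(url).hostname or "") in BLOCKLIST


def expand_chain(url: str, fetch_location=sample_fetch_location, max_hops: int = 10):
    """Follow Location headers one at a time and return (chain, verdict).
    verdict is 'blocked', 'loop', 'too_many_hops' or 'clean'."""
    chain, seen = [url], {url}
    if is_blocked(url):
        return chain, "blocked"
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:                       # no further redirect: final destination
            return chain, "clean"
        nxt = urljoin(chain[-1], nxt)         # resolve relative Location against current URL
        chain.append(nxt)
        if is_blocked(nxt):
            return chain, "blocked"
        if nxt in seen:                       # shortener pointing back at itself
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"             # cap reached: treat as suspicious, not clean


if __name__ == "__main__":
    for u in ("https://sho.rt/abc", "https://sho.rt/loop", "https://example.org/page"):
        print(u, "->", expand_chain(u))
```

Every intermediate hop, not just the final URL, is worth logging, since the shortener and redirector domains themselves are useful indicators for the SIEM.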

Michael T. Raggo has over 20 years of security research experience. His current focus is social media threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding: Exposing Concealed Data in Multimedia, Operating ...

Joe Stanganelli
User Rank: Ninja
8/25/2016 | 9:19:08 PM
Re: Buffett example
@Whoopty: It's not even about always being seen as a good guy.  It is a fact of business that people are going to dislike you for whatever reasons they decide to come up with -- whether deservedly so or not.

The point is to not go out of your way ticking off the wrong people unless the benefit exceeds the risk and cost factors.
User Rank: Ninja
8/25/2016 | 7:32:18 AM
Re: Buffett example
Agreed, being seen in public as a "good guy" is a must, though in Sony's case not having juvenile-level security would have helped a lot too!

I wonder sometimes if it's worth cultivating relationships with international security companies too, as we've seen U.S. firms defending U.S. firms and the same in Russia in recent years. Being on good terms with all sorts of security companies, so you have a good reputation in different circles, is likely to be a positive step too.
Joe Stanganelli
User Rank: Ninja
8/24/2016 | 8:48:09 PM
Re: Buffett example
@Whoopty: Yep.  The number one way to protect yourself -- that most people don't think about -- is to make yourself not a target (or, at least, to make yourself as less attractive a target as possible).

The first big aspect of that is exactly what you said: Don't be the easy pickings -- the low-hanging fruit.  Do the basics, which a lot of companies don't.  All it takes is one minor slipup combined with shoddy policy.  (TJX, I'm lookin' at you.)

The second big aspect is to do what you can in terms of how you do business to not actively motivate people.  Sony is a great example of a "don't" in this way -- when they sued a 13-year-old hacker for modifying his own Playstation.  OBVIOUSLY they were going to get hit super hard and super often by the hacktivists of the world for that move.  (A good lawyer will tell you when you can sue and for what.  A great lawyer will tell you all that and also tell you the risk-benefit analysis of all of your options.)
User Rank: Ninja
8/24/2016 | 7:51:03 AM
Re: Buffett example
That's the thing though isn't it? No one is vigilant all of the time. All it takes is a slip up when you're tired, or not paying attention and you are compromised. Ultimately, it's about not being the lowest hanging fruit and doing your utmost to remain safeguarded as best you can.

If someone wants to hack apart you they are likely going to do it. You need to make yourself more of a time or money sink when it comes to cracking and that way they're likely to focus on someone else instead.
Joe Stanganelli
User Rank: Ninja
8/23/2016 | 1:57:32 PM
Buffett example
If an employee at Berkshire Hathaway would fall for that sample Warren Buffett spoof -- with the name spelled incorrectly twice, and only 40 followers -- then that employee may well be too darn stupid to work for B.H. in any capacity.

That said, I realize that there are (slightly) more convincing spoofs out there than this.  But still.

In any case, a little training can go a long way.