

Mike Raggo

Anatomy Of A Social Media Attack

Finding and addressing Twitter and Facebook threats requires a thorough understanding of how they're accomplished.

Social media threats are at an all-time high, ranging from account hijacking to impersonation attacks, scams, and new ways of distributing malware and executing phishing attacks. Sophisticated attacks target organizations of all sizes. For example, Microsoft was the victim of a series of social media hacks by nation-state threat actors. The attack campaign was extensive, affecting multiple Twitter accounts (principally Skype’s) and exposing corporate passwords and emails for dozens of Microsoft employees.

Because social media exists outside of the network perimeter, social media threats can manifest long before network perimeter and endpoint security detect malicious behavior. Detecting and mitigating these threats requires a thorough understanding of this new threat landscape. If we compare these tactics, techniques, and procedures to traditional network attack methods, we can draw some important contrasts.

Adversaries traditionally target a corporate network using two phases: reconnaissance and exploitation. Reconnaissance involves footprinting (for example, gathering information about an organization’s IP address and domains), scanning (identifying what systems are using what IPs), and enumeration (identifying the services and ports available on these target systems). When attackers use social media, their strategy is similar, but the methods of attack are quite different. In social media, targeting an organization and corporate network involves footprinting, monitoring and profiling, impersonating or hijacking, and, finally, attacking.

In a social media context, footprinting involves gathering information to identify employees, typically executives, as well as brand accounts owned by the target company. Names, email addresses, and phone numbers can be acquired from the company’s website and publications, the news media, and other sources to identify target social media accounts.

Next, the adversary builds a fake trust network on the social networks in order to monitor and profile the activities, behaviors, and interests of the accounts mapped to the organization. Keywords, hashtags, and @ mentions are also analyzed and later reused to establish trust when communicating from an impersonator account. Using the right lingo lends credibility, so employees are less likely to notice an impersonator and more likely to engage in conversation with it.

Now that the organization has been footprinted, monitored, and profiled across the social networks, the adversary can set up one or more impersonating accounts. Impersonation is one of the most common techniques used by attackers on social media, particularly when targeting enterprises. Our sample of approximately 100 customers shows more than 1,000 impersonation accounts are created weekly by perpetrators. By impersonating a key executive, an attacker can quickly establish trust to befriend other employees.

The adversary may use the actual profile image and bio from the legitimate account to build the impersonation account. The figure below shows a Twitter account impersonating Berkshire Hathaway CEO Warren Buffett, complete with @ mentions and relevant keywords. To weaponize an account like this in an attack campaign, the attacker must do a fair amount of social engineering, all made much easier by social media. (Note that attackers made easy-to-miss changes in the spelling of the target’s name.)  
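The spelling trick described above (a name that is close to, but not identical to, the legitimate one) is exactly what an automated monitor should look for. The following is an added example, not code from the article or from the author's product: it normalizes handles and display names (case, separators, fullwidth forms and a small, deliberately incomplete table of look-alike characters), then flags candidate accounts within a couple of edits of a known account. The accounts and names it checks are constructed.

```python
"""Lookalike-account detection against an organization's known social media handles.

Added example; not code from the original article. The handles and names
below are constructed, and HOMOGLYPHS is a small illustrative map, not a
complete confusables table.
"""
import unicodedata
from dataclasses import dataclass
from typing import Dict, List

# Visually confusable substitutions attackers use in typo-squatted names.
# Assumption: illustrative subset only.
HOMOGLYPHS: Dict[str, str] = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small i
    "rn": "m", "vv": "w",  # digraphs that read as one letter at small sizes
}


def normalize(name: str) -> str:
    """Fold a handle or display name to a canonical comparable form.

    NFKD unpacks fullwidth and accented forms, combining marks are dropped,
    confusables are mapped, and anything that is not a letter or digit
    (spaces, underscores, dots) is removed, so "Warren_Buffett." and
    "warrenbuffett" compare equal. Both the known and the candidate name
    go through the same fold, so a legitimate "rn" is not penalized.
    """
    s = unicodedata.normalize("NFKD", name).lower()
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return "".join(ch for ch in s if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) in O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass(frozen=True)
class Account:
    handle: str         # without the leading @
    display_name: str
    followers: int
    verified: bool


def find_lookalikes(candidates: List[Account], known: List[Account],
                    max_distance: int = 2) -> List[dict]:
    """Flag candidates within max_distance edits of a known account.

    The known accounts themselves are skipped by exact handle match. Follower
    count and verification status are carried along as triage context rather
    than used as a filter: an impersonator can buy followers.
    """
    real_handles = {k.handle for k in known}
    findings = []
    for c in candidates:
        if c.handle in real_handles:
            continue
        best = None
        for k in known:
            d = min(levenshtein(normalize(c.handle), normalize(k.handle)),
                    levenshtein(normalize(c.display_name), normalize(k.display_name)))
            if d <= max_distance and (best is None or d < best[1]):
                best = (k, d)
        if best is not None:
            k, d = best
            findings.append({"candidate": c.handle, "impersonates": k.handle,
                             "distance": d, "followers": c.followers,
                             "verified": c.verified})
    return findings


# Constructed sample data (not real accounts).
KNOWN = [Account("WarrenBuffett", "Warren Buffett", 1_600_000, True)]
CANDIDATES = [
    Account("WarrenBuffett", "Warren Buffett", 1_600_000, True),   # the real one
    Account("WarrenBufett", "Warren Bufett", 40, False),           # one letter dropped
    Account("Warren_Buffet_", "Warren Buffet", 12, False),         # separators plus a typo
    Account("W4rrenBuffett", "W\u0430rren Buffett", 3, False),     # digit and Cyrillic a
    Account("WarrenBuffettFan", "Buffett Fan Club", 900, False),   # 3 edits: out of range
    Account("CharlieMunger", "Charlie Munger", 20_000, False),     # unrelated
]

if __name__ == "__main__":
    for f in find_lookalikes(CANDIDATES, KNOWN):
        print(f)
```

In practice the candidate list comes from the platforms' search APIs (or an export from a monitoring vendor) and the known list from the footprinting step; tune `max_distance` to your false-positive tolerance, and treat a zero-distance match (identical after folding) as the highest-priority finding, since it is indistinguishable from the real account at a glance.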

Hijacking an account is more difficult than impersonating it but yields quicker results if successful. The most effective social media attacks on an organization occur when an attacker finds a way to hijack a legitimate account and uses it to further infiltrate the network. Numerous social network data dumps have made account hijacking much easier, because passwords leaked from one service are routinely reused on others.

Whether trust is established through an impersonation account or hijacked account, the adversary begins an attack by sending a direct message with malware or a phishing link to harvest credentials or infect a machine inside the network. This can be difficult to detect, as many of the social networks use URL shorteners that obfuscate the actual URL and may include multiple redirects. The following diagram depicts the anatomy of the attack. At this point, the internal beachhead has been established, the network has been compromised, and the adversary can expand their infiltration of the network. 

As social media threats continue to evolve, enterprises can fortify their detection and defenses with additional countermeasures. The following is a list of some of the key actions an organization can take to shore up its social media and network defenses:

  • Identify your organization’s social media footprint (companies, accounts, and key individuals).
  • Document responsible individuals for the corporate and brand accounts. These accounts should have strong passwords and two-factor authentication enabled (available from many social networks today).
  • When available, use verified accounts. Social networking companies such as Twitter and Facebook offer an option for verified accounts or profiles to ensure authenticity.
  • Monitor for impersonation accounts and, when you find them, arrange for takedown.
  • Enhance your perimeter security by leveraging a solution that feeds additional context, such as social media malicious URLs, into protection such as firewalls, intrusion detection, malware protection systems, proxies, or security information and event management systems.
  • Augment your incident response plan and process to encompass social media and include a takedown process. 
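The phishing step above relies on shortened links that hide the real destination behind one or more redirects, and the countermeasure list asks for those destinations to be fed into proxies and SIEMs as context. The following is an added example, not code from the article or from any product it mentions, of the resolver that bridges the two: it walks a redirect chain one hop at a time without ever fetching a page body, stops on loops and runaway chains, and turns the result into a record a proxy or SIEM can consume. The redirect table is constructed to stand in for the HTTP responses a HEAD-only fetcher would return, and the shortener list is a partial assumption.

```python
"""Resolve a shortened link's redirect chain and emit a record for a proxy or SIEM.

Added example; not from the original article. REDIRECTS is a constructed
table standing in for the (status, Location) pairs a HEAD-only HTTP fetcher
would return; table_fetcher is that stand-in and SHORTENERS a partial list.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple
from urllib.parse import urljoin, urlsplit

SHORTENERS: Set[str] = {"t.co", "bit.ly", "goo.gl", "ow.ly", "tinyurl.com"}  # assumption: partial
MAX_HOPS = 10  # legitimate links rarely need more than two or three redirects

# Constructed: URL -> (HTTP status, Location header or None). The .example TLD is reserved.
REDIRECTS: Dict[str, Tuple[int, Optional[str]]] = {
    "https://t.co/abc123": (301, "https://bit.ly/3xyz"),                 # shortener inside a shortener
    "https://bit.ly/3xyz": (301, "http://login-portal.example/verify"),   # drops to plain HTTP
    "http://login-portal.example/verify": (302, "/auth/index.html"),      # relative Location
    "http://login-portal.example/auth/index.html": (200, None),           # credential-harvesting page
    "https://t.co/good": (301, "https://example.com/blog/post"),
    "https://example.com/blog/post": (200, None),
    "https://t.co/loop1": (301, "https://t.co/loop2"),
    "https://t.co/loop2": (301, "https://t.co/loop1"),
}

Fetcher = Callable[[str], Tuple[int, Optional[str]]]


def table_fetcher(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for a HEAD request issued with redirects disabled."""
    return REDIRECTS.get(url, (404, None))


@dataclass
class ChainResult:
    hops: List[str]            # every URL visited, input first
    final_url: Optional[str]   # landing URL when the chain terminates cleanly
    verdict: str               # "resolved", "loop", "too_many_hops" or "dead_end"


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def resolve_chain(url: str, fetch: Fetcher, max_hops: int = MAX_HOPS) -> ChainResult:
    """Follow 3xx responses one hop at a time; never fetch a body."""
    hops, seen, current = [url], {url}, url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status in (301, 302, 303, 307, 308) and location:
            nxt = urljoin(current, location)   # Location may be relative
            if nxt in seen:
                return ChainResult(hops, None, "loop")
            hops.append(nxt)
            seen.add(nxt)
            current = nxt
        elif 200 <= status < 300:
            return ChainResult(hops, current, "resolved")
        else:
            return ChainResult(hops, None, "dead_end")   # 4xx/5xx or connection failure
    return ChainResult(hops, None, "too_many_hops")


def classify(result: ChainResult, blocklist: Set[str]) -> dict:
    """Build the record that would be pushed to a proxy blocklist or SIEM."""
    flags: List[str] = []
    if result.verdict != "resolved":
        flags.append(result.verdict)
    if sum(host_of(h) in SHORTENERS for h in result.hops) >= 2:
        flags.append("nested_shorteners")      # a common way to hide a destination
    if result.final_url and host_of(result.final_url) in blocklist:
        flags.append("blocklisted_destination")
    if any(h.startswith("http://") for h in result.hops[1:]):
        flags.append("plaintext_hop")          # https shortener bouncing to plain http
    return {"input": result.hops[0], "final": result.final_url,
            "hops": len(result.hops) - 1, "flags": flags}


if __name__ == "__main__":
    blocklist = {"login-portal.example"}      # constructed: intel from an earlier incident
    for link in ("https://t.co/abc123", "https://t.co/good", "https://t.co/loop1"):
        print(json.dumps(classify(resolve_chain(link, table_fetcher), blocklist)))
```

To run this against live links, replace `table_fetcher` with a function that issues `requests.head(url, allow_redirects=False, timeout=5)` and returns `(r.status_code, r.headers.get("Location"))`, run it from an isolated egress host rather than a user workstation, and refuse to follow a `Location` that resolves to an internal address, since the resolver is otherwise a convenient way for an attacker to make your infrastructure probe itself.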


Michael T. Raggo has over 20 years of security research experience. His current focus is social media threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding: Exposing Concealed Data in Multimedia, Operating ..."

Joe Stanganelli
User Rank: Ninja
8/25/2016 | 9:19:08 PM
Re: Buffett example
@Whoopty: It's not even about always being seen as a good guy.  It is a fact of business that people are going to dislike you for whatever reasons they decide to come up with -- whether deservedly so or not.

The point is to not go out of your way ticking off the wrong people unless the benefit exceeds the risk and cost factors.
User Rank: Ninja
8/25/2016 | 7:32:18 AM
Re: Buffett example
Agreed, being seen in public as a "good guy" is a must, though in Sony's case not having juvenile-level security would have helped a lot too! 

I wonder sometimes if it's worth cultivating relationships with international security companies too, as we've seen U.S. firms defending U.S. firms and the same in Russia in recent years. Being on good terms with all sorts of security companies so you have a good reputation in different circles is likely to be a positive step too.
Joe Stanganelli
User Rank: Ninja
8/24/2016 | 8:48:09 PM
Re: Buffett example
@Whoopty: Yep.  The number one way to protect yourself -- that most people don't think about -- is to make yourself not a target (or, at least, to make yourself as less attractive a target as possible).

The first big aspect of that is exactly what you said: Don't be the easy pickings -- the low-hanging fruit.  Do the basics, which a lot of companies don't.  All it takes is one minor slipup combined with shoddy policy.  (TJX, I'm lookin' at you.)

The second big aspect is to do what you can in terms of how you do business to not actively motivate people.  Sony is a great example of a "don't" in this way -- when they sued a 13-year-old hacker for modifying his own Playstation.  OBVIOUSLY they were going to get hit super hard and super often by the hacktivists of the world for that move.  (A good lawyer will tell you when you can sue and for what.  A great lawyer will tell you all that and also tell you the risk-benefit analysis of all of your options.)
User Rank: Ninja
8/24/2016 | 7:51:03 AM
Re: Buffett example
That's the thing though isn't it? No one is vigilant all of the time. All it takes is a slip up when you're tired, or not paying attention and you are compromised. Ultimately, it's about not being the lowest hanging fruit and doing your utmost to remain safeguarded as best you can.

If someone wants to hack you apart they are likely going to do it. You need to make yourself more of a time or money sink when it comes to cracking, and that way they're likely to focus on someone else instead. 
Joe Stanganelli
User Rank: Ninja
8/23/2016 | 1:57:32 PM
Buffett example
If an employee at Berkshire Hathaway would fall for that sample Warren Buffett spoof -- with the name spelled incorrectly twice, and only 40 followers -- then that employee may well be too darn stupid to work for B.H. in any capacity.

That said, I realize that there are (slightly) more convincing spoofs out there than this.  But still.

In any case, a little training can go a long way.