Attacks/Breaches

2/21/2017
12:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Social Media Impersonators Drive Security Risk

A new pool of research digs into the fraudulent social media accounts, a growing threat to individuals and businesses.

The number of social media impersonators grew 11x between December 2014 and December 2016, a sign of a trend threatening businesses and individuals as fake accounts become easier to create.

This finding comes from new research by social media security firm ZeroFOX, which spent two years digging into impersonators using machine learning, natural language processing, image recognition, and other techniques to gauge similarities between fake and legitimate accounts.

"We were analyzing tactics and techniques, trying to understand their motives for performing different types of attacks," says Mike Raggo, chief research scientist at ZeroFOX.

ZeroFOX gained its insight from about 40,000 brand impersonators across six platforms: Facebook, Twitter, Instagram, LinkedIn, Google+, and Youtube. Nearly 1,000 were analyzed in depth; for some, researchers talked with criminals to learn about goals and methodologies.

Attacks span all platforms but are most popular on Facebook, Twitter, and Google+. Their goals vary, but most involve money. With phishing, Raggo explains, they could be seeking credit card information or social network data so they can hijack accounts and broaden their victim pool.

Impersonators employ several techniques: phishing, adware, malware, fraud, counterfeit merchandise, and "follow farming". Their habits are changing. In this research, Raggo explains, he was surprised to see an increase in impostors claiming to verify accounts.

"We saw a number of impersonators, across a number of different networks, exploiting the verification process," he says. Many claim to verify social media accounts for a price, and collect victims' credentials and credit card information in the process. The verification process varies across social platforms; some require fees and some don't.

Fake promoted ads are another trend to watch, he continues. Impostors create ads prompting users to click through to a malicious site. This was surprising, he continues, because social platforms typically require a vetting process for promoted ads. Impersonators can bypass the vetting process by using real brand logos and similar-looking merchandise.

The creation of successful fake accounts takes time and expertise. Many impersonators set up their accounts long before they attack, garner followers, then change their information before they weaponize the account. They continue adopting new names over time to avoid getting caught.

"We saw a lot of impersonator accounts were set up weeks or months in advance," says Raggo. "A lot of accounts had been set up for some time to build a following. Then they change multiple times, transcending multiple accounts or companies over time."

There are several ways impostors try to trick unsuspecting users. They employ link shortening so unsuspecting victims have no idea they're getting phished. They use cropped, flipped, or altered images from legitimate brands to make their false advertising seem real.

This research highlights an interesting challenge for businesses as they figure out how to stay secure in the age of social media. Most organizations are equipped to handle phishing, malicious links, and malware in email -- but how are they positioned to handle social media?

"This is more than a perimeter and endpoint issue," he says. "This is a problem within the cloud, outside the business networks." Perimeter and endpoint security can help squash some of these threats, but they can't tackle all attacks from social media impostors.

Businesses should be monitoring for impersonators, watching for instances of brand hijacking or ads selling counterfeit goods. Finding these accounts isn't easy; anyone can go out and use relevant social apps to create fake profiles.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10428
PUBLISHED: 2018-05-23
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
CVE-2018-6495
PUBLISHED: 2018-05-23
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0, CMS, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1 and Micro Focus UCMDB Browser, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1. This vulnerability could be remotely exploited to al...
CVE-2018-10653
PUBLISHED: 2018-05-23
There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-10654
PUBLISHED: 2018-05-23
There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-10648
PUBLISHED: 2018-05-23
There are Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.