A recent wave of social media phishing schemes doubles down on aggressive scare tactics with phony account-abuse accusations to coerce victims into handing over their login details.
Last week alone, Malwarebytes Labs uncovered two phishing scams, targeting Twitter and Discord (a voice, video, and text chat app). The Twitter phishing scam sends users a direct message (DM) flagging their account for use of hate speech and requesting the user authenticate the account to avoid a suspension. Users are then redirected to a fake "Twitter help center," which asks for the user's login credentials.
The Discord phishing campaign sends users a message from friends or strangers accusing the user of sending explicit photos that are exposed on a server. The message includes a link to the purported server, and if the user wants to follow the link, they are asked to log in via QR code. If they do, the account will most likely be taken over by scammers, according to Malwarebytes. The message then gets sent to the user's friends from his or her account, perpetuating the phishing scam.
Patrick Harr, CEO at SlashNext, an anti-phishing company, says the Twitter and Discord attacks are a clever twist on the traditional social engineering scam to steal credentials. The best social engineering scams use fear or outrage to move the victim to act quickly without taking too much time to think "Is this a phishing scam?," he explains.
"In both cases, the users of Twitter and Discord are motivated to resolve an issue that could impact their status, business, or entertainment, which is why this phish is so effective," he notes.
Social media platforms are perpetual targets of phishing campaigns, using psychological manipulation to encourage victims to disclose confidential login credentials. The pilfered information is then used by malicious actors to hijack the user's social media accounts, or even gain access to their bank accounts.
But more importantly for enterprises, successful social media attacks on their employees can open the door to infiltration to the company network via the user’s infected device or abused credentials. "This means companies need a BYOD strategy that includes multichannel phishing and malware protection to protect social, gaming, and all messaging apps," Harr says.
Fear and Urgency as Phishing Tools
James McQuiggan, security awareness advocate at KnowBe4, explains social media phishes are effective because they use fear and urgency to get the victim to take an action they might not otherwise take. "A lot of the time, phishing attacks rely on the victim reacting to the email in an emotional state," he says. "The victim sees the email and responds without adequately checking the sender or the link."
An example is the threat of the social media account being suspended or a notice that the password has expired. When the victim clicks the link and visits the fake website, it looks exactly like the login page, and the user enters their credentials.
And if the user employs multifactor authentication (MFA) with the account, he says, the attacker can copy that session key to bypass the login and automatically gain access before the victim realizes it.
Attackers typically create high-pressure situations to increase their success rates. "If the target doesn't have time to think or feels pressured to act, they will likely overlook any red flags or gut reactions telling them not to engage," says Hank Schless, senior manager of security solutions at Lookout.
In the two incidents involving Discord and Twitter, Schless says, the attackers went for the integrity of the individual. "The public shame associated with hate speech or inappropriate behavior can be enough to get someone to act without thinking," he says.
Remote Workforce Susceptible to Phishing
McQuiggan points out remote workers have less in-person interaction with people around them and are less likely to share the experience or event with their co-workers sitting next to them.
"Suppose the organization isn't providing them with equipment from the organization," he says. "In that case, they will certainly be using their own devices and are more relaxed with them at home than with a machine from their organization."
It's not hard for cybercriminals to search LinkedIn or Twitter to see which users work for the public relations, marketing, or communications teams and then work to target them. He says spear-phishing is a top attack vector to get employees to click the links and "open the electronic front door" of the organization.
SlashNext’s Harr says training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work life. "However, we hear from customers that making policy adjustments restricting employees' use of mobile, social, or other personal apps is not well-received," he says. "In fact, asking employees to install managed security on their personal devices is also a non-starter."
McQuiggan says additional training is certainly one method of getting users aware of the various social media attacks. "Avoid relying on the links in the email and use it as an alert to check the account," he adds. "Use the application or a browser to log in and verify if an account is wrong or experiencing problems, as mentioned in the phishing email."
Organizations should employ mobile phishing protection across their entire user base — to both corporate-owned and personal devices, Schless recommends.
"Phishing credentials on mobile devices is typically how attackers can gain discreet access to the broader infrastructure and execute more advanced attacks like ransomware," he explains. "Protection against those more advanced attacks requires visibility into how users are accessing apps and data, then how they interact with that data."
Phishing Attacks Just Won't Die
Schless is also seeing a recent increase in voice phishing (vishing) and QR code phishing. "There could also be broader use of deepfake technology to impersonate an individual's voice or face in order to make the malicious communication even more convincing," he says.
Harr says social engineering phishing scams continue to be a serious problem for organizations. "We have seen an increase in requests for SMS and messaging protection as business text compromise, like its cousin business email compromise, is becoming a growing problem for an organization to detect and block."