Social Media and Targeted Phishing Attacks will continue to be an increasing cybersecurity risk in 2020! How best to mitigate the risk?
By Marc Kisner, Senior Security Consultant & Penetration Tester at Bridewell Consulting
When it comes to cyber criminals social Media is used primarily as an intelligence gathering tool but it’s also a channel to deliver targeted phishing attacks and is a threat vector itself.
Social media networks such as LinkedIn and Facebook, are the go-to places to start to gather information and intelligence before closing in on a target organisation.
These platforms are treasure troves of corporate information that is in the public domain, as well as key information on employees who work for the organisation. These elements become the key components for any successful phishing campaign. Cyber criminals utilise phishing attack techniques to trick users into divulging sensitive information or to deliver and install malware via electronic communication. This could be via an email, social media message, or SMS message.
You can have all the latest technical controls in place and the highest levels of security, but cybercriminals will always target the human element as the weakest link in the layered defence of an organisation.
So, as a user, what can you do? What best practices can you follow?
Understanding the risk
The first port of call is to understand the nature and risks of a targeted phishing attack and how cyber criminals use social media to help gather information to target an organisation. Phishing attacks are a type of social engineering attack. The main objective is to deceive, trick and con an employee/user into clicking on a spurious link by impersonating the organisation or business though targeted email campaigns. Fraudsters are targeting human behaviour and not the underlying technology.
The general rule is “think before you click!!”
Methods phishing Attack
Users and employees need to be vigilant and aware of all forms of phishing attack. The main methods of attack include:
- Mass Scale Phishing – (The shotgun approach) – This is an attack technique where threat actors cast a wide net of attacks that are not highly targeted to specific individuals. These types of attacks are similar to spam emails but with a malicious payload or link to a spurious website.
- Spear Phishing – More of a sniper’s approach that targets a specific victim or a group of individuals using personal details that mimic the organisation and pretend to come from a legitimate source i.e. another individual from within the organisation. A common method would be to mimic an internal email from the IT support desk.
- Whaling – This is a highly targeted attack technique taking a sniper’s approach to target a specific high-powered senior executive and important individual within the organisation such as the CISO, CEO or CFO etc
Spotting phishing emails
Phishing attacks send phony emails that appear to come from a valid source trying to trick users into revealing sensitive personal or corporate information. According to Phishing Box Phishing Box and the Verizon Data Breach Investigation Report (DBIR):
- 66% of malware is installed via malicious email attachments
- 90% of incidences and breaches included a phishing element
- 21% of ransomware involved social actions, such as phishing
- 43% of all breaches included social tactics
- 93% of social attacks were phishing related
- 28% of phishing attacks are targeted
Phishing emails can be very difficult to spot. Key tell-tale signs to look out for, and ways to identify phishing emails include:
- Check carefully and verify the sender name and domain name are correct
- Look for compressed attachments such as zip files
- Be wary of impersonalised Messages. Mass phishing campaigns tend to be impersonalised
- On the other hand, spear phishing attacks will be highly targeted so also look out for highly personalised emails which often will reference co-workers and other departments such as HR, Finance etc
- Look for grammatical errors
- Don’t fall for scare tactics creating urgency
- Check for brand imitation and spoofing of the domain name. Always check URLs that appear to look legitimate by design as often they mimic well known websites and are used to steal information submitted via forms and distribute malware to visitors
- Look out for embedded malicious files. Attackers will often embed malware within common file attachments such as .doc, .xls, .ppt, .pdf
- Triple check hyperlinks – always hover over links and look out for text that often hides the hyperlinks true destination
What is Smishing?
Smishing is a variant of Phishing attacks but the attack technique will be via a text SMS message as opposed to an email. SMS message attacks involve fraudsters sending fake text messages to trick users into divulging sensitive information or infecting your mobile devices with malware.
To best detect and avoid these types of attack look out for the following factors:
- Key tell-tale signs such as any numbers that do not look like a genuine mobile phone number. These are most likely to be fake SMS messages where fraudsters are masking their identity by using email to text services
- Spoofed websites – phony text messages can contain a link to a fake website with the aim of infecting your device with malware or stealing sensitive information
- Unknown numbers – This is the first red flag. If a text received from an unknown number or is unsolicited
- A sense of urgency – these types of attacks often use the last few digits of your debit/credit card as a scare tactic to pressure a response
- Credible contact details – always contact the sender directly to validate if the text message is legitimate especially if the text message appears to be from a bank or financial institution or social media platform and other business accounts
- Spoofing of authentication platforms – cyber criminals will go to extremes to achieve their goals and have even spoofed two factor authentication for Gmail, Hotmail and Yahoo Mail
- In order to gain access to a victim’s email accounts the attacker will target authentication systems where the fraudster will attempt to trick legitimate users into resetting their passwords. Here is how they do it:
- This process follows a strategy of verifying the victims email address and phone number from publicly available sources such as LinkedIn. The attacker then poses as the victim and initiates a password reset.
- The platform will then send out a reset code to the victim
- The attacker then sends an SMS to the victim’s mobile phone number with a fake message pretending to be from LinkedIn saying that it has detected unusual activity on your account. Please respond to this message immediately with the code sent to your mobile previously
- The victim then is conned into sending the verification code to the attacker thinking the request is genuine
- The attacker then uses the verification code to reset the victim’s password and the credentials are then compromised and the attacker has taken control of the account in question
What is Vishing?
Vishing is short for voice phishing where attackers will use social engineering tactics and use the telephone to solicit sensitive information from unsuspecting victims.
To best detect and avoid these types of attack look out following these steps:
- Be wary of calls from people you don’t know pretending to be from your IT department asking for credentials. These should never be shared over the phone
- Don’t be fooled by how much they may know – personal data can be gathered from social media profiles that aid the fraudster in sounding more realistic and from a legitimate source
- Keep an eye out for pressurising tactics. Scammers often try and use fear as a scare tactic and will tell a phony story trying to induce you to think your money is at risk and you must act quickly
- Look out for generic numbers. These are a red flag and tell-tale sign that someone is up to no good. Often fraudsters alter phone number IDs to appear to be from a legitimate source and try to mask the origin of the call
What is social media phishing?
As mentioned earlier, social media is a treasure trove of corporate and personal information that is in the public domain, as well key information on employees that work for the organisation.
Fraudsters use social media as a channel to carry out phishing attacks. As with all of these types of attacks, the main aim is to trick legitimate users into divulging sensitive information or to spread malware. Some attacks are used to hi jack your accounts to launch follow up attacks on your connections and followers.
To ensure you don’t fall fowl to social phishing, follow the below:
- Always be vigilant as phishers can pose as admins from social networking sites and attempt to gain access to passwords and other account information
- Don’t take everything at face value – these fake messages often claim the previous account was abandoned. Messages are then sent to the victim’s friends that demand urgent action such as click on a link with the aim of inducing a user to divulge sensitive personal or corporate information
- Be wary of bogus posts – these are common click bait on social media feeds and attempt to trick users to click on a link and then a form to capture sensitive information such as credentials
- Not everyone is your friend – fraudsters often pose as a friend/follower and send messages with links to malicious websites that are infected with malware
At Bridewell Consulting we are in it for the long term. As a trusted partner, our team of experts can assist you on your cyber security journey and beyond. For further information or a no commitment chat, on any of the above, please get in touch here or give us a call on 01189 255 084.