Social Media Phishing: Beyond Credential Theft

social media phishing attacksIn the past few weeks, our team highlighted how social media is abused by threat actors seeking to steal credentials and to administer phishing attacks. While these are both two of the most prominent cybersecurity threats distributed through social media, there are some other tactics in play, too.

Join us on February 6 to discuss the latest social media-based financial scams.

This week we’re going to take a closer look into some of the other threats that are distributed on, abuse, or impact social media brands that we use every day. For large organizations, perhaps one of the more vicious tactics are those that target their executives.

Targeting Executives

All employees are considered extensions of an organization’s brand(s), with executives more so. In the past decade of social media growth, there have been countless headlines showing consumers revolting against brands due to the personal opinions of an executive, which means in today’s world, protecting their name is just as important as protecting your logo. There are two common ways that threat actors will target an executive on social media: impersonation and doxing.

The impersonation of an executive is self-explanatory. In some cases, the person creating the account is doing it for the purposes of humor or parody and is not outright designed to disparage the target or the brand. Others,; however, attempt to mimic the appearance of an executive in an effort to negatively impact the brand, dish personal information, or even scam people by giving them small amounts of cryptocurrency.

Doxing, on the other hand, can be a bit more vicious. Depending on the nature of what is being made public, an executive’s home address, phone number, and other highly personal information may be shared freely. When this happens it can result in anything from hate mail, threats, or disparaging their character.

Reputation

Like social actors targeting an executive, one of their motivations may be tied to impacting a business’s reputation. This can come in the form of fake reviews, negative comments, hateful remarks, and other types of public-facing information that could impact an organization’s ability to do business. This, for example, is why PhishLabs detects threats beyond just the primary social networks, and into the dozens of platforms home to gripe sites.

Gripe sites, like traditional social media sites, allow people to post what they want, typically without using their real name, and often appear in search results. In some cases, a person will go as far as building their own site to impersonate or spoof a brand, too.

Source Code Dumps

Software and code can be the lifeblood of tech companies, and if proprietary information were to make its way into a public setting, it could negatively impact them. There are headlines after headlines showing examples of credentials being accidentally shared to code repositories.

According to a ZDnet report, “a scan of billions of files from 13% of all GitHub public repositories over a period of six months has revealed that over 100,000 repos have leaked API tokens and cryptographic keys, with thousands of new repositories leaking new secrets on a daily basis.”

Between developing mature processes to check for these kinds of accidental dumps and searches for proprietary source code, organizations can avoid being part of the 13% at risk for damaging their own brands.

Abusing Social Media Brands

In this year’s Phishing Trends and Intelligence report we highlighted social media as one of the most abused brands. This is because of the widespread adoption of each platform, which means it’s likely that a consumer will be familiar with the relevant logo, and seeing a password reset or account lock notice isn’t outside of the realm of reality. It’s the same reason that threat actors abuse cloud-based platforms like Adobe or Microsoft 365 as there is an increased likelihood that their victim has a related account.

When a threat actor abuses a social media brand, the goal is either to gain access to their account so that they can scam their connections or further propagate their phishing attacks. In other cases, a threat actor will use these credentials in an attempt to breach their email or financial accounts using the same information

According to a report by LassPass, “though 91% of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59% said they did so anyway. For 61%, it is the fear of forgetfulness that was the primary reason for password reuse.”

With these kinds of odds, more than 1-in-2 victims will have opened up the door to greater risk by falling for a phishing attack abusing a social brand.

Physical Threats

When it comes to social media, there is a heavy disconnect between the technology involved and the laws that most of us abide by. Because of this, there are times when the law needs to catch up with each platform, an example best seen in the supreme court case Elonis vs. U.S.

It was through this case that a violent threat made through a social network update, specifically rap lyrics, could potentially be construed as a physical threat against a person. In the end, the case ruled that the lyrics alone would not legally stand as a physical threat, and the supreme court avoided coming to a conclusion associated with first amendment rights.

Despite this example, each social network is constantly changing, and the consequences of violent or threatening language can vary. In most cases though, if there is a clear indication of a physical threat, the post in question can be removed, the account suspended, and if authorities are brought in, the person’s details will be made available as part of an investigation. Therefore, on a legal basis, physical threats are still a gray area when it comes to social media. Fortunately, each network has relatively clear rules and consequences.

One of the challenges associated with navigating this gray area is finding a way to actually take down these threats as the standard approach is to report it and wait. That’s where a solution like our Digital Risk Protection comes into play, as it allows our partners to tap into more than a decade of relationship building that results in fast lanes, APIs, and other processes that result in rapid mitigation.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at: https://info.phishlabs.com/blog/social-media-phishing-beyond-credential-theft