Social networks have become a trusted communication medium for both personal and professional communication. However, hackers regularly exploit the trust of the users of social networks for their own gain. This is often done by using phishing attacks. The term “phishing” refers to a social phenomenon whereby an individual imitates a trustworthy source with the aim to collect sensitive information from an unsuspecting user.
According to a research conducted by Kaspersky Lab, 22% percent of the phishing scams target Facebook. The report stated that Kaspersky Lab identifies more than 20,000 incidents per day in which the users of Kaspersky Lab attempt to visit Facebook pages. The above-mentioned statistic clearly indicates the need for security awareness programs amongst the users of social networks.
The purpose of this article is to examine the four most popular social media phishing schemes, namely, deceptive phishing (Section 2); malware-based phishing (Section 3); content-injection phishing (Section 4); and man-in-the middle phishing (Section 5). Finally, a conclusion is drawn (Section 6).
2. Deceptive phishing
Deceptive phishing is the most common type of social media phishing. In a typical scenario, a phisher creates an account pretending to be the account of the victim. Next, the phisher sends friend requests to the friends of the victim as well as a message such as “I have abandoned my previous Facebook account. From now on, please communicate with me through this account only”. Afterwards, the phisher starts sending messages to the friends of the victim that demand the recipient to click on a link. Examples of such messages include: (1) a statement that the receiver of the message has a virus which can be deleted by signing up for a special anti-virus inspection conducted by the social network; and (2) a fictitious invoice which can be cancelled by clicking on a link requesting the user to provide her/his personal information.
In most cases the messages sent by the phisher to the victim aims at collecting the personal information of the victim, including numbers of credit and debit cards. This information will be used by the phisher for transferring funds from the victim’s account to the phisher accounts. It is worth mentioning that often the phisher does not directly cause any economic damage to the victim, but merely resells the stolen information to third parties who commit the actual financial theft.
It should be noted that even the social network accounts of famous persons could be impersonated and used for deceptive phishing. A reporter at Nature, a scientific journal, found that more than 100 scientists, policy-makers and journalists have bogus Facebook accounts. The victims do not have any control over their profile and the actual owners of the accounts remain unknown. What is particularly interesting is that the bogus accounts have a network of bogus friends, which is used to persuade the victims that the phishing messages are sent from a genuine account. The creation of a network of impostors is also known as a “Sybil attack”.
3. Malware-based phishing
Malware-based phishing refers to a spread of phishing messages by using malware. For example, the Facebook account of a victim who installed a rogue Facebook app will automatically send messages to all the friends of the victim. Such messages often contain links allowing the receivers of the messages to install the rogue Facebook app on their computers or mobile devices. The best way to avoid the installation of rogue Facebook apps is to be very selective when installing any third-party Facebook applications. For example, Facebook apps developed by unknown developers that request access to extensive information should be researched thoroughly. One method often used by phishers to “seduce” the Facebook users to install malware to their computer is to promise them that the malware will enable them to see a list of people who visited their Facebook profile page.
In some cases, phishing malware is enclosed in gaming apps for mobile devices. For example, a popular gaming app called “Cowboy Adventure” contained malicious functionality that allowed the app developers to collect Facebook IDs and passwords of the users. The app operates as a genuine app and the person who installs it may not even suspect that he/she installed malicious software on his/her computer. The app was removed from the Google Play Store. However, similar malicious apps may already exist on Google Play Store, Apple AppStore, and other app marketplaces.
4. Content-injection phishing
The content-injection social network phishing refers to inserting malicious content in social networks. The malicious content can often be in the form of bogus posts (e.g., tweets, posts in the Facebook feed or in LinkedIn feed) published by users whose accounts were affected with rogue apps. In many cases, the victims are unable to see the bogus posts posted by the malware apps on their behalf. The bogus posts, for example, may contain a photo of the account owner and the text: “I am in the hospital. If you would like to help me, please sign up by clicking on the following link”. When the victim clicks on the link, he/she will be requested to provide his/her personal data, which may be used by the phisher for committing identity theft and other scams.
Sometimes a post may contain a malicious content and hoax text that requests the users to share the post. A typical hoax message reads as follows:
“As of September 28th, 2015 at 10:50p.m. Eastern Standard Time, I do not give Facebook or any entities associated with Facebook permission to use my pictures, information, or posts, both past and future. By this statement, I give notice to Facebook it is strictly forbidden to disclose, copy, distribute, or take any other action against me based on this profile and/or its contents. The content of this profile is private and confidential information. The violation of privacy can be punished by law (UCC 1-308- 1 1 308-103 and the Rome Statute). NOTE: Facebook is now a public entity. All members must post a note like this. If you prefer, you can copy and paste this version. If you do not publish a statement at least once it will be tactically allowing the use of your photos, as well as the information contained in the profile status updates.”
Facebook has little or no control on such hoax messages because, pursuant to Facebook’s legal documents, the users own all of the information posted by them on Facebook. Phishers can easily insert phishing links in the hoax messages. For example, a phisher may modify the second part of the aforementioned message as follows:
“Facebook is now a public entity. All members must sign-up at www.facebook12ds5.com/signup in order to prohibit Facebook from disclosing, copying, and distributing my information. If you do not sign-up here at least once you will be tactically allowing the use of your photos, as well as the information contained in the profile status updates.”
5. Man-in-the middle phishing
A man-in-the-middle social network attack, also known as social network session hijacking attack, is a form of phishing in which the phisher positions himself between the user and a legitimate social network website. Messages intended for the legitimate social network website pass through the phisher who can inspect the messages and acquire valuable information. Furthermore, the man in the middle can post phishing links on behalf of the victim.
There are many online tutorials that provide instructions on how to hack Facebook using a man-in-the middle attack. The man-in-the-middle attacks are easy to perform because they consist of several easy to implement steps. In a typical scenario, the attacker performs the following steps: (1) the attacker lures the victim to a phishing site (e.g., a fake login page of Facebook) where the victim enters his/her username and password; (2) the phisher’s server uses the stolen credentials to enter the legitimate social network website and keeps the session open; (3) when the user logs off from the phishing website, the phisher inspects the account of the victim on the legitimate social network website and acquires valuable information which can be used for various criminal purposes, such as stealing money or coming identity theft.
In some cases, the work of the man-in-the middle is facilitated by security vulnerabilities in the social network platforms. By way of illustration, the Egyptian penetration tester Ahmed Elsobky discovered a serious flaw in Facebook, which allowed hackers to perform a man-in-the-middle on Facebook. Facebook’s security team replied to the finding of Ahmed Elsobky as follows:
“We’d actually received an earlier report from another researcher regarding this same issue. In response to that report, we’ve been working on limiting this behavior when it comes to our official apps, since they’re pre-authorized. For other apps, unfortunately, fully preventing this would mean requiring any site integrating with Facebook to use HTTPS, which simply isn’t practical for right now.”
In order to prevent man-in-the-middle social network attacks exploiting the security vulnerability found by Ahmed Elsobky it is necessary to: (1) never send an access token over unencrypted channel; (2) use only encrypted apps; and (3) use “HTTPS Everywhere” Browser Extension.
Social network phishing is a significant information security threat for both individuals and companies. A large number of individuals have become victims of identity theft resulting from phishing attacks. Such attacks have caused severe reputation damage to many companies. There is a pressing social need for spreading security awareness about phishing. This article attempted to spread such awareness by examining the four most popular social network phishing attacks. The article also provides recommendations on how to avoid some of those attacks.
Looking forward, the phishers will invent more sophisticated social network phishing methods. In order to avoid becoming victims of these new methods, individuals and companies should undergo regular security training, which allows them to identify the phishing threats. For example, the popular social security networks (e.g., Facebook, LinkedIn, and Twitter) can provide their users with free video lessons educating their users on how to identify phishing attacks. Such videos will not only protect their users from hackers, but also increase user’s trust in the social networks.
- Faircloth, J., ‘Penetration Tester’s Open Source Toolkit’, Elsevier, 2011.
- ‘Hacking Facebook Using Man in the Middle Attack’, Hacking Tutorial Tips & Trick. Available at http://www.hacking-tutorial.com/hacking-tutorial/hacking-facebook-using-man-in-the-middle-attack/#sthash.lYTg7grK.sFg6Zual.dpbs.
- Herper, M., ‘I Was Impersonated On Facebook’, Forbes, 27 April 2009. Available at http://www.forbes.com/2009/04/24/facebook-privacy-herper-business-media-facebook.html.
- Hussain, F., ‘One Million Android Users Infected With Facebook Hacking Malware Apps’, HACKREAD, 12 July 2015.
- Laursen, L., ‘Fake Facebook pages spin web of deceit’, Nature, 23 April 2009. Available at http://www.nature.com/news/2009/090423/full/news.2009.398.html.
- Maniyara, M., ‘Phishers’ New Face Social Media Apps’, Symantec Official Blog, 22 May 2013. Available at http://www.symantec.com/connect/blogs/phishers-new-fake-social-media-apps.
- Mennie, P., ‘Social Media Risk and Governance: Managing Enterprise Risk’, Kogan Page Publishers, 3 October 2015.
- Navarro, J., and Jasinski, J., ‘Identity Theft and Social Networks’, In: ‘Social Networking as a Criminal Enterprise’, Marcum, C. (Ed.), Higgins, G. (Ed.), CRC Press, 2014.
- Patil, A., ‘Phishers Use Malware in Fake Facebook App’, Symantec Official Blog, October 2013. Available at http://www.symantec.com/connect/blogs/phishers-use-malware-fake-facebook-app.
- ‘Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication’, Tricipher. Available at https://www.globaltrust.it/documents/press/phishing/PhishingSolutionWhitepaper.pdf.
- Price, K., Kirwan, G., ‘Personality Caught in the Social Net: Facebook phishing’, In: ‘Cyberpsychology and New Media: A Thematic Reader’, Psychology Press, 2013.
- Sims, A., ‘Facebook hoax: No, you don’t need to post either of these fake statuses to protect your profile or pictures’, Independent, 30 September 2015. Available at http://www.independent.co.uk/life-style/gadgets-and-tech/facebook-hoax-no-you-dont-need-to-post-either-of-these-statuses-to-protect-your-profile-or-pictures-a6671166.html
- Stern, A., ‘Social Networkers Beware: Facebook is a Major Phishing Portal’, Kasperky.com, 23 June 2014. Available at https://blog.kaspersky.com/1-in-5-phishing-attacks-targets-facebook/5180/.
- Timm, C. and Perez, R., ‘Seven Deadliest Social Network Attacks’, Syngress, 2010.
- ‘Types of Phishing Attacks’, PCWorld. Available at http://www.pcworld.com/article/135293/article.html
Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.