For quite some time now, phishing has been a preferred method for malicious hackers to gather from users the information that allows them to penetrate systems. The surge in the use of social networks is now making their job even easier: scores of personal details, photos, videos, ideas and posts of any kind are available, often publicly. Phishing attacks are devised using available or solicited info, but also using rogue applications and web browser exploits: malicious ad-hoc social media applications or fake sites that contain malicious payloads to capture private details. Any social network user can be the victim of a phishing scheme.
Why are phishers targeting social networks? A May 2017 article in The New York Times reported a successful phishing attempt by Russian hackers against a Pentagon official who clicked on a Twitter post detailing a family-friendly vacation package. The episode showed that “while corporations and government agencies around the world are training their staff to think twice before opening anything sent by email, hackers have already moved on to a new kind of attack, targeting social media accounts, where people are more likely to be trusting.” On sites like Twitter and Facebook, people consider themselves among friends and acquire a false sense of security that drives them to click on links and give out information with an ease they would never apply when handling private or work e-mails.
Social networking sites have revolutionized the way people communicate with others, both in their personal and professional lives. To continue browsing safely and using the social media that have become part of our everyday activities, it is important to increase awareness and learn to apply a few easy but effective safety measures about sharing, posting, and avoiding digital drama, as commonsensemedia.org advises.
Typical Social Network-Related Phishing Attacks
Spear phishers often have a very easy life looking for information that users make publicly available in their social network profiles and then applying a variety of social engineering techniques. According to the Quarterly Threat Summary (Q4 2016 & YEAR IN REVIEW) by Proofpoint, a security vendor with a strong international presence, in 2016 “criminals leveraged human vulnerabilities to launch more malicious email campaigns than ever before along with attacks across mobile and social media platforms. Exploit kits declined, ransomware exploded, and targeted attacks grew more sophisticated.” In addition to a surge in the volume of malicious email campaigns and of malware-loaded mobile apps (a special mention for apps somehow related to the Summer Olympics games: 4,500 of the mobile apps reviewed contained exploits and were potentially able to leak data), “fraudulent accounts across social channels doubled from the third to fourth quarter. These accounts may be used for phishing, social spam, malware distribution, and more.” The study also found that social media phishing attacks increased 500% during the year, including angler phishing, a particular type of tactic that “intercepts customer support channels on social media” and allows malicious hackers to gather information by impersonating legitimate parties. As it is now common for companies to provide a customer service interface through social network sites, it is not uncommon to find fake customer service accounts online (many using the Facebook and Twitter platforms) that interact with users and request information on logins, passwords and accounts from unaware customers, who volunteer it hoping for a quick resolution to their issues.
Many scams also target information that users, in fact, attempt to conceal or make available only to a trusted circle of friends. One of the main things to remember when uploading info and multimedia material to sites is that there is really no expectation of privacy. On websites like Facebook, content is often available, at a minimum, to “friends of friends” and, therefore, users do not have much actual control over who has access to their data. In some cases, users are lured into entering their credentials in spoofed Facebook login screens, effectively giving access to their profiles. According to research on social network frauds by Kaspersky Security Network in 2013, in fact, “phishing sites imitating social network websites were to blame for more than 35% of cases […]. Sites imitating Facebook accounted for 22% of all phishing incidents.”
Another possible source of data leaks is applications to which users give permission to gather info in exchange for a service: games to be played online, apps that show your affinity with friends or that allow you to vote in surveys and interact with others can all collect and compromise information on the user and even their friends. Also, when signing up for groups or pages, it is common to receive friend requests from total strangers who are active in conversations in which users might have taken part. Many of these requests might be legitimate and harmless; some, however, come from true professionals who lurk in the background waiting for possible prey to befriend in the name of a common interest. Often, they can lure fellow group members into opening phishing sites by posting fake comments and pretending to share with others their personal experience with particular online sites and services.
Phishing Security Awareness Tips and Tricks
“Common sense, caution, and skepticism are some of the strongest tools you have to protect yourself,” advises privacyrights.org. Easier said than done, however, as phishers are becoming more and more sophisticated in their techniques.
While some Internet browsers have taken steps to help identify bogus or fraudulent websites, blocking pop-ups and responding to a wide variety of attacks, using e-mail securely and social networking sites safely remains the responsibility of the end user. First and foremost, it’s important to know how to recognize the signs of a phishing scam. An e-mail from a bank or customer service requesting login credentials or account information, a message from a friendly but unknown person insisting on befriending a user, or a message that urges users to perform certain actions in a very limited timeframe could all be signs of malicious activity; attachments that haven’t specifically been requested, even if coming from reputable sources, could also be troublesome.
What can a user do? Below are some tips and tricks that can go a long way in helping cyber surfers be safe on social networks.
- First, check sources. If an unexpected e-mail or attachment hits the mailbox, it is important to verify its legitimacy directly with the sender. When the text of an e-mail insists that the recipient click on a link to go to a company website or login page, opening a browser and manually navigating to the site is always the best option.
- Be sure to look for the secure address of the web page, beginning with https://, to keep user communications, identity and web browsing private. HTTPS protects the connection; it does not by itself show that the site is the one it claims to be.
- Perform all necessary browser security upgrades as soon as possible after they become available. Many are released to plug security holes immediately after they are discovered and to add recognition of known phishing/hacking attempts. Phishers do take advantage of vulnerable web browsers and, often, phishing attacks are the result of commonly exploited XSS vulnerabilities, where the browser loads the Web page and the injected script executes without the victim even knowing that such an attack has taken place.
- Once the browser is updated, it is always a good practice to periodically check its security feature options, such as anti-phishing plugins and extensions, and use all those that are necessary to provide maximum protection against cyber-attacks. Whatever browser you use, it’s crucial to activate all the available, integrated phishing and malware protection tools. Use anti-phishing plugins that are designed especially for protection in addition to employing anti-phishing hardware and software solutions to prevent phishing attacks.
- In addition to maintaining web browsers, make sure to keep operating systems, malware removal and anti-virus software up-to-date so as to always have the best protection available.
- Learn something about phishing so as to be prepared and know what you may come up against while navigating online before it happens; also familiarize yourself with pertinent regulations, including the Anti-Phishing Act of 2005.
- Be familiar with the broad array of anti-phishing services that are currently available.
- In a business setting, invest in the right form of training. InfoSec Institute’s Phishing Simulator SecurityIQ, for example, can “help your employees, regardless of their role within the company, develop safe information technology habits,” says Andrei Antipov, a Security Engineer, in his ‘4 Tips for Phishing Field Employees’. Through means like PhishSIM, a phishing training and simulation tool that provides awareness to employees through realistic automatic phishing tests and custom templates, companies can effectively train their workforce to recognize and prevent malicious attacks perpetrated through social engineering tactics.
- Become very familiar with the anti-phishing tips and privacy security settings of all social network sites you commonly use. Review the privacy options after joining a site and periodically after that to hide from public view as many personal details as possible.
- Never download unsolicited software, click on URLs in e-mails or act in response to popups that appear while you are browsing. Social networks don’t usually need extra bits of software to be downloaded on your computer. Take particular care with shortened links (through services like Bit.ly, Tiny.cc, etc.), commonly used by scammers.
- Pay attention to “what is normal.” If an e-mail from a coworker is not in his or her usual style, if a stranger insists on befriending you, or if anyone urges you to click on a link or provide info and/or credentials, make sure to verify the legitimacy of the request.
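The link checks from the tips above (HTTPS, shortened links, addresses that imitate a social network site), written out as an added example that is not part of the original article. The domain lists, reason labels and sample links are constructed assumptions, and an empty result only means none of these checks fired, not that the link is safe.

```python
from urllib.parse import urlsplit

# Assumed lists for illustration: the shorteners and sites the article names.
SHORTENERS = {"bit.ly", "tiny.cc"}
BRANDS = {"facebook": "facebook.com", "twitter": "twitter.com"}


def triage_link(url):
    """Return reasons to look twice at a link; [] means no check fired."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:
        # Text before '@' is login info, not the site; the real host follows it.
        reasons.append("userinfo-in-url")
    if host in SHORTENERS:
        reasons.append("shortened-link")  # destination hidden until expanded
    labels = host.split(".")
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in labels):
        reasons.append("non-ascii-host")  # possible look-alike characters
    for brand, real in BRANDS.items():
        # Brand name appears in the host, but the host is not the brand's domain.
        if brand in host and host != real and not host.endswith("." + real):
            reasons.append("brand-lookalike:" + brand)
    return reasons


# Constructed sample links (reserved .example names, not real campaigns).
SAMPLES = [
    "https://www.facebook.com/help/phishing",
    "http://facebook.com.login-check.example/signin",
    "https://bit.ly/EXAMPLE",
    "https://twitter.com@support.example/reset",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", triage_link(link) or "no flags")
```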
All told, awareness is always the best defense against any scam that exploits employee-related vulnerabilities. Take advantage of all services and tools provided online. For example, educate employees with Free Phishing Simulators or try SecurityIQ for free. Such an interactive program can help to decrease susceptibility to phishing attacks and augment your workforce’s resilience.
Social media activity has made consumers’ private lives much more public. Anyone can be a phishing target, so it is important to embed standard safety practices in browsing habits to stay safe online. In addition to the anti-phishing tips already discussed, you should also be ready to share your experience and findings to help other users: if you do get caught up in a scam, be it the receipt of a suspicious email in your Messenger account, for example, or elsewhere, be sure to delete the message only after having reported the con (by sending the info to firstname.lastname@example.org, for example). And when you come across a website you believe is spoofed, such as a Facebook ‘clone’ account, take the time to report it to sites like antiphishing.org or to the Google Safe Browsing team. Doing so, you will contribute to keeping the web safe from phishing sites and fellow cyber surfers safe.
Albaugh, D. (2017, April 28). Common phishing scams and how to recognise and avoid them. Retrieved from https://www.comparitech.com/blog/information-security/common-phishing-scams-how-to-avoid/
Anti-Phishing Working Group. (2016). Phishing Activity Trends Report, 4th Quarter 2016. Retrieved from http://docs.apwg.org/reports/apwg_trends_report_q4_2016.pdf
Avast.com. (2013, March 25). Threat Intelligence Team: Fake Facebook login pages spreading by Facebook applications. Retrieved from https://blog.avast.com/2013/03/25/fake-facebook-login-pages-spreading-by-facebook-applications/
Chipurici, C. (2016, June 16). Facebook Privacy & Security Guide: Everything You Need to Know [Updated]. Retrieved from https://heimdalsecurity.com/blog/facebook-security-privacy-guide/#
Common Sense Media. (n.d.). Facebook, Instagram, and Social. Retrieved from https://www.commonsensemedia.org/social-media
Demidova, N. (2014, June 11). Social network frauds. Retrieved from https://securelist.com/social-network-frauds/63855/
Facebook Help Center. (n.d.). Phishing. Retrieved from https://www.facebook.com/help/phishing
Frenkel, S. (2017, May 28). Hackers Hide Cyberattacks in Social Media Posts. Retrieved from https://www.nytimes.com/2017/05/28/technology/hackers-hide-cyberattacks-in-social-media-posts.html
Get Safe Online. (n.d.). Get the whole picture on safe social media. Retrieved from https://www.getsafeonline.org/safesocial/
Get Safe Online. (n.d.). Protecting Your Computer Safe Internet Use. Retrieved from https://www.getsafeonline.org/protecting-your-computer/safe-internet-use/
Haley, C. C. (2013, March 18). Facebook Phishing Scams. Retrieved from http://www.thatsnonsense.com/facebook-phishing-scams/
Hoelscher, P. (2016, May 12). Phishing on Social Networks – Gathering information. Retrieved from http://resources.infosecinstitute.com/category/enterprise/phishing/the-phishing-landscape/phishing-attacks-by-demographic/social-networks/#gref
Klosowski, T. (2012, August 30). How Secure Are You Online: The Checklist. Retrieved from https://lifehacker.com/5938980/how-secure-are-you-online-the-checklist#browser
O’Donnell, A. (2016, October 6). How to Avoid Getting Scammed By Social Media Phishers. Retrieved from https://www.lifewire.com/avoid-getting-scammed-by-social-media-phishers-2487636
Phishing.org. (n.d.). Phishing Techniques. Retrieved from http://www.phishing.org/phishing-techniques
Privacy Rights Clearinghouse. (2010, June 1). Social Networking Privacy: How to be Safe, Secure and Social. Retrieved from https://www.privacyrights.org/consumer-guides/social-networking-privacy-how-be-safe-secure-and-social
Proofpoint. (2016). Quarterly Threat Summary (October – December 2016). Q4 2016 & YEAR IN REVIEW. Retrieved from https://www.proofpoint.com/sites/default/files/proofpoint_q4_threat_report-final.pdf
Stern, A. (2014, June 23). Social Networkers Beware: Facebook is a Major Phishing Portal. Retrieved from https://www.kaspersky.com/blog/1-in-5-phishing-attacks-targets-facebook/5180/
US-CERT.org. (2015, September 8). Securing Your Web Browser. Retrieved from https://www.us-cert.gov/publications/securing-your-web-browser
Wüest, C. (n.d.). Scams and Spam to Avoid on Facebook. Retrieved from http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/scams_and_spam_to_avoid_on_facebook.pdf