Social media remains an easily exploitable attack surface

Twitter is one of my favorite social platforms. As a journalist, I get news from it, but I also get to interact with my peers and friends. But Twitter, like every other social platform, has an interesting attack surface; one that criminals have been exploiting for years.

The object of social media, as one would expect, is to encourage people to be social. This is why Twitter and Facebook seem to be force multipliers when it comes to the spread of news, and gossip. But, as mentioned, this instant connection to information can be turned against the masses. While all social platforms can be abused, the two that are the easiest mess with are Facebook and Twitter.

One of the reasons for the higher levels of success on those two websites stems from the use of psychological triggers. A whitepaper from SANS has an overview of the seven triggers, and  while authored in 2002, the paper is a good resource for understanding the fundamentals and what can be done to guard against them.

The trigger most often used by an attacker is called “the strong affect.” This trigger uses a heightened sense of emotional state, such as fear, panic, excitement, or grief in order to get the victim to take an action. The best lures will center on current events that impact a large number of people.

For example, when Whitney Houston died in 2012, scammers were quick to target trending keywords on Twitter (#RIPWhitneyHouston / #RIPWhitney) and promote “shocking” or “exclusive” videos on Facebook about the event.

Given the emotional state of some of her fans, as well as the public need for new information on the event, criminals hijacked the topic to promote survey scams and click fraud. With each click, the criminals earned advertising compensation and exposed the visitor to information theft.

The same thing happened shortly after Malaysia Airlines flight MH17 was shot down by pro-Russian rebels in July.

On Twitter, posts tagged with #MH17 were used spread news, opinions, and general commentary by the public. However, as the tag grew in popularity and started trending worldwide, criminals posted malicious links and tagging them with #MH17 in order to target the people following that topic. In this case, the links were directing people to malware.

Other emotional events that were targeted include the disappearance of Flight 370, and the Boston bombings. But tragedy isn’t the only thing that criminals latch onto when leveraging the strong affect; sometimes they use the promise of amusement.

Over the summer, criminals started using the popularity of the ALS Ice Bucket Challenge in Phishing campaigns. While there were a few scattered Twitter posts and Facebook links (all of the offending posts have since been removed), the scam shifted towards email towards the end of August.

The messages contain either a link to ALS Ice Bucket videos, or an attachment promising a comical video or a compilation of them. No matter what option is presented as a lure, the payoff for the criminal is a person installing malware that harvests personal information and passwords.

Targeting both a trending topic and those with voyeuristic tendencies, the strong affect was used recently in the aftermath of the iCloud incident that led to private photos of nearly one-hundred celebrities being leaked to the Web.

Symantec started spotting Phishing attempts aimed at Apple customers within a day of the story going viral. In addition to email, the topic was also used in SMS messages sent to hundreds of people. The criminals were asking those who got the messages (including celebrities) to respond with their AppleID and password.

On social media, the iCloud incident was used to promote survey scams and malware, as people started promising downloads of all the photos, as well as videos of the actresses and singers. The image board where the leaks originated, AnonIB, housed hundreds of such malicious links in the days after the incident gained international attention.

Last week, during the Facebook outage, I conducted an experiment. As it turns out, I was able to get more than one-hundred people to click a link that delivered them to Social-Engineer.org, with a single message:

#Facebook outage explained: bit.ly/aRYt11

By targeting the information vacuum that develops in the wake of breaking news, or targeting a person’s morbid or lustful curiosity, even their emotional state, criminals are hijacking topics on social media with ease.

Because humans are acting like humans, links are clicked, information is freely given away, and files are downloaded and installed. Social engineering is the type of problem that everyone knows about, but dealing with it isn’t a simple matter. Awareness programs can help, but they can only do so much.

As long as there are people who are willing to click on links, these types of attacks will remain valid points of entry.