2023-09-04

Instagram’s Threads platform launched to great fanfare in July with a massive surge of users signing up for the new text-sharing and public conversation service, including businesses using the service as an extension of existing social media and communications programs.

Many have seen it as an alternative to Elon Musk’s X — formerly Twitter — platform, which has been roiled by massive layoffs, changes that have infuriated some longtime users, and the appearance that Musk’s free speech mandate has given a renewed voice to white supremacists and other hate groups.

Instagram users log into Threads via their Instagram account and can post up to 500 characters as well as links, photos, and videos up to five minutes in length. Meta’s new social network is also considered a direct competitor to Slack, receiving over 10 million in site traffic in its first two weeks, with the app’s global website ranking skyrocketing from 545,741 to 5,813.

Demand for and intrigue about Instagram Threads is high. However, Threads is already proving to be a target for fraud and abuse, and its use carries several potential security and compliance risks for organizations.

Domain fraud and brand abuse

Research from CSC found 428 new domain registrations using the term “threads” between June 26 and July 27, 2023, many of which have some sort of affiliation to existing brands. This points to the need for organizations to monitor their domain activity to determine which registrations on Threads are authorized and authentic, and which are fraudulent and can put their brand at risk of abuse, CSC said. Possible brand infringements can include impersonation and hacks.

Veriti said it observed a surge in the creation of suspicious domains, with 700 domains related to threads being registered daily.
These domains pose a significant risk as they can be used to deceive users, distribute malware, and lure unsuspecting individuals into downloading untrusted versions of the app.

“As with any new tool or technology, organizations should take the initiative to learn about its risks and consider the security measures needed before jumping right into more consistent use,” CSC said. In the case of online platforms like Threads, cybercriminals will try to beat you to the punch, so it is crucial for organizations to be aware of their entire domain landscape and take proactive steps to cut off exploits and infringements from the source at the time of registration, CSC wrote.

Malicious URLs and malware downloads

High-profile products draw keen interest from malicious actors, and Threads is no exception, Alexander Applegate, senior threat researcher at DNSFilter, tells CSO. “Threads attracted 100 million users in its first week, displacing ChatGPT to become the fastest application to achieve that mark. During that same week, researchers found 200 million suspicious URLs associated with the tool.”

While the threat is not one that is likely to make its way into the Apple Store’s walled garden, many of the links were false downloads for malware, Applegate says. “The remaining links were taking advantage of the low state of security review for the product and looking to capitalize on user trust to perpetrate scams and to deliver malware via posting on the platform.”

Unintentional and malicious data leakage/exposure

If employees use Threads for official communication or to share sensitive data, there is a risk that the data could be leaked unintentionally.
“Even if they are using it for personal conversations, discussions about company projects, strategies, or internal gossip might slip out,” says Guenther.

Threads has a feature for sharing one’s location, and if used carelessly by an employee, it could reveal sensitive or strategic business location data. Likewise, content shared on Threads, like any cloud service, is stored on servers managed by the service provider. Even if encrypted, there’s always a concern about how this data could be used or who might gain access, Guenther adds.

What’s more, Instagram Direct (and by extension, Threads) doesn’t use end-to-end encryption for messages by default, unlike Signal or WhatsApp. “This means that the content of messages is potentially accessible by Instagram and anyone who can compromise Instagram’s systems,” Guenther says.

Shared credentials and account hijacking

Threads is very easy to both download and sign up for, as it integrates seamlessly with a user’s Instagram account when first signing up for the platform. However, this seamless integration could pose security risks, according to a blog from AgileBlue. Instagram, Facebook, and now Threads are all owned by Meta, and for many users, each of their Meta accounts shares the same login credentials across the platforms.

“This makes it much easier for malicious actors to access information as gaining access to just one account ultimately gives them access to all Meta accounts,” the blog said.
In fact, as of writing, only users with an Instagram account can create a Threads account, so if an individual wants to sign up for Threads, they will first have to create an Instagram account.

“If an employee’s Threads account is compromised, malicious actors can impersonate the employee to gather information or spread misinformation within their close circle,” Guenther says.

Data privacy and compliance issues

Organizations that are required to maintain certain compliance standards might find it challenging if employees use personal apps such as Threads for work-related matters, Guenther says. The app is unavailable in areas with strict privacy laws, such as the European Union (EU). Countries in the EU are much more heavily regulated when it comes to protecting the privacy of the consumer, but regulatory scrutiny regarding Threads extends to the US and other countries.

“Meta, the parent company of Threads, remains under a consent decree imposed by the FTC in 2012, which prohibits ‘unfair or deceptive’ practices in handling user personal information. If the forced linking of Instagram and Threads accounts results in users losing adequate control over their data privacy or necessitates burdensome additional steps to ensure data security, it is possible that this could be deemed a violation of the FTC decree,” read AgileBlue’s posting.

This highlights the potential legal implications and the importance of ensuring users’ privacy rights are upheld in the context of using Threads, particularly given that Threads collects more user data than many other social media platforms today.

“The obvious initial concern is Meta’s historical track record with data privacy, and Threads is no exception.
It demands access to all manner of personal data, including location-tracking information, social networking data, financial data, even when the application is not in use,” Applegate says.

Phishing and vulnerabilities

Any messaging platform can be used to deliver phishing messages and is susceptible to vulnerabilities. “Employees might receive malicious links or be manipulated into sharing sensitive information,” Guenther says. Undiscovered vulnerabilities (zero-days) might be exploited by attackers and, given that Threads is linked with Instagram, there’s a risk that vulnerabilities or data breaches in one app could potentially affect the other, she adds. Vulnerabilities could also be misused to exploit the permissions Threads asks for (like access to contacts and location) on a device.

Training, policies, and monitoring are key to secure use of Threads

To help ensure secure use of Threads within a business, Guenther recommends implementing a combination of employee training, policies, and monitoring. “Employees should be aware of the risks related to using personal messaging apps for professional purposes.

Policies should outline clear guidelines regarding the use of personal apps on work devices. Monitoring tools should detect unauthorized apps or activities.”

Two areas in which Threads shows security promise are the lack of a direct-message function, which should help to some extent with cyberbullying, and the absence of advertising, which removes the threat of malvertising and other ad-based scams, Applegate says. “The initial buzz also seems to have cooled significantly, and the platform has apparently lost about half of its subscribers since early June. With fewer users comes less interest from threat groups.”
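The domain monitoring CSC describes in the "Domain fraud and brand abuse" section, and the monitoring Guenther recommends in the closing section, can be reduced to a daily triage step: take the day's new registrations, keep those that contain the brand term or an obvious variant of it, and separate the ones the organization registered itself from the ones an analyst should look at. The script below is an added example, not code from CSC, Veriti, DNSFilter or the article's author. The allowlist, the sample registrations and the `.example` domains are constructed for illustration; a real run would read a zone-file diff or certificate-transparency feed instead of the inline list.

```python
"""Triage newly registered domains for brand-term abuse.

Added example: this is not code from CSC, Veriti or the article. The
allowlist, the sample registrations and the .example domains below are
constructed for illustration.
"""
from dataclasses import dataclass

# Common digit/symbol substitutions used to imitate a brand term.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Hypothetical allowlist: domains the organization itself registered.
AUTHORIZED = {"threads.example", "threads-app.example"}

# Two-part public suffixes handled by the crude label extractor below.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "co.nz"}

# Constructed sample of one day's new registrations (not real data).
SAMPLE_REGISTRATIONS = [
    "threads.example",            # the organization's own, on the allowlist
    "threads-login.example",      # brand term, not authorized
    "thr3ads-app.example",        # digit substitution
    "threds-verify.example",      # one-character typo
    "thread-count-shop.co.uk",    # legitimate word; shows a false positive
    "weather-forecast.example",   # unrelated
]


@dataclass
class Finding:
    domain: str
    term: str
    reason: str
    status: str  # "authorized" or "review"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label just below the public suffix, e.g. 'threads-login'."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def match_reason(label: str, term: str):
    """Explain why a label resembles the brand term, or None if it does not."""
    if term in label:
        return "contains brand term"
    if term in label.translate(LEET):
        return "brand term with character substitution"
    # Check each hyphen-separated token for a one-edit typo of the term.
    for token in label.replace("_", "-").split("-"):
        if abs(len(token) - len(term)) <= 1 and levenshtein(token, term) <= 1:
            return "typo variant of brand term"
    return None


def triage(domains, terms=("threads",), authorized=AUTHORIZED):
    """Flag brand-related registrations; mark allowlisted ones as authorized."""
    findings = []
    for raw in domains:
        domain = raw.lower().strip()
        label = registrable_label(domain)
        for term in terms:
            reason = match_reason(label, term)
            if reason:
                break
        else:
            continue  # no resemblance to any brand term: not a finding
        status = "authorized" if domain in authorized else "review"
        findings.append(Finding(domain, term, reason, status))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REGISTRATIONS):
        print(f"{f.status:10} {f.domain:28} {f.reason}")
```

The typo heuristic deliberately errs on the side of flagging: `thread-count-shop.co.uk` is an ordinary retail name, but it lands in the review queue because "thread" is one edit from the brand term. That is the trade-off CSC's advice implies; the allowlist keeps the organization's own registrations out of the queue, and an analyst dismisses the rest rather than the script deciding on its own.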