Spear Phishing Attack on The Rampage – Stay Alert!

Social media is used widely today, and abuse of social media is on the rise too. While marketing teams have been known to monitor social media to protect their brand and communicate on its behalf, they are not equipped to handle the advanced social media attacks that are becoming increasingly prevalent. Spear phishing is one such attack that poses a serious threat.

Social Media Platforms – A Goldmine for Hackers  

Social media acts as a data delivery mechanism for the user’s contacts, location, and even business activities. Hackers often use this to gather critical information about a company or individual and then develop targeted advertisement campaigns or spear-phishing attacks. Most cybercriminals are typically after money.

One such incident that brought this issue to the forefront recently was the Twitter account hack. Twitter revealed the root cause of the security breach it suffered a few weeks ago, when several high-profile accounts were hacked to spread a cryptocurrency scam. It said that a technique called a “phone spear phishing attack” was used to target a small number of its employees, leading to a major breach.

Phishing is a form of social engineering that uses digital methods for malicious purposes. On social media, phishing takes numerous forms, such as impersonation, credential theft, propagating attacks, data dumps, romance scams, 419 scams (Nigerian prince), and intelligence gathering (for account takeover and spear phishing). Unfortunately, these platforms still offer only minimal controls to prevent the further propagation of account takeovers,

Spear Phishing Attack – It’s Bigger Than You Think  

In your day-to-day life, there is a good chance you’ll run across a YouTube video, an embedded tweet in a news article, or even scroll through cute puppies on Instagram. However, the threats posed to social media as a whole extend well beyond the biggest social media sites. News sites, forums, blogs, paste and doc sites, and even gripe sites are all part of the social media ecosystem.

Abuse of short URLs is not new when it comes to phishing attacks, but it is becoming more rampant on Twitter. Some threat actors use Twitter’s URL shortener to hide malicious links, while others even host their C2 infrastructure on the platform.

As phishing is the malicious use of social engineering, impersonation plays a huge role in the success of an attack. By posing as someone with any kind of authority, it’s pretty easy to destroy that person and the brand associated with them. For example, when a celebrity posts on Twitter, a threat actor replies to the post, posing as that celebrity and saying they are giving away free bitcoins. In reality, they aren’t!

Things Could Get Ugly  

Not only are threat actors employing phishing attacks right on social platforms, but they also trick users into logging into fake landing pages, which in turn leads them to compromise their credentials. When this happens, a threat actor can gain easy access to the user’s account and propagate attacks to trick new users into handing over their credentials.

It is quite common for dumps of breached databases to make several rounds on the internet. There are also data-gathering gimmicks like: “Quick, what was the name of your first pet?” It was Fluffy, wasn’t it? Well, that post you shared on social media 10 years ago just happens to contain the information you also use to reset passwords. A threat actor can use this information to build a sophisticated spear-phishing campaign custom-designed for you!

Protect Your Business from Spear Phishing Attacks and Social Media Engineering  

Here are some surefire ways to protect your business from social engineering: ensure you have full visibility into all brand channels, and into executive accounts where necessary; train your employees to keep them informed about the latest cybersecurity trends and threats, and to be mindful about what they post on their social media accounts; and implement an overarching data governance policy that makes clear what employees can and cannot post on social channels.

Above all, businesses need to educate their employees on the responsible use of social media, not only for the brand’s sake but for theirs as well. Armed with the right knowledge, and the right technology to manage digital risk, brands can reduce the likelihood of suffering an effective social media engineering attack.  

If you wish to learn how you could protect your organization, employees, brands, and users from such phishing attacks, you could visit Cyber Chasse.
