Updated as of June 7th 2021
It’s an excellent time to be an online retailer. In 2021, over 230 million Americans will be shopping digitally, positioning the United States as one of the leading e-commerce markets.
Social platforms are highly influential with millennials, teens, and Gen Z consumers: 50% of college students have purchased on Instagram, and 48% of U.S. internet users aged 18 to 34 have purchased through social media this year. Older shoppers are also becoming more comfortable with social media shopping: 28% of U.S. internet users aged 18 to 55 said they would consider purchasing through social media platforms.
As these platforms become more intrinsic to our daily lives, they have also become a crucial attack vector that enterprises can no longer ignore. Compared to eCommerce and corporate websites, social media platforms lack the layers of protection needed to fend off attackers, and they offer multiple avenues for delivering malware to users, such as advertisements, friend requests, social engineering, shares, and plug-ins.
According to the FBI’s internet crime report 2020, victims in the U.S. have lost over $155 million to social media-enabled cybercrime.
What are the most popular types of Social Media attacks?
Reconnaissance is an attack precursor that, when conducted passively on social media platforms, is difficult to detect. When individuals overshare personal and private information on social media networks, it can be collected and analyzed to build a profile of their behavior. After gathering information about locations, hobbies, and relationships, a threat actor can piece together a potential victim's life and use it to craft convincing lures, such as malicious links sent from a profile impersonating someone they know. The same information may also allow the attacker to authenticate to other services, such as email or banking websites, on the victim's behalf.
For example, how many people use a child's or pet's name in their passwords or password reset questions? How many use their year of birth? These seemingly innocuous details aren't that valuable when shared alone, but when combined into a full profile they can provide the keys to unlock further parts of a person's digital life. Knowing the value that these tidbits of personal information have to threat actors, shrewd social media users limit the amount of personal data they publicly share to reduce its intelligence value to potential attackers.
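As an added example (not from the original post), the following check flags a password or reset answer that can be derived from details a user has already shared publicly. The profile is a constructed sample, and the leetspeak folding is an assumption about how people commonly disguise a name in a password.

```python
import re

# Common leetspeak substitutions, folded back so "F1uffy" matches "fluffy".
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample of what an oversharing account exposes publicly.
PUBLIC_PROFILE = {
    "bio": "Proud dad of Liam, born 1987, Red Sox fan",
    "recent_post": "Happy 5th birthday to our pup Fluffy!",
}


def _alnum(s: str) -> str:
    """Lowercase and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def profile_tokens(profile: dict) -> set:
    """Words of four or more characters (names, years, teams) taken from
    the public profile; a production validator would also apply a stopword
    list to drop ordinary words such as 'happy'."""
    tokens = set()
    for value in profile.values():
        for word in re.findall(r"[A-Za-z0-9]+", str(value)):
            if len(word) >= 4:
                tokens.add(word.lower())
    return tokens


def profile_derived(secret: str, profile: dict) -> list:
    """Return the profile tokens found in the secret (password or reset
    answer), either verbatim or disguised with leetspeak. An empty list
    means the secret is not obviously derived from public data."""
    plain = _alnum(secret)
    folded = _alnum(secret.translate(_LEET))
    return sorted(t for t in profile_tokens(profile)
                  if t in plain or t in folded)


if __name__ == "__main__":
    for candidate in ("F1uffy2015", "Liam1987!", "correct horse battery staple"):
        print(candidate, "->", profile_derived(candidate, PUBLIC_PROFILE))
```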
Using a fake social media profile, threat actors can mimic a legitimate profile and carry out attacks both on a large scale (e.g. fake public figure profiles used to distribute mass-malware or phishing campaigns to millions of victims), and a smaller ‘targeted’ scale.
Recently, threat actors linked to hostile states have been taking advantage of the LinkedIn platform by using fake profiles to target employees in key industries and government departments all over Britain. These attacks show how tactics continue to evolve in response to the way we are using social media.
A reconnaissance phase often precedes such attacks. They can also be conducted against organizations by using fake profiles that mimic key individuals within the target organization.
In addition to mimicking legitimate individuals within an organization, perhaps acting as the CEO or CFO to instruct an employee to perform an action, some threat actors conduct catfishing attacks, where they masquerade as an attractive (fictitious) individual to lure victims into divulging personal or sensitive information. Broad catfishing attacks are typically financially motivated, while catfishing attacks against employees of an organization may be motivated by gathering intelligence through virtual 'pillow talk'. From this information the attacker can learn credentials that can be used to gain access to systems, and in more serious cases a victim may be lured into exposing themselves in a compromising situation that can then be used for blackmail.
A real-world example of such an attack is the impersonation of the richest woman in the world, the billionaire philanthropist MacKenzie Scott, a novelist best known as the ex-wife of Jeff Bezos, the Amazon founder. After announcing that she was giving away half her fortune, Ms. Scott has given away generous gifts and grants totaling nearly $6 billion throughout 2020.
Since then, Ms. Scott has been impersonated by threat actors who have posed as her representatives. It all started when the famous socialite sent out a (legitimate) email to hundreds of NGOs with unsolicited offers of monetary support.
Sadly, threat actors got wind of this and leveraged Ms. Scott’s reputation when contacting vulnerable individuals looking for financial assistance. Threat actors would send out emails under the name “Ms. Scott Foundation” promising monetary support. The catch? The hopeful recipient must pay a modest transfer fee to receive the funds. However, the moment the money was sent, the fake Ms. Scott’s foundation disappeared into thin air. The real Ms. Scott Foundation was left to pick up the pieces of their shattered reputation.
This impersonation scam was highly evolved. It utilized fake bank portals, counterfeit Facebook pages, branded WhatsApp messages, and a Bitcoin cryptocurrency app to whisk the “transfer fee” money away from its targets.
Impersonation scams are getting ever more sophisticated and targeting organizations as well as individuals. Recently, threat actors copied the webpage of the federal Small Business Administration and impersonated the Federal Trade Commission.
Social engineering attacks usually involve some type of psychological manipulation of unsuspecting users or employees into sharing confidential or sensitive data. Commonly, social engineering attacks occur via email or other communication that invokes urgency, fear, or similar emotions in the target, prompting the target to reveal sensitive information, click a malicious link, or open a malicious file.
Attacks have been increasingly successful because attackers are creating more legitimate-looking emails, and with the prevalence of social media, an attacker can look up everything they need to know about a person and their interests.
Armed with this information gleaned from social media, they can craft an email tailored to that person and send it to them directly, which increases the chances of that person clicking.
Although not a cybercrime, fake news has been a hot topic in the last few years. Troll Farms attempt to subvert and influence public perceptions using social media platforms.
The 2020 U.S. presidential elections are the most recent high-profile target of this tactic. In March, a declassified intelligence document reported that Putin authorized influence operations to discredit Biden, support the then-President Donald Trump and undermine faith in American democracy. The U.S. government sanctioned Russia in response, but despite purported efforts to prevent the spread of fake news, the share of fake news seems to be growing exponentially. According to Vox, in 2019, 8 percent of engagement with the 100 top-performing news sources on social media was dubious. In 2020, that number more than doubled to 17 percent.
Similar to brand hijacking, the direct compromise of a social media profile, especially one that is 'verified' by the platform and therefore implies trust, could be just as damaging as compromising an organization's website. Given the 'push' nature of social media platforms, a compromised social media profile could be used to target the customers of a brand with malicious or nefarious content.
Recent examples include the compromise of 'verified' Twitter accounts, such as those of Uber and Apple, along with multiple other prominent Twitter accounts that were hacked as part of a cryptocurrency scam.
The accounts were hijacked to post a message with an address of a bitcoin wallet, claiming the amount of any payments made to the address would be doubled and sent back.
Following the attack, Twitter announced that the attack was made possible through “a coordinated social engineering attack” on employees who gave a hacker “access to internal systems and tools.”
Typically, malicious links are used to lure a victim into clicking through to a payload hosted on third-party sites, rather than the malicious content being directly available from the social media platform. One-click exploits, such as those used for account takeover, could easily be distributed via social media and, when clicked, could exploit the victim. A recent example is the attack targeting South Korean users by the Lazarus hacking group, who hid malicious payloads in BMP image files.
Covid-19 and Social Media Threats
As a consequence of COVID-19, the digital transformation of commerce skyrocketed. Social distancing, lockdowns, and remote work have boosted the prevalence of digital channels, including social media and social commerce.
People rely more than ever on digital channels, and the connection between social media and eCommerce has never been stronger. As eMarketer reports, the number of social commerce buyers in the United States alone grew by 25.2% to 80.1 million in 2020 and is expected to grow by 12.9% to 90.4 million in 2021.
In 2020, Facebook drove 40% of traffic for e-commerce brands, and 66% of Instagram users seek interactions with brands on the app, with 46% of Instagram users making purchases after seeing product information on the app. Simultaneously, 52% of TikTok users say they find new products from seeing ads on the platform.
No wonder that threat actors are trying to capitalize on that trend, constantly evolving their methods, techniques and tactics.
Digital risk requires digital defense
Given all the ways that social media can be used to attack your brand, how can organizations protect themselves, especially as we gear up for the summer?
One way is to treat social media with the same level of scrutiny as other channels. Just as you teach your team about scanning email attachments before opening, reporting suspicious emails, and other security essentials, you also need to train your team about these common social media attacks. However, awareness, while important, will not be able to stop all the attacks. It is important to have a coordinated social media and digital brand protection plan in place.
Cyberint’s Digital Risk Protection monitors your social media platforms, fiercely protecting your brand and ensuring that your social media presence remains untampered, and your customer data doesn’t get into the wrong hands.
Here’s to safe and happy social media browsing!