How Cybercriminals Use Pinterest to Run Fraud Scams
September 26th, 2018
Over the past few years, we’ve seen a noticeable increase in cybercriminals using social media as part of their attack strategy. Whether it’s a phishing campaign, online impersonation or just simply trying to promote their goods or services, social media provides hackers with a large audience that typically has their guard down when it comes to cyber scams.
One of the social media platforms that’s becoming more popular among cybercriminals is Pinterest. There are a variety of scams hackers can run on Pinterest, but for this post we’ll focus on fraud and financial scams.
Why Hackers Use Pinterest
Pinterest is a social media platform designed to help users share and discover information on the world wide web. It’s mostly used for harmless activity, such as sharing recipes, clothing, design styles and many other items, which users can pin and save to their boards. Pinterest has become one of the most popular social media and sharing websites in the world. But where there are users, there are threat actors.
Pinterest is a great marketing tool for cybercriminals. It gives them a huge pool of users to market their goods and/or services to. Beyond the increased reach, publishing on Pinterest can give users the impression that these activities are not necessarily illegal; for example, listing stolen products under the name of the company they were stolen from raises little suspicion.
Financial Fraud on Pinterest
There’s a variety of fraud schemes and tactics that cybercriminals use, but financial fraud is one of the most direct and easiest methods. Gaining access to someone’s credit card or bank account information makes it very easy to commit financial fraud, so this is often the intent we see with threat actors using Pinterest.
Money Hacking Tool
One example we saw was a “hacking tool” that claimed it could add any amount of money to your credit card (see Figure 1). All you have to do is enter the card number and select the amount you’d like to add. Sounds “phishy”, right? Well it probably is; yet this is a common social engineering scheme that people fall for. While in theory the hacker might be using sophisticated carding methods to transfer money, it is most likely just a scam to collect a credit card number.
One of the obvious uses of a credit card number is for fraudulent purchases. But there’s another use for credit card numbers as well.
Many banking and financial sites use a credit card number as an authentication method to login to sites and/or verify an identity. If a threat actor gets a group of credit card numbers (like using the tool in Figure 1), they now have access to a pool of user names, and just need the password to log into their accounts. This can be done through brute force or looking at other compromised credentials, as users typically use weak or similar passwords.
Once hackers have access to someone’s account, not only can they commit fraud, but they can steal other personal information as well. Just recently we have seen several banks in North America that faced severe damage from these types of scams, where hackers stole users’ credit card credentials, which were later used to steal personal information from the banks’ portals.
Figure 1: Example of Credit Card Hacking Tool
Fake Bank Statements
Another example we came across was a set of posts offering to create a fake bank statement. People often need to produce bank statements to demonstrate their financial stability, and some will look to forge these documents to get access to better rates or loans. As you might expect, when there’s a demand for illegal services, cyber threat actors are there to provide them, though often with a caveat.
Figure 2 is an example of a bank statement template advertised on Pinterest. Obviously, this poses a threat to banks and financial institutions, who risk being duped by fake statements. However, it is even riskier for the user, as the threat actor who designed the template is almost always collecting the submitted information on their end. So when a user inputs their bank data to create a fake statement, the hacker receives all of that data, which they can use later for highly tailored phishing attacks.
Figure 2: Bank Statement Template Found on Pinterest
Fake Pinterest Accounts
Another tactic we observed is the use of fake accounts, which pose a threat to your brand reputation and to your customers, often those that are most loyal. These fake accounts can fool users into giving away sensitive information that can be used for financial fraud.
Even though user awareness for phishing has grown over the past few years, hackers always try to find new ways to phish information, and one of the latest methods we’re seeing is through brand impersonation on social media. When users are on a platform they’re familiar with, like Pinterest, they usually have their guard down, which makes them more susceptible to phishing attacks.
It can be difficult to spot a fake profile on Pinterest, so users should be aware of some key characteristics to look for. First, make sure to consider the number of followers. A low number of followers for a popular brand is usually an indication that it may be a suspicious page. In addition, look at how long the page has been in existence and what other information or posts the page has shared.
Here are some more good tips on how to spot fake social media accounts.
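The profile characteristics described above (a name resembling a monitored brand, a follower count far below the real brand page, a young account, and little shared content) can be turned into a simple triage score for a threat intelligence team that monitors social platforms for impersonation. The following is an added example and not IntSights tooling; the brand registry, the lookalike substitutions, the thresholds and the profile records are all constructed assumptions, and the profile fields are a hypothetical shape rather than any platform's API.

```python
"""Heuristic triage of suspected brand-impersonation profiles (added example).

Scores constructed profile records on the signals named in the post: a handle
or display name resembling a monitored brand, followers far below the real
page, a young account, and little shared content. Not real Pinterest data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import re
import unicodedata


@dataclass
class Profile:
    handle: str        # hypothetical field: the account's URL handle
    display_name: str
    followers: int
    created: date
    pins: int          # number of posts the account has shared


# Assumption: official brand handle -> follower count of the genuine page.
MONITORED_BRANDS = {"acmebank": 250_000}

# Assumption: digit/symbol substitutions commonly seen in lookalike handles.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(name: str) -> str:
    """Fold accents, map lookalike characters, drop separators, lowercase."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def matched_brand(p: Profile) -> Optional[str]:
    """Return the monitored brand this profile's names resemble, if any."""
    for brand in MONITORED_BRANDS:
        for candidate in (normalize(p.handle), normalize(p.display_name)):
            if brand in candidate or edit_distance(candidate, brand) <= 2:
                return brand
    return None


def score_profile(p: Profile, today: date) -> Tuple[int, List[str]]:
    """Return (risk score 0-7, reasons). The official page itself scores 0."""
    brand = matched_brand(p)
    if brand is None:
        return 0, []
    if p.handle.lower() == brand:
        return 0, ["official account"]
    score, reasons = 2, [f"name resembles monitored brand '{brand}'"]
    if p.followers < MONITORED_BRANDS[brand] * 0.01:   # threshold: assumption
        score += 2
        reasons.append("followers far below official page")
    if (today - p.created).days < 90:                  # threshold: assumption
        score += 2
        reasons.append("account younger than 90 days")
    if p.pins < 5:                                     # threshold: assumption
        score += 1
        reasons.append("little shared content")
    return score, reasons


def triage(profiles: List[Profile], today: date, threshold: int = 5) -> List[Tuple[str, int]]:
    """Return (handle, score) for profiles at or above the flagging threshold."""
    flagged = []
    for p in profiles:
        score, _ = score_profile(p, today)
        if score >= threshold:
            flagged.append((p.handle, score))
    return flagged


# Constructed sample profiles for a run on 2018-09-26.
SAMPLE = [
    Profile("acmebank", "Acme Bank", 250_000, date(2015, 1, 1), 4000),
    Profile("acme-bank-0fficial", "Acme Bank Official", 12, date(2018, 9, 10), 2),
    Profile("knittingfan", "Knitting Fan", 40, date(2018, 9, 1), 1),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.handle, score_profile(p, date(2018, 9, 26)))
    print("flagged:", triage(SAMPLE, date(2018, 9, 26)))
```

The score is only a prioritisation aid: a flagged handle still needs an analyst to review the account's posts and age before requesting a takedown, and the thresholds should be tuned per brand, since a small brand's genuine page may itself have few followers.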
In the past, cybercriminals kept most of their campaigns on the dark web, where they had access to other cybercriminals and were less likely to get caught. But to reach new audiences, they’ve needed to expand, and social media is one of the places they’ve turned to. Whether it’s impersonating a brand to phish customer information, or just trying to spread the word on a new fraud tool (like a fake bank account generator), social media provides access to a large pool of users who typically are less aware of cyber scams. While social media poses a higher risk of getting caught compared to a dark web forum, it appears to be worth the risk, as we’ve seen more and more cyber scams and fraud campaigns make their way onto social media.
Just like with any social media site, users should be aware of these common tactics so that they can use these platforms safely. In addition, threat intelligence teams must monitor these platforms for fake accounts or suspicious tools so that they can take down malicious posts and protect their users.
Want to read more about financial fraud on the Dark Web?
Financial Services Threat Landscape Report (July 2018)
Orin Mor is a Security Researcher at IntSights, focused on hunting for new threats and threat actors on the Dark Web, and working to identify new attack strategies and vectors. Prior to IntSights, she served for 5 years as a Security Researcher in an elite intelligence unit in the Israeli Defense Forces, specializing in cyber operations, data mining and threat research.