From Spamming to Friend Requests - Social Engineering Evolves
July 26th, 2016
In previous posts we have discussed the use of fake profiles and the dangers they entail
(https://intsights.com/fake-social-media-accounts/), but beyond the obvious risk of fraud and petty cyber-crime, fake accounts present a far greater threat than first meets the eye. Until recently, people communicated mainly via email and surfed the web for information and pleasure. The social web has changed that; people now work and play on social networks.
LinkedIn is the world’s largest professional network, with over 400 million members. It serves as a news source, lead-generation mechanism and recruitment site all at once. With the recent addition of instant messaging and InMail, as on all major social networks, many people now communicate solely on the platform without ever leaving it to use email.
Phishing Gets a Makeover
This migration to the social web has not gone unnoticed by cyber criminals or by state-sponsored actors, who are now turning to social media to replace the traditional phishing methods used to target unsuspecting victims.
Their “phishing” process is similar in concept and execution to the traditional one: a target is approached by a stranger who gains the victim’s trust and then exploits it to get the victim to perform an action that compromises their security. The difference is that the perpetrators are far better prepared: instead of blindly sending spam in bulk, they identify a specific target (a wealthy individual or a prominent VP at a leading company), gather information about that individual, find a pretext for reaching out and then build trust. This is a far more intimate process. Moreover, these sophisticated modern schemes can easily build a believable claim to be a legitimate, respectable individual, with a pleasant profile image, a work history and connections, compared with the often far-fetched pretexts of earlier email phishing campaigns.
Capitalising on the Connection
Having befriended the target, the cyber criminal (most likely a man masquerading as a woman) can gather information and even send the victim an infected file or malicious link through the site’s chat feature. Alternatively, the connection made on the social media site is used only to establish initial credibility, and the victim is encouraged to move the conversation to a different platform, such as email or telephone, where the final scam is carried out later. This is typically the pattern when the eventual goal is to use an individual as the way into an organisation. A recent example involves the Iranian nation-state hackers known as the Cleaver group (http://securityaffairs.co/wordpress/40828/cyber-crime/iranian-cleaver-hackers-linkedin.html) using this technique to penetrate the State Department.
Far Beyond Social Media
The use of fake profiles and social engineering techniques is not limited to social media; they are also used extensively on other platforms that require a profile and offer internal messaging, such as Fiverr, paypal.me, Wikipedia and Quora.
A current and growing trend that we at IntSights are monitoring with great concern is the creation of fake profiles on job search websites in order to scam job seekers. This is done under the guise of a real company (usually a prominent one) and can remain undetected for a long time, severely damaging the company’s reputation.
The nature of the social web means that anyone can open an account and very easily impersonate someone else. Organisations therefore need to monitor social media continuously for profiles impersonating their employees. There are, however, certain signs to look out for that help stop a phishing effort before it starts.
A fake profile usually starts out rather dull and empty: the profile photo and any interesting details are missing and are only added later. It is therefore crucial to detect fake profiles as soon as they are created and to keep monitoring them. This matters all the more because it tends to be very difficult to get the platform to remove a profile before it turns “phishy”, so regular checks ensure that you catch the fake profile at the first possible opportunity.
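The monitoring loop described above, written out as an added example (this is not IntSights’ product or code from the original post): an organisation keeps a roster mapping each employee’s name to the profile ID it knows to be genuine, takes periodic snapshots of profiles that claim that employer, and raises an alert when a new profile reuses an employee’s name under a different ID, and again when such a profile goes from “dull and empty” to filled in. The completeness heuristic, the roster and all sample profiles are constructed for the example, and the names and IDs are fictitious.

```python
"""Toy impersonation-profile monitor. Added example; heuristics and data are assumptions."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    profile_id: str          # platform-assigned identifier (constructed for the example)
    display_name: str
    employer: str            # employer claimed on the profile
    has_photo: bool = False
    headline: str = ""
    connections: int = 0


def normalise_name(name: str) -> str:
    """Lower-case, strip accents and punctuation so "Jean-Luc O'Brien" and
    "jean luc obrien" compare equal; fakes often vary casing or punctuation."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z ]", "", ascii_only.lower()).split())


def completeness(p: Profile) -> int:
    """Score 0..3 for how 'filled in' a profile looks (assumed thresholds).
    Freshly created fakes typically score 0 and climb later."""
    return int(p.has_photo) + int(bool(p.headline.strip())) + int(p.connections >= 50)


class ImpersonationMonitor:
    """Tracks profiles claiming to work at `company` across periodic snapshots."""

    def __init__(self, company: str, legit_profiles: dict[str, str]):
        # legit_profiles: employee display name -> the profile_id HR/IT knows is genuine
        self.company = company.lower()
        self.legit = {normalise_name(n): pid for n, pid in legit_profiles.items()}
        self.seen: dict[str, int] = {}   # suspect profile_id -> completeness at last sighting

    def is_suspect(self, p: Profile) -> bool:
        # Same claimed employer, same (normalised) employee name, but not the known ID.
        if p.employer.lower() != self.company:
            return False          # a namesake at another company is not impersonation
        name = normalise_name(p.display_name)
        return name in self.legit and self.legit[name] != p.profile_id

    def observe(self, snapshot: list[Profile]) -> list[tuple[str, str, str]]:
        """Return (kind, profile_id, detail) alerts for one snapshot and update state."""
        alerts = []
        for p in snapshot:
            if not self.is_suspect(p):
                continue
            score = completeness(p)
            prev = self.seen.get(p.profile_id)
            if prev is None:
                alerts.append(("NEW", p.profile_id,
                               f"impersonates {p.display_name} (completeness {score}/3)"))
            elif score > prev:
                # The 'shell first, content later' pattern: time to re-raise the takedown.
                alerts.append(("ESCALATED", p.profile_id,
                               f"filled in from {prev}/3 to {score}/3"))
            self.seen[p.profile_id] = score
        return alerts


# Constructed sample data: roster of genuine profiles and two daily snapshots.
ROSTER = {"Jane Doe": "li-1001", "Jean-Luc O'Brien": "li-1002"}

DAY1 = [
    Profile("li-1001", "Jane Doe", "Acme Corp", True, "VP Finance at Acme Corp", 800),
    Profile("li-7781", "jane doe", "ACME Corp"),                        # bare shell, same name
    Profile("li-5550", "Jane Doe", "Other Ltd", True, "Nurse", 300),    # namesake elsewhere
]
DAY2 = [
    Profile("li-1001", "Jane Doe", "Acme Corp", True, "VP Finance at Acme Corp", 801),
    Profile("li-7781", "Jane Doe", "Acme Corp", True, "VP Finance at Acme Corp", 120),  # filled in
    Profile("li-9002", "Jean-Luc O\u2019Brien", "Acme Corp"),           # new shell, curly apostrophe
]


def run_demo() -> list[list[tuple[str, str, str]]]:
    """Feed both snapshots through a fresh monitor and return the alerts per day."""
    monitor = ImpersonationMonitor("Acme Corp", ROSTER)
    return [monitor.observe(DAY1), monitor.observe(DAY2)]


if __name__ == "__main__":
    for day, alerts in enumerate(run_demo(), start=1):
        for kind, pid, detail in alerts:
            print(f"day {day}: {kind} {pid}: {detail}")
```

Day 1 raises a single NEW alert for the empty “jane doe” shell; the namesake at another employer is ignored. Day 2 escalates the same shell once it has acquired a photo, headline and connections, and raises a NEW alert for the O’Brien shell despite the different apostrophe. Re-observing an unchanged snapshot produces nothing, which is what keeps the alert volume tied to actual changes rather than to polling frequency.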
The evolution of how we interact on the web is presenting new possibilities for hackers and cyber criminals to exploit us. Extra care is required when interacting with new, unfamiliar people, and basic security rules should always be followed. Remember what your mom told you: never take candy from a stranger.
This post was written by Alon Arvatz, IntSights’ VP Intelligence.