Twitter, TikTok, Instagram, LinkedIn & all the rest are replacing nation-states—a phenomenon that was highlighted when governments and central banks reared up against Facebook’s offer to issue its own crypto-currency. We are glued to our screens incessantly.
Work, play, and interpersonal communications rely on our cellphones. Most of our financial activities are moving there, and soon most of us will be working there, as well. Mobile communication is a frightening bottleneck that cybercriminals are focusing on, and the attacks on infrastructure, hospitals and supply chains that are launched through phishing over social media and email are only beginning.
Playing with the Big Kids ...
For small and medium enterprises, social media is a godsend. If once only large corporations could afford the production and media-buying expenses of advertising on broadcast television, nowadays, anyone can post an ad on Instagram with little more than a smartphone. But, unlike NBC, CBS or ABC, Facebook can channel your post to a specific audience, regardless of time or geography.
Little surprise that investment in television advertising rose 34% in the past year, while social media advertising overshadowed this with 53% growth. While Facebook targets older folks, TikTok the youngsters, and so forth, LinkedIn can serve the small business as a turnkey recruitment agency. Sales and delivery can be managed through WhatsApp; and, before long, as-a-Service (aaS) providers will be offering entire corporate and technology infrastructures at the click of a tweet.
In fact, one place where this already exists is the Dark Web, where hackers can find and hire Hacking-as-a-Service platforms. They can buy ransomware and even advertise their wares as easily as a high-school nerd offering project-writing services to the jocks over TikTok.
Indeed, hacking is now big business, and the suits are rubbing their hands in glee as the social-media-hosted attack surface bloats.
… Playing with Fire
Now, one would think that the wonks at these platform headquarters would be immune to attacks, if not thanks to the millions spent by companies each year on cybersecurity products, then by their own personal awareness. This—as news items every day remind us—is simply not so. In fact, perhaps due to their over-confidence, they are ripe targets for everyday phishing.
Twilio, a major advertising platform that develops, administers, and tracks programmable communications tools, such as phone calls and SMS messages, is a multi-billion dollar enterprise communications firm. Valued at somewhat less, Cloudflare offers content-distribution networks (networks of proxy servers and data centers) and DDoS (distributed denial-of-service) mitigation services.
Both were phished in the same month. In both cases, the flaw in the wall was an unwitting employee who handed his credentials over to a phishing campaign that victimized over 130 organizations. And, despite the latest authentication protocols and safety nets, these same companies are hit again and again—to say nothing of the social media platforms, where security has never been an advertised strong point.
In fact, one of the biggest problems with social media is the ease with which an account can be taken over. One report states that account hijacking has increased by over 1,000% in the past year. The biggest threat here is to the social media advertising sector, which relies on the size of an advertiser’s following. This market is based on social media personalities with a following large enough to constitute an attractive advertising channel, and it’s worth about $16.4B per annum in the USA alone.
The followers of an Instagram influencer are often counted in the millions, and the price for ransoming such an account—when hijacked by a scammer—can reach hundreds of thousands. A recent article in Dark Reading tells of the latest phishing campaign, which hooks users by sending a phishing email threatening social account closure due to copyright infringement. Without thinking twice, victims will click on the “Appeal” button—anything to avoid downtime. Often, the fake sign-in page will ask for the user’s multi-factor-authentication (MFA) telephone number, as well. Who has time to check if the URL is kosher? And before you know it, your account is no longer yours.
The Atlantic tells of one scammer who seized the account of a publicist managing a host of influencer accounts by sending him to a phishing page that spoofed a campaign-tracking site. Once the publicist entered his client’s Instagram account details, the scammer began spamming the influencer’s followers with fake offers for free products. The hacker’s next step is either to directly sell spam to the followers or else to sell the influencer’s actual account to another budding marketeer.
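Checking whether the URL behind that “Appeal” button is kosher is exactly the step victims skip, and it is a check mail filters and security-awareness tooling can automate. The script below is an added example written for this post (not novoShield’s code and not from any source the post cites); the allowlist of brand domains, the 0.8 similarity threshold and the sample URLs are assumptions chosen for illustration.

```python
"""Defender-side check of a sign-in link: does it really point at the brand's
own domain, or is it a lookalike of the kind the copyright-"Appeal" lure uses?"""
import difflib
import ipaddress
from urllib.parse import urlparse

# Assumed allowlist of the brand's registrable sign-in domains (example data).
LEGIT_DOMAINS = {"instagram.com", "facebook.com"}
BRAND_WORDS = ("instagram", "facebook")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplified: a production version would
    consult the Public Suffix List to handle suffixes such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_login_url(url: str) -> dict:
    """Return {'verdict': 'legit' | 'suspicious', 'domain': ..., 'reasons': [...]}."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if "@" in parsed.netloc:
        reasons.append("userinfo before host")  # brand name placed before '@'
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) label")
    domain = registrable_domain(host)
    if domain not in LEGIT_DOMAINS:
        second_level = domain.split(".")[0]
        for word in BRAND_WORDS:
            # Brand name in a subdomain or path, e.g. instagram.com.<other>.example
            if word in host or word in parsed.path.lower():
                reasons.append(f"'{word}' appears outside a legitimate domain")
                break
            # Near-miss spellings such as 1nstagram (assumed 0.8 threshold)
            if difflib.SequenceMatcher(None, word, second_level).ratio() >= 0.8:
                reasons.append(f"'{second_level}' resembles '{word}'")
                break
        reasons.append(f"registrable domain '{domain}' not on allowlist")
    return {"verdict": "legit" if not reasons else "suspicious",
            "domain": domain, "reasons": reasons}
```

Run it over the links extracted from a suspected email; anything that comes back “suspicious” deserves a second look before the sign-in page ever loads.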
Phish at Steak
The damage here is, not merely immediate income, but an influencer’s reputation and clients’ brand—values possibly measured in the millions. And Facebook and Instagram do not make it easy to regain control of those accounts. Neither platform operates a reliable retrieval mechanism—indeed neither has an accessible human support system, relying instead on its media monopoly to hold on to users. Retrieving an account can take weeks, if at all possible.
There simply is no oversight. For, if legacy media and advertising are old enough to be regulated by agencies such as the FCC and FTC, social media advertising is still relatively ungoverned. And the advertising brands themselves often do not investigate who is behind an influencer account. They become—at best, unwitting—partners in crime.
Once again, the social platforms do not make account-vetting easy, perhaps because influencers compete with the platform’s own direct-advertisements setup. Perhaps the social platforms wouldn’t be sorry to see the influencer market simply disappear.
The term “posting too much on social media” elicits a quarter of a billion results on Google. Companies unwittingly post information that’s ripe for industrial espionage—who’s meeting whom, executive travel habits, and so forth. If before we said that hacking is now big business, phishing too has evolved from the days of sending out massive numbers of phishing emails and waiting for a bite.
Nowadays phishing is carefully targeted at high-value individuals, such as high-placed executives and decision makers. Using the data gleaned from readily available information on a target’s social media, mails and messages can be disguised to look extremely convincing: a mail purportedly from the company’s chief financial officer asking for a list of suppliers’ access data, client passwords, and so forth; a CEO demanding an immediate cash transfer to a partner’s account; and so on.
But make no mistake: scams still target the vulnerable—the unemployed seeking work and assistance, retirees seeking additional income, and so forth. LinkedIn has recently become one of the most attacked platforms, since it is an easy back door into a company’s profile, which can be easily spoofed. Scam job offers are on the rise, all at the cost of simply downloading a malware-infested application form or providing your personal data. And some of the ads are coming from ostensibly well-established firms.
Malware has lately become a threat to Facebook, where Ducktail phishing results in the downloading of a uniquely vicious malware that will scrape the device to discover account credentials and payment data. According to Kaspersky, YouTube is offering a browser download that is actually Chinese-sponsored spyware.
End Users at Risk
In short, nobody’s too small to be phished. Not only are you a conduit into larger systems, your accounts—bank, social and otherwise—are still at risk. Beginner hackers will still target you specifically; advanced folk will seek weak links in ever-growing chains. You may think you’re simply delving into social media for the fun; you’re still feeding the machine. You may think you’re merely uploading your latest come-hither status image, but in fact, you’re uploading a wealth of biometric data. It may be your retinal scan, your fingerprint, your audio-recognition pattern: all digital signatures that you may already be using to transfer funds through Google Pay. You’re still opening that sliding security door to your high-paying job at the NSA.
Dark Reading even describes how the data can be used to create deepfakes: imagine receiving a WhatsApp video from your brother asking for an emergency cash transfer to cover a gambling debt or garage bill, only to realize your brother’s standing beside you and you’re actually looking at a perfectly crafted animated fake.
But even more: you’re still a user of public and critical infrastructures, like electricity, oil, roads and emergency wards. You should think twice before depriving yourself of these by simply handing a hacker your access data because he’s threatening to cut off your high-speed home Wi-Fi over an unpaid bill.
“The journey of a thousand miles begins with one step,” says Lao Tsu, and the worst internet incidents often begin with a single misstep. Guard against phishing with your life… and perhaps with the aid of novoShield.