In recent years, social media has become a hotbed for cybercriminal activity. Attackers are drawn to these channels because they make finding and engaging targets trivial, are easy and cost-effective to use, make creating fraudulent accounts simple, and allow malicious content to spread at unprecedented scale and efficiency.
From the recent Vevo breach stemming from a LinkedIn phishing attack to Russian operatives using Twitter to spearphish and distribute malware to the United States Department of Defense, advanced, large-scale cybercrime on social media has become mainstream. In light of National Cybersecurity Awareness Month, the ZeroFOX team compiled a list of the ten worst social media attacks of all time to demonstrate the growing need for safeguarding these platforms. In no specific order:
10k US Government Employees Spearphished with Malware-Laced Posts
Timeline: Early 2017
Tactic: Targeted Phishing/Malware, Fraudulent Accounts
Summary: In early 2017, Russian operatives sent over 10,000 custom phishing messages via social media, each link laced with malware enabling the attacker to access and control the victim’s device. This attack represents a major advancement in cyber capabilities and an escalation in Russia’s cyberwar against the US. This is the most well-organized, coordinated attack at the nation-state level we’ve ever seen.
Fake Social Media Persona Sends Malware to Employees Via Social Media
Timeline: July 2017
Tactic: Targeted Phishing/Malware, Fraudulent Accounts
Summary: Attackers created an incredibly compelling fake persona, a London-based photographer named Mia Ash, and connected with corporate employees. The attacker disseminated a Remote Access Trojan (RAT), called PupyRAT, via these social media honeypot accounts to hijack the controls of victims’ devices. The persona had accounts across several popular social networks.
3rd Party App Leads to Hundreds of High-Profile Account Compromises
Timeline: March 2017
Tactic: Account Takeover
Summary: A vulnerability in a 3rd-party app called TwitterCounter allowed Turkish-language attackers to hijack controls of hundreds of high-profile accounts. They posted aggressive messages against the Netherlands after a contentious week of deteriorating relations between the Netherlands and Turkey and pivotal elections in both countries. The posts used swastikas and called the Dutch “nazis.” The breached accounts included a number of global brands and well-followed, verified accounts, including Forbes, the official Bitcoin Blockchain account, Starbucks, the European Parliament, UNICEF, Nike and Amnesty International.
HAMMERTOSS Malware Uses Social Media for Command & Control
Timeline: July 2015
Tactic: Malware/Data Exfiltration
Summary: The HAMMERTOSS malware automatically searches social networks for commands posted by attacker profiles, allowing cybercriminals to control the malware via social media posts. The attacker group behind this malware is also responsible for attacks against the White House, the Joint Chiefs of Staff, the State Department and other nation-state governments, such as Norway. This novel approach to weaponizing social media shows the need to analyze social media as a full lifecycle attack vector.
Financial Crime Runs Rampant on Social Networks
Timeline: August 2016
Tactic: Fraud & Scams
Summary: ZeroFOX researchers revealed the vast underground world of financial crime on social media, in which scammers prey on the followers of verified banks with fraudulent financial services offerings, including card cracking and money flipping. The scale of the problem is massive, with nearly a quarter-million posts for a single type of scam on a single social network. The problem was found on every major social media channel and results in hundreds of millions of dollars in losses annually.
AP’s Social Accounts Hijacked, $136 Billion Lost in Stock Market Value
Timeline: April 2013
Tactic: Account Takeover
Summary: Attackers compromised the account of the Associated Press, posting fake breaking news that bombs had gone off in the White House. The Dow subsequently dropped 150 points before rebounding, a swing worth $136 billion in market value. Attackers have also done this on a less public scale, subtly eroding the value of a company by compromising accounts and posting slanderous news about their target.
LinkedIn Hacked, Exposing 117 Million Credentials
Timeline: May 2016
Tactic: Data Breach, Account Takeover
Summary: The networks themselves get breached as well. The 2016 LinkedIn data dump was the 7th largest in history by sheer number of compromised credentials, according to HaveIBeenPwned.com. The breach, which originally occurred in 2012, eventually exposed 117 million email and password combinations, which were then sold on the dark web.
Enigma’s Slack and Website Hacked, a Half Million in Ether Coin Stolen
Timeline: August 2017
Tactic: Fraud & Scams, Impersonation, Account Takeover
Summary: Social collaboration tools are an often overlooked genre of social platforms that pose a new security risk. In 2017, the Slack community channel of Enigma, a startup exchange for the cryptocurrency Ethereum, was breached by attackers. The attackers impersonated the company’s executives and instructed community members to send their Ethereum coin to a specific wallet, stealing roughly half a million in the cryptocurrency.
Phishing Direct Message Sent to Customers from Compromised Brand Account
Timeline: September 2011
Tactic: Account Takeover, Targeted Phishing & Malware
Summary: In September of 2011, an Australian bank suffered the worst-case scenario for an account takeover, in which attackers didn’t immediately vandalize the account or post inflammatory messages, but instead sent direct messages to followers asking them to disclose sensitive financial information. While most account hacks are merely embarrassing and costly from a brand and public relations perspective, they can also be used for large-scale cyberattacks against a brand’s most loyal and engaged followers.
Vevo Hacked Via Targeted LinkedIn Phishing Attack, 3.12TB Exfiltrated
Timeline: September 2017
Tactic: Targeted Phishing & Malware
Summary: Streaming service Vevo suffered a breach when one of its employees was phished via LinkedIn. Hackers were able to obtain and publicly release 3.12TB worth of the company’s sensitive internal data. The professional social network allows attackers to rapidly identify their target at a specific organization and send them a personalized message, all under the auspices of professional networking or recruitment.
To minimize exposure to spear phishing, account hijacking and other targeted social media attacks, ZeroFOX recommends that users:
- Limit interactions to users you’re sure you can trust
- Avoid clicking on links or downloading file attachments sent through social media
- Ensure two-factor authentication is enabled
- Have security professionals train employees on what information should or should not be posted or visible to the public
- Adopt an automated social media protection tool to protect your employees, executives and business at scale across the dynamic social media threat landscape