Attacks on social media, cloud apps exploit trust in popular free services
Cyber criminals increasingly rely on emotional triggers to get users to react
By Jaikumar Vijayan, ThirdCertainty
Phishers have begun leveraging the trust people have in popular social media and cloud collaboration websites to trick people into downloading malware or parting with sensitive information.
Phishing attacks increasingly co-opt trusted social media brands like WhatsApp, Facebook and Twitter, as well as cloud apps like Google Apps, Office 365 and Dropbox, and use them as a launch pad for their phishing campaigns, security experts say.
By leveraging the trust intrinsic to the social media or cloud tools website, the attackers improve their odds of distributing malware and spam. This is a trend that poses challenges for consumers and for security administrators at small and medium-size businesses with meager security resources.
“There is no shortage of creativity on the cyber criminal side for who to target and how,” says Fatih Orhan, director of technology at security vendor Comodo’s Threat Research Labs.
Emails exposed to spoofing
Over the past few months, several security vendors have reported seeing attacks involving the use of spoofed messages from Facebook, WhatsApp, Twitter and Google. The messages purport to be innocuous alerts from the operators of the social media and cloud tools sites and are designed to trick recipients into clicking on a malicious link or attachment.
These attacks often arrive as a notification or an alert about:
- Some sort of security threat
- A just-delivered voice-mail message waiting to be heard
- An audible warning being missed
- A video message waiting to be viewed
Recipients who interact with such messages typically have ended up downloading malware onto their systems. The enormous reach of social media networks like Facebook and WhatsApp makes them attractive targets for phishers, Orhan says.
‘Official’ communication officially fake
Earlier this year, Comodo analysts spotted two separate malware campaigns targeting consumers and businesses using Facebook and WhatsApp. In both cases, the attackers used emails disguised to look like official communication from the companies to try to distribute a data-stealing malware tool dubbed Nivdort.
The rogue emails were sent from external servers, but a recipient would have known that they did not originate from Facebook or WhatsApp only by hovering over the “From” field of the email.
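The check a recipient makes by hovering over the “From” field can be automated at a mail gateway. The following is an added example, not code from Comodo or from the original article; the brand-to-domain allowlist and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of domains each brand legitimately sends from
# (illustrative only; maintain your own list).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "whatsapp": {"whatsapp.com"},
}

def sender_domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""

def domain_matches(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def impersonated_brand(raw_message):
    """Return the brand named in the From display name when the actual
    sender domain does not belong to that brand, otherwise None."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = sender_domain(addr)
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_matches(domain, allowed):
            return brand
    return None

# Constructed sample messages (not taken from the campaigns described).
SPOOFED = 'From: "WhatsApp" <notify@mail.example.net>\nSubject: Missed voicemail\n\nbody'
GENUINE = 'From: "Facebook" <security@facebookmail.com>\nSubject: Login alert\n\nbody'
# A brand address placed in the display name, and a lookalike domain.
ADDR_IN_NAME = 'From: "security@facebook.com" <alerts@example.org>\n\nbody'
LOOKALIKE = 'From: "Facebook Security" <no-reply@facebook.com.example.org>\n\nbody'

if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE, ADDR_IN_NAME, LOOKALIKE):
        print(raw.splitlines()[0], "->", impersonated_brand(raw))
```

A display-name check of this kind complements SPF, DKIM and DMARC evaluation rather than replacing it, since those authenticate the sending domain but not the name shown to the recipient.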
The ability of Facebook and WhatsApp to recognize and halt such attacks is limited. “These popular, trusted sites usually are not aware of these types of attacks, and they cannot control any part of the attack, unfortunately,” Orhan says. “However, they can cooperate with security companies to have a closer focus on their brand and platform so they can instantly detect threats,” he says.
Criminals expand dirty deeds
Hackers have been exploiting brand trust to go after social media network users in ways that go beyond malware delivery. Last August, security vendor Adaptive Security reported that WhatsApp was being used to distribute spam related to a pump-and-dump scheme. What made the campaign noteworthy was that it marked the first time that criminals had leveraged a social media application, instead of the usual email and text messages, to proliferate the spam.
Earlier this year, AdaptiveMobile reported on a slew of spam campaigns in the form of picture messages sent via Kik Messenger, a popular, free social media application that lets users share pictures, chat and interact across multiple platforms. Each of the campaigns was tied to specific seasonal events, like Halloween, Thanksgiving and Cyber Monday.
“Essentially [attackers] are using the trust built by the company and emotional triggers to motivate people to react,” says Scott Gréaux, vice president of product management at threat management service provider PhishMe.
Another example is an email that informs the recipient that one of their social media accounts has been compromised and instructs them to follow a link to review the activity and re-enable their account.
“The irony is that they use a made-up compromise to execute a real one—pretty ingenious,” Gréaux says.
Cathal McDaid, head of the Threat Intelligence Unit at AdaptiveMobile, says associating a popular social media or cloud app with a malicious message or posting gives the communique more legitimacy.
Users of Facebook, Google and Craigslist all have been big targets in recent months, he says. And while the targets of these attacks are the end users, the social media and Web app vendors are exposed, too. They stand to take increasingly heavy reputational hits if trust-leveraging attacks continue, McDaid says.