Attacks on social media, cloud apps exploit trust in popular free services

Cyber criminals increasingly rely on emotional triggers to get users to react


Phishers have begun leveraging the trust people have in popular social media and cloud collaboration websites to trick people into downloading malware or parting with sensitive information.

Phishing attacks increasingly co-opt trusted social media brands like WhatsApp, Facebook and Twitter, as well as cloud apps like Google Apps, Office 365 and Dropbox, and use them as a launch pad for their phishing campaigns, security experts say.

By leveraging the trust intrinsic to the social media or cloud tools website, the attackers improve their odds of distributing malware and spam. This is a trend that poses challenges for consumers and for security administrators at small and medium-size businesses with meager security resources.

“There is no shortage of creativity on the cyber criminal side for who to target and how,” says Fatih Orhan, director of technology at security vendor Comodo’s Threat Research Labs.

Emails exposed to spoofing

Over the past few months, several security vendors have reported seeing attacks involving the use of spoofed messages from Facebook, WhatsApp, Twitter and Google. The messages purport to be innocuous alerts from the operators of the social media and cloud tools sites and are designed to trick recipients into clicking on a malicious link or attachment.

These attacks often arrive as a notification or an alert about:

  • Some sort of security threat
  • A just-delivered voice-mail message waiting to be heard
  • An audible warning being missed
  • A video message waiting to be viewed.

Recipients who interact with such messages typically have ended up downloading malware onto their systems. The enormous reach of social media networks like Facebook and WhatsApp makes them attractive targets for phishers, Orhan says.

‘Official’ communication officially fake

Earlier this year, Comodo analysts spotted two separate malware campaigns targeting consumers and businesses using Facebook and WhatsApp. In both cases, the attackers used emails disguised to look like official communication from the companies to try and distribute a data-stealing malware tool dubbed Nivdort.

Though the rogue emails were sent from external servers, it was only by hovering over the “From” field in the email address that a recipient would have known that the emails did not originate from Facebook or WhatsApp.
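The "hover over the From field" check described above can be automated at a mail gateway. The following is an added example, not code from Comodo or from the original article: it flags messages whose display name invokes a brand while the actual address domain is not one of that brand's sending domains. The brand-to-domain list and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains the brand sends mail from.
# Illustrative only; maintain the real list from each brand's published records.
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "facebookmail.com"},
    "whatsapp": {"whatsapp.com"},
}

def domain_allowed(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def check_from_header(raw_message):
    """Return (brand, address) pairs where the display name names a brand
    but the address domain is not on that brand's allow-list."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_allowed(domain, allowed):
            findings.append((brand, address))
    return findings

# Constructed sample messages (not taken from the campaigns described above).
SPOOFED = (
    'From: "WhatsApp" <notify@mail.example.net>\n'
    "Subject: You have a missed voice message\n\nListen now.\n"
)
# Brand name embedded as a subdomain label of an unrelated domain.
LOOKALIKE = (
    "From: Facebook Security <alert@facebook.com.example.org>\n"
    "Subject: Account alert\n\nReview activity.\n"
)
GENUINE = (
    "From: Facebook <notification@facebookmail.com>\n"
    "Subject: New login\n\nDetails.\n"
)

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE),
                      ("genuine", GENUINE)]:
        print(name, check_from_header(raw))
```

A message that passes this check is not thereby authentic, because the From address itself can be forged; pair it with SPF, DKIM and DMARC results for the sending domain.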

The ability of Facebook and WhatsApp to recognize and halt such attacks is limited. “These popular, trusted sites usually are not aware of these types of attacks, and they cannot control any part of the attack, unfortunately,” Orhan says. “However, they can cooperate with security companies to have a closer focus on their brand and platform so they can instantly detect threats,” he says.

Criminals expand dirty deeds

Hackers have been exploiting brand trust to go after social media network users in ways that go beyond malware delivery. Last August, security vendor Adaptive Security reported that WhatsApp was being used to distribute spam related to a pump-and-dump scheme. What made the campaign noteworthy was that it marked the first time that criminals had leveraged a social media application, instead of the usual email and text messages, to proliferate the spam.

Earlier this year, AdaptiveMobile reported on a slew of spam campaigns in the form of picture messages sent via Kik Messenger, a popular, free social media application that lets users share pictures, chat and interact across multiple platforms. Each of the campaigns was tied to specific seasonal events, like Halloween, Thanksgiving and Cyber Monday.

“Essentially [attackers] are using the trust built by the company and emotional triggers to motivate people to react,” says Scott Gréaux, vice president of product management at threat management service provider PhishMe.

Another example is an email that informs the recipient that one of their social media accounts has been compromised and instructs them to follow a link to review the activity and re-enable their account.

“The irony is that they use a made-up compromise to execute a real one—pretty ingenious,” Gréaux says.

Cathal McDaid, head of the Threat Intelligence Unit at AdaptiveMobile, says associating a popular social media or cloud app with a malicious message or posting gives the communique more legitimacy.

Users of Facebook, Google and Craigslist all have been big targets in recent months, he says. And while the targets of these attacks are the end users, the social media and Web app vendors are exposed, too. They stand to take increasingly heavy reputational hits if trust-leveraging attacks continue, McDaid says.
