Alex Archondakis, from the BCS Internet specialist group, discusses the rising trend of using social media for spear phishing.

Phishing attacks are on the rise as they are simple and effective. There are three main kinds of payloads used in phishing attacks:

  1. Technical payloads such as ransomware via an attachment or malicious web link
  2. Psychological payloads such as business email compromise
  3. Credential theft via spoofed password reset links or keyloggers

Since 2015 Ransomware increased by 752 per cent with known ransomware families jumping from 29 to 247; and it hasn’t slowed down since. Most famous among ransomware is WannaCry which infected the NHS in 2017.

Business email compromise is becoming increasingly popular. This type of attack uses a spoof email address of a senior executive (CEO, COO etc.) to, for example, send an email to the finance department requesting a payment to an attacker-controlled account. The average loss after a business email compromise attack is $140,000. Some companies have lost a lot more - Leoni AG lost a whopping $44.6 million in a business email compromise.

Phishing emails are usually easy to spot as they are often written in broken English, use unconvincing email addresses and title the emails with greetings like ‘Dear Customer’ - but what if an attacker took the time to spoof an email address and research the victims? This is called spear phishing.

Social media has made spear phishing a lot easier. People are constantly posting private information without realising how it can be used against them, for example:

Bob goes on holiday to Greece and stays in a hotel called ‘Hotelia’. On his return Bob uploads his holiday pictures which have the hotel name in the background onto social media. An attacker sees this and contacts the hotel via email asking a basic question like ‘do you have gym facilities’ so that they can study the email structure and copy the footer / branding.

The attacker now creates a malicious email using Hotelia’s branding and footer, stolen from the email. The title and body claim to have found items of value left in the room shortly after Bob checked out asking to confirm if these items belonged to him by either viewing infected files attached to the email, or a malicious link. Bob clicks on the payload and the computer becomes infected.

When Bob receives this email, he will have little reason to doubt the legitimacy of the email as it is based on valid information i.e. that he has just returned from a stay at Hotelia.

In a typical Penetration test spear phishing engagement, the team starts by looking at Linkedin and profiles those individuals who they believe will be the most likely to click on a link or download an attachment. A typical profile would be someone that has recently joined the company as they may not have had any security awareness training and may work in a non-technical role. The team will try to find as many of these types of employees as possible.

The next stage is to look at all the social media accounts for the chosen employees and build a profile based on interests, hobbies etc. until a scenario for an attack is created. For example, whilst profiling Vulncorp, our team found Alice who had recently joined the organisation and works in a non-technical role and is a passionate runner. The team created an email pretending to have pictures of Alice running at her last event to trick her into clicking on the link or attachment and becoming infected.

In conclusion, every day social media use is becoming a playground for hackers to find out personal data and profile victims. Businesses should try to perform regular security awareness training for their staff to help protect against spear phishing and educate them on the dangers of using social media.

About the author

This blog is brought to you by the members of the BCS Internet specialist group and allows you to harness their skills, expertise and knowledge. The internet is ubiquitous and has a major impact on our daily lives, at work, at home on the move. The associated risks and security concerns are real, but the magic and advantages of the internet are significant.