We’ve talked about phishing quite a bit in previous HackingLoops posts. Still, when most people think of phishing, they picture something from the distant past. Even in the infosec world, the word “phishing” evokes Nigerian prince scams offering millions of dollars to gullible email recipients. While these threats still exist, the phishing world has advanced quite a bit since those days. In particular, phishing on social media is now the main attack vector for this genre of attacks.
In this article, we’ll give you a sample of what modern phishing looks like on Twitter. Hands-on learning matters much more than theory, so we’ll create real accounts and walk through the attack step-by-step. After that, we’ll summarize the main kinds of attacks hackers are using on social media today.
Let’s hop on x.com (Twitter’s new domain) and start phishing!
A realistic example of phishing on social media
We’ll start with the most brutal form of phishing on social media: angler phishing.
In this kind of attack, we find someone on Twitter (or any other social media platform) who has a complaint about a product or service. Then, we pretend that we work for that company’s support team and can help them. After convincing the victim to give us sensitive info, we steal their account.
Since we’ll play both the target and the attacker in this example, let’s start by creating an account as the innocent victim and post something that would likely attract the attention of an attacker.
We mention a brand by name because hackers often use Google Alerts to automatically detect complaints about products on social media.
Once the attacker finds our post, they’ll craft a response designed to make us think they work for Walmart and want to resolve our complaint.
Stealing the victim’s account
Once we’re in the victim’s DMs, we try to get them to hand over their account. In the old days, you’d simply try to phish their username and password. However, this tends to make modern users suspicious. Besides, it’s not needed. Instead, get the user to log into a site that requests authentication via Twitter.
This makes logical sense to the user (they need to prove they’re the person from Twitter!), attracts less suspicion (they’re just logging into a website!), and gives you full access to their account.
We’ve all logged in via forms that ask for permissions on our social media accounts, like this one:
Using these social media login buttons trains users to give other sites permission to use their account.
Once the user approves that request, the attacker holds an access token that lets them act as the account. Typically, they’ll add it to a spam network, use it as a bot, or make it follow accounts that pay for followers. The sky’s the limit for the attacker.
The user can remove these permissions in the Twitter UI:
Of course, non-technical users are unlikely to know this feature exists. This also means attackers can steal your account by compromising an app that you’ve connected to your Twitter account.
That’s why leaked databases are so valuable even when passwords are hashed and salted: the apps behind them hold a great deal of other data, such as these access tokens, for a hacker to abuse.
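The tell in the flow above is the mismatch between the pretext (“prove you’re the account owner”) and the permissions the app actually asks for. The following is an added example, not code from the original article: it parses the scope parameter of an OAuth 2.0 consent URL and flags every permission beyond what an identity check needs. The scope names follow Twitter’s OAuth 2.0 scope list as I understand it, and the endpoint shape, client id and redirect host are placeholders, so treat those as assumptions.

```python
"""Review an OAuth 2.0 consent request before clicking "Authorize".
Added example, not from the original article. Scope names follow Twitter's
OAuth 2.0 scope list as the snippet author understands it; the exact set, the
risk labels and the endpoint shape are assumptions."""
from urllib.parse import urlparse, parse_qs

# What a token carrying each scope lets the third-party app do. The high-risk
# ones map to the abuse described above: posting, following, DMs, persistence.
SCOPE_RISKS = {
    "users.read": ("low", "read your profile (enough to prove who you are)"),
    "tweet.read": ("low", "read your tweets"),
    "follows.read": ("low", "read who you follow"),
    "tweet.write": ("high", "post and delete tweets as you (spam network)"),
    "follows.write": ("high", "make your account follow or unfollow others"),
    "dm.write": ("high", "send direct messages as you"),
    "offline.access": ("high", "keep access after you close the tab (refresh token)"),
}

# The angler-phishing pretext ("prove you're the person from Twitter") is
# satisfied by reading the profile alone.
NEEDED_FOR_IDENTITY_CHECK = {"users.read"}

def requested_scopes(authorize_url: str) -> set[str]:
    """Pull the space-separated `scope` parameter out of an authorization URL."""
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())

def excess_scopes(authorize_url: str, needed: set[str] = NEEDED_FOR_IDENTITY_CHECK) -> dict[str, str]:
    """Scopes requested beyond the stated purpose, each with what the token could do."""
    extra = requested_scopes(authorize_url) - needed
    return {s: SCOPE_RISKS.get(s, ("unknown", "not in the known scope list"))[1] for s in sorted(extra)}

def high_risk(authorize_url: str) -> bool:
    """True when any requested scope is write, DM or persistent access."""
    return any(SCOPE_RISKS.get(s, ("unknown",))[0] == "high" for s in requested_scopes(authorize_url))

# Constructed sample: the consent URL a fake "support verification" site might
# send you to. Client id and redirect host are placeholders, not real values.
SAMPLE_URL = (
    "https://twitter.com/i/oauth2/authorize?response_type=code"
    "&client_id=PLACEHOLDER_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fsupport-verify.example%2Fcallback"
    "&scope=users.read%20tweet.write%20follows.write%20offline.access"
    "&state=abc123&code_challenge=PLACEHOLDER&code_challenge_method=S256"
)

if __name__ == "__main__":
    for scope, why in excess_scopes(SAMPLE_URL).items():
        print(f"EXCESS  {scope:15} {why}")
    print("high risk:", high_risk(SAMPLE_URL))
```

Anything listed as excess is exactly what the attacker walks away with once the token is issued, and the `offline.access` scope is why revoking the app in the Twitter UI matters: closing the browser does nothing.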
Common kinds of phishing on social media
Now that we’ve looked at one of the most effective forms of phishing on social media, let’s cover other common attacks. For each attack, we’ll give you three pieces of information:
- The popular name of the attack.
- A full description of how it happens.
- More resources to learn about the attack.
Let’s start with the most famous and work our way down to more obscure attacks.
SIM swapping
You likely already know that your phone uses a SIM card to authenticate with the phone network. SIM swapping is a form of fraud where attackers trick a mobile carrier into transferring a victim’s phone number to a new SIM card under their control. Once successful, the attacker gains access to the victim’s calls, messages, and potentially sensitive accounts tied to the phone number. Usually, they do this by social engineering the phone company.
The motivation behind SIM swapping is typically to exploit the access to the victim’s accounts, such as email or banking, often using the compromised phone number for password resets.
You can protect yourself from SIM swapping by using multi-factor authentication that isn’t tied to your phone number.
For a great real life example of SIM swapping, listen to this episode of Darknet Diaries: https://darknetdiaries.com/transcript/112/.
Romance scam
Love makes people crazy. As a social engineer, that’s exactly how you want your victims: irrational, hopeful, and eager. A romance scam is actually a very old kind of trick – pretending to be a dream lover, then tricking your victim into giving you their money.
But modern romance scams make use of social media. Some even pay amateur actresses in developing nations so they can send their victims real video to show that they’re “real”. This kind of attack is very effective, obviously, and also one of the most soul-crushing for victims.
The Swindled podcast gave one of the best ever presentations of a modern romance scam, here: https://swindledpodcast.com/podcast/32-the-match/.
Entrapment
This one is simple. An attacker goes online, pretending to be an attractive suitor. They then begin a relationship with their target. But unlike the romance scam, they then tell the target the truth! The attacker explains that this is an attack. You see, the target is married. And the hacker will send their entire conversation history to the target’s wife, unless they pay some amount of money.
This kind of extortion varies – sometimes the hacker pretends to be very young, or of the same sex, or whatever other underhanded means might be useful to blackmail the target. Social media has made this kind of attack easier than ever for attackers.
Sometimes, the attacker even creates a fake cheating claim and threatens to tell the husband or wife anyway! For example, https://www.youtube.com/watch?v=pLdINawjysQ.
Learn more about phishing on social media
Whether you work on the defensive side of infosec or, like most HackingLoops readers, you’re more interested in offense, phishing is a fundamental skill. As tech literacy increases, targets are less likely to fall for old-school email scams. That means red teamers need to know subtler avenues of attack like those we describe above. For blue teamers, it means finding novel ways to defend your org from highly complex social engineering attacks that use social media.
To begin upping your skills with social media based attacks, check out some of the resources listed below:
We also recommend seeing what attackers are actually up to by snooping around cracking forums like nulled.to and ogusers.gg. Often, threats being discussed on these forums won’t appear in educational courses until years later.
So stay up to date, never stop learning, and happy hacking!