When we talk about phishing, the first thing people associate it with is the traditional phishing email. The “click here”. The “urgent action needed” kind of junk we see every day in our inboxes… but is this still the case? Are we falling behind the times?
Over the years things change, and we see criminals using new and different ways to entice people to click. When you’re tasked with getting large numbers of victims to click a link and instigate the download of malware or input their credentials, traditional email phishing could work, yes… but there is a better, more efficient way – and hackers know just how good it is! It’s also likely to bypass all the email content filtering and network limitations you use to stop phishing prior to the dreaded click.
Phishing has grown up and evolved: why bother with setting up a phishing server, managing a botnet to send emails from and bypassing spam filters when there is an easier way? We took to Twitter to try and find a few malware-laden treats and we were spoilt for choice!
We wanted to replicate one common scam we found. Short of a red leotard, we focussed on the Twitter posts claiming to gift people ‘cryptocurrency’: the posters claimed they had gained enormous wealth from investing early and were feeling generous. Some posts offered 1 BTC (approx. £8,500) for a simple like and retweet. It’s refreshing to see the platform and tools have changed, but the grim, predictable patter of fraudsters hasn’t!
So we have a Twitter account, know a thing or two about social engineering and have a payload we are trying to get across – in the form of educational information and videos. If they can trick people into installing malware, why can’t we trick people into taking training? OK, they might not have wanted said training (despite there being a clear need for it), but we’re not going to ruin anyone’s day! We made sure to tick off some boxes with regards to ethics and data collection too. We designed the following tweet:
We’re giving away 25 #BTC to random, lucky people who like and retweet this post. You will then have to register your details using the link. We hope to raise awareness of #InfoSec when dealing with #cryptocurrency.
— AntiSocial Engineer (@antisocial_eng) 21 January 2018
Now, after a short while, people started liking, retweeting and clicking on our tweet. We used Google Analytics to keep track of the high-level stats (similar to advertisers) and we discovered something quite alarming.
The typical click engagement rate for traditional bulk phishing is around 20% of emails sent, maybe 60–80% if you’re sending a handful of good spear-phishing emails. But after 3 days we found the stats to be:
Can you imagine, in a workplace setting, if one email got in and 407 people were close to clicking it, 100 people clicked it and 43 shared it around the office? It seems phishing through social media is here to stay, as it is incredibly efficient at doing what phishers like to do – getting you to click.
How to stop this being a risk in the workplace.
- Block the domains of social media outlets such as Facebook, Reddit and Twitter – where possible! If your work involves social media then this won’t be an option.
- Educate staff about the way phishing is changing: take the knowledge they already have about senders, domains and SSL and reapply it by teaching them the similarities.
- A good web proxy would help block some of these attacks post-click – but it won’t help you on an employee’s own mobile phone, off your network.
- Education – seriously, twice. The open platforms social media brings to scammers mean very few technical limitations are going to work; employees are the best people to stop these attacks in their tracks.
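As an added illustration of the proxy-side check mentioned above (example code, not part of the original post or the author’s tooling), this script reviews constructed proxy log lines, picks out requests whose Referer is a social media platform, and flags unvetted destinations that several distinct staff reached that way – the mass-click pattern the experiment produced. The log format, the social-platform list and the vetted-destination list are all assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic). Assumed format:
# timestamp client_ip "METHOD url" status "referer"
SAMPLE_LOG = """\
2018-01-22T09:01:10Z 10.0.0.12 "GET https://intranet.example.local/news" 200 "-"
2018-01-22T09:02:31Z 10.0.0.12 "GET https://giveaway-registration.example/btc" 200 "https://twitter.com/"
2018-01-22T09:02:45Z 10.0.0.19 "GET https://giveaway-registration.example/btc" 200 "https://t.co/abc123"
2018-01-22T09:03:02Z 10.0.0.23 "GET https://www.wikipedia.org/" 200 "https://twitter.com/"
2018-01-22T09:04:11Z 10.0.0.31 "GET https://giveaway-registration.example/btc/form" 200 "https://www.facebook.com/"
2018-01-22T09:05:40Z 10.0.0.44 "GET https://example.com/" 200 "https://www.google.com/"
"""
# Hypothetical lists: platforms whose referrals we review, and vetted destinations.
SOCIAL_REFERRERS = {"twitter.com", "t.co", "facebook.com", "reddit.com"}
KNOWN_GOOD = {"intranet.example.local", "www.wikipedia.org"}
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def social_referred_destinations(log_text):
    """Map each unvetted destination host reached via a social-media referer
    to the set of client IPs that visited it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        _ts, client, _method, url, _status, referer = m.groups()
        ref_host = urlparse(referer).hostname if referer != "-" else None
        dest_host = urlparse(url).hostname
        if not ref_host or not dest_host:
            continue
        if host_matches(ref_host, SOCIAL_REFERRERS) and dest_host not in KNOWN_GOOD:
            hits[dest_host].add(client)
    return hits

def flag_campaigns(log_text, min_clients=2):
    """Destinations several distinct users reached from social media: the
    mass-click pattern the post describes, worth a proxy block or a review."""
    hits = social_referred_destinations(log_text)
    return sorted((h, len(c)) for h, c in hits.items() if len(c) >= min_clients)

if __name__ == "__main__":
    for host, n in flag_campaigns(SAMPLE_LOG):
        print(f"{host}: {n} distinct clients referred from social media")
```

On the sample data only the giveaway registration site is flagged, with three distinct clients; the Wikipedia visit from Twitter is ignored because it is on the vetted list.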
Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.