Have you ever wondered what it would be like to have a conversation with a phishing account? Over the course of one enthralling hour, one of ZeroFox’s Cyber Analysts had the pleasure of getting to know the intimate details and the supposed underpinnings of a venerable talk show host – Mr. Jimmy Fallon [cue applause].
It’s no secret that there are millions of fraudulent accounts across the social web. While some of these accounts are benign, many others are imbued with malicious intent. Whether their aim is to socially engineer unsuspecting employees or to disseminate customer scams, impersonators have quickly become a security issue across all industries.
In ZeroFox’s case, we wanted to see how far we could take an innocent conversation before things took an interesting turn. For your reading pleasure, we’d like to take you through a play-by-play analysis of the juicier bits of conversation that took place between us and the phishing account.
One thing to note before we dive in is that some of this content may be tough to read – literally. The grammar skills “Mr. Fallon” possesses are laughable at best. You would think he’d have a stronger command of the English language – you know, being a talk show host and all [cue laughter].
Here we go [cue applause]:
The impersonator starts off strong by trying to establish rapport with one of his “fans.” Winning the confidence of an individual is key to successfully pulling off a social engineering attempt. Also, so far no overt grammar mistakes. Off to a good start, Jimmy.
Mr. Fallon provides background information to further his confidence trick. He even openly acknowledges that this account is not his official one, which raises an eyebrow. Maybe he’s typing too rapidly to try to get through the insurmountable amount of fan messages. Probably not, but who are we to judge.
The Analyst pulls at the heartstrings of this impersonator by fully investing in the conversation. For the record, this fake Jimmy Fallon had just over 100 followers. Another key component of a successful social engineering attempt is to build credibility by attracting a large number of followers on a social network.
The Analyst asks Mr. Fallon an innocent question to see if he is able to help raise awareness for a good cause. Fake Jimmy responds (with questionable grammar) and continues to build his case that he is the real host of the Tonight Show. Fake Jimmy has yet to break character. Impressive.
The next move Fake Jimmy pulls is an interesting, but calculated, one. The impersonator tries to steer the conversation away from the Analyst to focus on himself. He mentions he must go and deal with urgent issues, ultimately luring the victim to inquire deeper. So, we inquired.
Fake Jimmy was doing so well until now. Firstly, the number of grammatical errors is outstanding, to say the least, and ultimately dilutes his credibility. Secondly, the overall ambiguity is concerning; however, this may be a purposeful strategy. Lastly, receiving “a million dollars” for completing a good deed only adds to the fishiness of the situation.
However, you have to give Fake Jimmy credit — he does not forget about the Analyst’s initial request to raise awareness for her organization. He also employs one of the most effective forms of rhetoric — pathos. Many cyber criminals understand human psychology and are able to manipulate their victims easily, particularly via social media because of its trusted nature, scale and ease.
Just for fun, these are some last minute concerns we have: Who is “immediately” paying him “a million dollars?” Why does he refer to himself in the third person at the end? What does it take to “finish this task successfully?” What are grammar? There are just too many questions. It cannot end here. The show must go on.
The Analyst, again, plays the part of a naive victim and takes the impersonator’s bait. Because, why not? We’ve already made it this far. It would be unfair to not know how this ends.
If we were all young, naive children, the conversation up to now would be bizarre, at worst. However, these particular comments are strong indicators that this conversation is a serious social media security threat.
Note the casual nature of the comment and the continued use of pathos. He also mentions other volunteers, promoting a bandwagon-type sentiment. People like to feel like they are a part of something.
Social media security 101: Never share your personal information with anyone on social media — particularly if it’s a talk show host who is requesting money via MoneyGram. This is next-level shadiness, and further confirms this as a real social media security threat.
In case it was not clear, this solidifies the issue. Fake Jimmy is requesting a direct payment to Nigeria, rather than through himself. This is the final red flag, and ultimately illuminates Fake Jimmy’s intent.
So there you have it. A real-life social engineering attempt caught on record. It’s important to note that not all social engineering attempts are this easy to sniff out. Many cyber criminals do a bit of research to understand their target before attacking. The adversary used a simple technique called impersonation, exploiting the familiarity of a well-known individual. Social engineering can happen in any situation and is used frequently against large enterprises to obtain passwords, sensitive information, and PII. [cue applause]
Social media is a powerful tool that organizations should learn to leverage. Unfortunately, social media also makes cyber attacks, such as social engineering, easier and more effective. Don’t let your organization fall victim to social media security threats. Follow these easy steps to use social media safely and have a wonderful night, folks. [cue applause and credits]:
- Be aware of who is trying to befriend you. On any network, always think twice before accepting a friend request.
- Never disclose information over social media that has the possibility of compromising you or your organization.
- When posting something on social media, make sure it is compliant with the regulations of your organization and industry. Understand that the things you post can impact your organization’s brand and image.
- Be cautious when clicking on shortened links. There are many links in the wild that are malicious.
- If something seems fishy (or phishy), report it. It’s better to promote a risk-aware culture than to compromise your organization’s security.