Impersonator accounts on external social and digital channels are a well-known social engineering technique used by cybercriminals. Impersonators spoof a company’s brand or an executive’s persona, hijack its logo, messaging, and executive or product photos, and mimic the authentic account in order to attack employees and defraud customers. Once trust is established, victims are more willing to engage with the impersonator, click on malicious links, and comply when prompted for credentials, personal information, or direct money transfers. Impersonator accounts are so pervasive and lucrative that social networks have introduced verified blue badges to help everyday users tell them apart from legitimate accounts.
But why impersonate an account when you can own it outright? Building on the success of impersonator campaigns, hackers have turned to more aggressive and sophisticated techniques to compromise target accounts altogether, assuming complete control over their online identities. Once an account is compromised, defenses like verified badges turn into a liability for would-be victims: users don’t stand a chance when they’re targeted by attackers who actually control legitimate, verified accounts.
On the heels of recent high-profile social media account takeovers comes news that the cryptocurrency investment platform Enigma had its Slack channels compromised by scammers. Using the official Enigma staff accounts, the hackers posted messages to a Slack channel of over 9,000 users who had logged in to learn more about its upcoming ICO, urging them to send Ether to the attackers’ crypto wallet. Obliging users have collectively suffered about half a million dollars in losses, and counting.
Enigma’s response to the breach.
Cryptocurrencies are one of the more lucrative brands targeted by impersonators and account hijackers. They’re decentralized, making it hard to recover any losses; they’re pseudonymous, making real-world attribution difficult; and transactions are practically irreversible, rendering it nearly impossible to recover losses after attacks like scams and ransomware delivery. For these reasons among others, cryptocurrencies have blossomed into hackers’ and scammers’ preferred method of payment, especially in the realms of DDoS extortion and ransomware. Social channels like Slack provide access to a key demographic of digitally connected people who are most interested in getting into the booming crypto game, but who also lack the specialized expertise needed to tell a legitimate offer from an illegitimate one.
How did the hackers manage to take control of the Slack accounts in the first place? As was allegedly the case in other recent social media account takeover incidents, the attackers compromised accounts through “credential stuffing,” which relies on victims reusing weak or overlapping passwords across multiple digital accounts. When attackers obtain a password that was dumped as part of a previous third-party breach, they can pivot and try the same password, or slight variations of it, to log in to the victim’s other digital accounts.
To mitigate credential stuffing attacks, ZeroFox Alpha Team recommends the following actions:
- Enable multi-factor authentication on all of your social and digital accounts.
- Check to see whether one of your accounts has ever been compromised in a large-scale data breach using a service like https://haveibeenpwned.com.
- Be aware of too-good-to-be-true offers, especially when they involve sending cryptocurrency payments.
- Be vigilant when engaging with the social media accounts of legitimate cryptocurrency brokers or trading platforms, as they are frequently victims of convincing impersonations.
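A detection-side illustration of the credential-stuffing pattern described above, added here as an example and not ZeroFox’s or Enigma’s own code: it scans constructed login log lines (a hypothetical log format; the IPs are from documentation ranges) and flags sources that tried many different usernames with mostly failures, listing the accounts that succeeded from such a source so they can be reset first.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Enigma data); IPs are from documentation ranges.
SAMPLE_LOG = """\
2017-08-21T10:00:01Z auth=fail user=alice ip=203.0.113.5
2017-08-21T10:00:02Z auth=fail user=bob ip=203.0.113.5
2017-08-21T10:00:02Z auth=fail user=carol ip=203.0.113.5
2017-08-21T10:00:03Z auth=ok user=dave ip=203.0.113.5
2017-08-21T10:00:04Z auth=fail user=erin ip=203.0.113.5
2017-08-21T10:00:05Z auth=fail user=frank ip=203.0.113.5
2017-08-21T10:01:00Z auth=fail user=alice ip=198.51.100.7
2017-08-21T10:01:09Z auth=ok user=alice ip=198.51.100.7
"""

# Hypothetical log format; adapt the pattern to the real login log.
LINE_RE = re.compile(r"auth=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def detect_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag source IPs that tried at least `min_distinct_users` different
    usernames with a failure ratio of at least `min_fail_ratio`. A user who
    forgets a password retries one account; a stuffing run walks a breach
    list across many accounts and mostly fails. Returns {ip: finding}, where
    `compromised` lists accounts that authenticated successfully from that
    source and should be reset and reviewed first."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "ok": 0, "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not authentication events
        rec = per_ip[m["ip"]]
        rec["users"].add(m["user"])
        if m["result"] == "ok":
            rec["ok"] += 1
            rec["ok_users"].add(m["user"])
        else:
            rec["fail"] += 1

    findings = {}
    for ip, rec in per_ip.items():
        fail_ratio = rec["fail"] / (rec["fail"] + rec["ok"])  # at least one attempt per IP
        if len(rec["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {"distinct_users": len(rec["users"]),
                            "failures": rec["fail"],
                            "compromised": sorted(rec["ok_users"])}
    return findings
```

On the sample above only 203.0.113.5 is flagged (six usernames, five failures, one success for dave); the single user retrying from 198.51.100.7 is left alone.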