The Anatomy of an Enterprise Social Cyber Attack Infographic

By now, social media has clearly established itself as a dominant force in our lives: Nearly three-quarters of adults who go online use a social network of some kind. More than two of five use multiple social network sites. As a result, cyber criminals are flocking to these sites to trigger attacks, targeting users and organizations. In fact, one-third of data breaches originate via social networks, and companies suffer an average of $5.4 million per attack. [1] Still, only 36 percent have instituted the bare minimum of social media training for employees, and even fewer have active Social Risk Management programs. [2] Employees are directly in the crosshairs, and the “Anatomy of an Enterprise Social Cyber Attack” serves as an introduction to the attack methodologies of adversaries. Through the following tactics, seven in ten individuals fall prey to a cyber attack – putting their employer organizations at risk in the process. Here’s what you need to safeguard against…

When new technology becomes mainstream, it’s sure to quickly attract the cyber criminal. Social media has become part of our everyday lives, both personally and professionally. It has changed the way we communicate with our friends, family, colleagues and customers…and it also has become one of the fastest growing cyber attack vectors. Cyber criminals use social networks, including sites such as LinkedIn, Facebook, Twitter, Skype, and VKontakte, as mediums for launching targeted malware and phishing schemes.

Cyber Criminals Build and Prepare Social Media Bot Armies

Bot Armies* are key to Enterprise Social Cyber Attacks. Cyber criminals aim to masquerade their bots as trustworthy social media profiles. To achieve this goal, they populate their bots with relevant popular content. By posting viral videos and popular articles, and even buying ‘likes’, cyber criminals create social media profiles that potentially reach millions of users.

*There are essentially two types of bots. One is a bot account that is created and operated remotely via software. The other is a “sock puppet” – a false account operated by an individual pretending to be someone or something they’re not. Facebook estimates that between 5-6% of all accounts are bogus. When a group of these bogus accounts is created together to accomplish a common goal, the output is a bot army.

  • Lazy criminals can buy software-controlled bot armies for as cheap as 6¢ per bot
  • Human-verified social bots can fetch a price as high as $1.25

Selecting a Target

Once bots are created, the next step in the preparation phase is selecting a target. In order to increase effectiveness, the cyber criminal will focus attacks against specific organizations, against an organization’s customers, or against the general public via popular topic hijacking (trendjacking)*.

*Trendjacking is a common PR tactic that subverts trending topics and discussions to inject a different message into the conversation. Much like a PR team, the cyber criminal injects malware and phishing attacks, masquerading as another interested party (e.g. #MileyCyrus is trending and the attacker posts – “#MileyCyrus OMG did you see this video of Miley?!”).

Making Connections

In order to initiate an attack, the cyber criminal needs to connect his bots with the targeted victims. More bot connections mean more potential victims. To make connecting more successful, the manager of the bot armies will fill the bots profiles with attractive photos, funny images or anything else to draw the attention of the targets based on their interests.

Even the most savvy can fall victim: think about the business development or sales rep who gets enticed by a bot pretending to want to do business.


The cyber criminal sets up a phishing website disguised as a reliable site.

For example, the phishing site could look just like a bank’s, and ask customers to enter their login credentials.

Phishing is the act of attempting to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.


Cyber criminals hide malscript or malware on websites, where it can launch or download without the target even knowing! All it takes is one errant visit or click to the malicious URL and the attacker has hooked another victim.

Malscript is a type of code similar to JavaScript that can control the functions of a user’s internet browser and alter user files.

Malware is a file that infects devices, networks and systems and is usually repackaged and hidden from traditional anti-virus and anti-malware technologies.

A fraudulent website is built → Website is shared with the target → Website prompts the target to enter sensitive information.

Malware is bought or created → A shortened link to the disguised malware is shared with target → Target clicks link that executes malscript/downloads malware.

The cyber criminal either uses “clean” domains (no bad reputation data) to host these malicious pages or rapidly changes the end location so as to avoid detection by traditional web filters or advanced firewalls.
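A defender-side check for the evasion described above, as an added example that is not from the original infographic: it re-resolves a shared link at click time and flags links that are shortened, whose final destination changed since posting, or that land on a domain with no reputation history. The shortener list, known-domain set and both redirect snapshots are constructed sample data and assumptions.

```python
from urllib.parse import urlparse

# Assumed sample data, constructed for this example (not from the page).
SHORTENERS = {"sho.rt.example", "tiny.example"}
KNOWN_DOMAINS = {"news.example", "bank.example"}  # domains with reputation history

# Two constructed crawls of the same links: URL -> URL it redirects to.
SCAN_AT_POST = {
    "http://sho.rt.example/a1": "http://news.example/video",
    "http://sho.rt.example/b2": "http://hop.example/r",
    "http://hop.example/r": "http://news.example/story",
}
SCAN_AT_CLICK = {
    "http://sho.rt.example/a1": "http://news.example/video",
    "http://sho.rt.example/b2": "http://hop.example/r",
    "http://hop.example/r": "http://fresh-login.example/signin",
}

def host(url):
    return (urlparse(url).hostname or "").lower()

def resolve(url, redirects, max_hops=5):
    """Follow the recorded redirect chain; None if it loops or is too long."""
    seen = set()
    while url in redirects:
        if url in seen or len(seen) >= max_hops:
            return None
        seen.add(url)
        url = redirects[url]
    return url

def triage(url, before, after):
    """Return the reasons a shared link deserves a second look at click time."""
    reasons = []
    first, last = resolve(url, before), resolve(url, after)
    if host(url) in SHORTENERS:
        reasons.append("shortened")
    if last is None:
        reasons.append("redirect-loop")
    elif first != last:
        # The end location was swapped after the link was first checked.
        reasons.append("destination-changed")
    # A "clean" domain has no bad reputation, but it has no good one either.
    if last is not None and host(last) not in KNOWN_DOMAINS:
        reasons.append("no-reputation-history")
    return reasons
```
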

Cyber criminal now has access to account and personal information*

*People will commonly use the same passwords for work accounts and personal accounts. Even a personal phishing attack is of concern to organizations as this might result in privileged access credentials leaking out.

Cyber criminal now has access to your device*

*Malware can be written for any platform and can affect anything from cell phones, tablets, laptops and desktops to servers and storage devices.

The Result → Company breached via social.

The unfortunate truth is 7 in every 10 individuals will fall for a scheme similar to those shown above.

Whether it’s a work laptop or a personal device that gets infected, malware now has access to data, passwords, and anything else worth stealing! In fact, when malware is introduced to an environment, it typically tries to replicate and infect any other systems on the network, even home networks.

Once infected targets connect to the company network, malware can capture data from anywhere across the enterprise.

This means important company data could be easily transmitted back to the cyber criminal.

Consequently, in 2013, one-third of data breaches originated via social → resulting in an average loss of 5.4 million dollars per attack.

Get protected → get the ZeroFox platform to stop social threats.

  • Phishing
  • Social Engineering
  • Malware and Viruses
  • Fraud and Impersonations

The Set Up: Bot Armies

It’s easy for crooks to disguise a planned bot-army attack. They post viral videos and articles and build a profile which can reach millions of users. In addition, they commonly “trendjack” by joining popular social conversations and posing as someone with something to bring to the discussion. Because these posts and profiles actually “belong” to the bots, the criminals target companies, customers and members of the public by getting them to click on seemingly harmless links, such as that of a funny animal video. There are two primary attack methods that these “bots” use, Phishing & Malware.

Distribution: Phishing

Adversaries can set up sites that appear just like any perfectly legitimate corporate property. They can take a logo and establish a presence for a bank which looks every bit as “real” as the financial institution’s, and then proceed to trick customers into entering their login credentials. Ultimately, the phishing culprit seeks to acquire all forms of sensitive information – user names, passwords, credit card numbers, etc. – through these convincing acts of deception. Because users tend to stick to either the same or very similar passwords for both their work and personal accounts, their organization’s network security is immediately placed in jeopardy.

Distribution: Malware

Malware is code similar to JavaScript, and it can control functions of a user’s Internet browser and alter files. It infects devices, networks and systems, and its creators are highly skilled at hiding it from traditional IT security tools. The code is surreptitiously posted on websites that launch or download without the victims even being aware of it. Victims don’t have to click on malware to activate it; computers and devices can get affected just by visiting the troublesome host site. Once the attack is successfully initiated, malware can access all data, passwords and other valuable informational assets on the victim’s machine. In many cases, it will attempt to then replicate and compromise any other system on the network – including a company’s.

Given the wealth of Bring Your Own Device (BYOD) acceptance, organizational leaders should take a position of high vigilance when it comes to social media, their employees and cyber threats. There is too much at stake – proprietary information, customer data, financial statements, etc., as well as systems operational assurance – to dismiss the concerns. At ZeroFox, we deliver an Enterprise Social Risk Management suite to enable organizations to identify, manage and mitigate social media-based information security risk. If you’re interested in learning more, contact us.

[1] Source: Duggan, M. and Smith, A. (2013, December 30). Social Media Update 2013. Pew Research Internet Project. Retrieved June 11, 2014, from

[2] Source: Gesenhues, A. (2013, September 27). Survey: 71% Of Companies Concerned Over Social Media Risks, But Only 36% Provide Employee Training. Marketing Land. Retrieved June 11, 2014, from
