BLOG

The Dirty Dozen Worst Social Media Attacks We’ve Seen

In recent years, social media has become a hotbed for cybercriminal activity. Attackers are drawn to these channels because they make finding and engaging targets trivial, are easy and cost effective to use, are simple to create fraudulent accounts, and allow the spread of malicious content at an unprecedented scale and efficiency.

From the recent Vevo breach stemming from a LinkedIn phishing attack to Russian operatives using Twitter to spearphish and distribute malware to the United States Department of Defense, advanced, large-scale cybercrime on social media has become mainstream. The worst social media attacks are getting more dangerous and more frequent. In light of National Cybersecurity Awareness Month, the ZeroFOX team compiled a list of the dozen worst, press-covered social media attacks of all time to demonstrate the growing need for safeguarding these platforms. In no specific order, here’s the worst social media attacks we’ve seen:

  • 10K US government employees spearphished with malware-laced posts
    • TIME: http://time.com/4783932/inside-russia-social-media-war-america/
    • Early 2017
    • Targeted Phishing/Malware, Fraudulent Accounts
    • In early 2017, Russian operatives sent over 10,000 custom phishing messages via social media, each link laced with malware enabling the attacker to access and control the victim’s device. This attack represents a major advancement in cyber capabilities and an escalation of Russia’s cyberwar against the US. This is the most well-organized, coordinated attack at the nation-state level we’ve ever seen.
  • Fake social media persona sends malware to employees via social media
    • SecureWorks: https://www.secureworks.com/research/the-curious-case-of-mia-ash
    • July 2017
    • Targeted Phishing/Malware, Fraudulent Accounts
    • Attackers created an incredibly compelling fake persona, a London-based photographer named Mia Ash, and connected with corporate employees. The attacker disseminated a Remote Access Trojan (RAT), called PupyRAT, via the social media honeypot accounts to hijack the controls of victims’ devices. The persona had accounts across several popular social networks.
  • 3rd-party app leads to hundreds of high-profile account compromises
    • TechCrunch: https://techcrunch.com/2017/03/15/twitter-counter-hacked/
    • March 2017
    • Account Takeover
    • A vulnerability in a 3rd-party app called TwitterCounter, allowed Turkish-language attackers to hijack controls of hundreds of high-profile accounts. They posted aggressive messages against the Netherlands after a contentious week of deteriorating relations between the Netherlands and Turkey and pivotal elections in both countries. The posts used swastikas and called the Dutch “nazis.” The breached accounts included a number of global brands and well-followed, verified accounts, including Forbes, the official Bitcoin Blockchain account, Starbucks, the European Parliament, UNICEF, Nike and Amnesty International.
  • HAMMERTOSS malware uses social media as Command & Control tool
    • FireEye: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf  
    • July 2015
    • Malware/Data Exfiltration
    • The HAMMERTOSS malware automatically searches social networks for commands posted by attacker profiles, allowing cybercriminals to control the malware via social media posts. The attacker group behind this malware is also responsible for attacks against the White House, the Joint Chiefs of Staff, the State Department and other nation-state governments, such as Norway. This novel approach to weaponizing social media shows the need to analyze social media as a full lifecycle attack vector.
  • Financial crime runs rampant on social networks
    • TechCrunch: https://techcrunch.com/2016/08/26/tracking-instagrams-money-flipping-scammers/
    • August 2016
    • Fraud & Scams
    • ZeroFOX researchers revealed the vast underground world of financial crime on social media, in which scammers prey on the followers of verified banks with fraudulent financial services offerings, including card cracking and money flipping. The scale of the problem is massive, with nearly a quarter-million posts for a single type of scam on a single social network. The problem was found on every major social media channel and results in hundreds of millions of losses annually.
  • LinkedIn hacked, exposing 117 million credentials
    • Motherboard: https://motherboard.vice.com/en_us/article/78kk4z/another-day-another-hack-117-million-linkedin-emails-and-password
    • May 2016
    • Data Breach, Account Takeover
    • The networks themselves get breached as well. The 2016 LinkedIn data dump was the 7th largest in history by sheer number of compromised items, according to HaveIBeenPwned.com. The breach, which originally occurred in 2012, resulted in an eventually 117 million exposed email and password combinations, which were sold on the dark web for 5 bitcoin.
  • Nation states abuse social networks for targeted attacks and propaganda
    • Newsweek: http://www.newsweek.com/russia-putin-bots-linkedin-facebook-trump-clinton-kremlin-critics-poison-war-645696?amp=1
    • Targeted Phishing & Malware
    • Nation states, notably Russia, have a long history of weaponizing social media, including spreading fake news to flame contentious political scenarios in other countries, starting events for controversial groups, identifying possible influencers, building automated, bot-driven like farms to inflate dangerous posts, and spreading propaganda. Recently, Facebook disclosed that Russians even used paid advertisements to promote salacious propaganda and controversial public gatherings. Sometimes, these are soft, social tactics meant to push the needle in one direction or another. Other times, like that covered in part 1 of this list, are outright technical cyber attacks. Over the years, the tactics have been diverse and effective.
  • Phishing direct messages (DMs) sent to customers from compromised brand account
    • Softpedia: http://news.softpedia.com/news/Bank-of-Melbourne-Twitter-Account-Hacked-222511.shtml
    • September 2011
    • Account Takeover, Targeted Phishing & Malware
    • In September of 2011, an Australian bank suffered the worst case scenario for an account takeover, in which attackers didn’t immediately vandalize the account or post inflammatory messages, but instead sent DMs to followers asking them to disclose sensitive financial institutions. While most account hacks are merely embarrassing and costly from a brand and public relations perspective, they can also be used for large scale cyber attack against a brand’s most loyal and engaged followers.
  • Vevo hacked via targeted LinkedIn phishing attack, 3.12TB exfiltrated
    • Gizmodo: http://gizmodo.com/welp-vevo-just-got-hacked-1813390834
    • September 2017
    • Targeted Phishing and Malware
    • Streaming service Vevo suffered a breach when one of its employees was phished via LinkedIn. Hackers were able to obtain and publicly release 3.12TB worth of the company’s sensitive internal data. The professional social network allows attackers to rapidly identify their target at a specific organization and send them a personalized message, all under the auspices of professional networking or recruitment.
  • Enigma’s Slack and website hacked, a half million in Ether coin stolen
    • TechCrunch: https://techcrunch.com/2017/08/21/hack-enigma-500000-ico/
    • August 2017
    • Fraud & Scams, Account Takeover
    • Social collaboration tools are an often overlooked genre of social platforms that pose a new security risk. In 2017, the Slack community channel of Enigma, a startup exchange for the cryptocurrency Ethereum, were breached by attackers. The attackers impersonated the executives of the company and instructed the community members to send their Ethereum coin to a specific coin wallet, stealing roughly a half million worth of the cryptocurrency.
  • Extremist groups weaponize social media to spread propaganda, hack accounts and recruit new members
    • ZeroFOX: https://www.zerofox.com/wp-content/uploads/post/ISIS_Terror_Social_2015.pdf
    • 2014-2016
    • Extremism
    • Although not a cyberattack in the traditional sense, this list would not be complete without mention of extremism, which is perhaps the most notorious abuse of social media. Several extremist groups have built sophisticated and effective online propaganda engines, exploiting many mainstream networks such as Facebook, YouTube, Twitter, Telegram, WhatsApp and Diaspora. Their efforts resemble a well-oiled marketing department, employing experts in PR and design to ensure a legitimate appearance. Using social media, extremist groups have has mastered the art of making the voices of a few sound like the voices of millions. Finally, they use the global scope of social media to recruit members from around the globe.