Scammers using social media brands to launch phishing, fraud and malware attacks, study says

Businesses are now investing heavily in social media, in efforts to ensure that their brands and products attract attention, but cybercriminals have been found to be exploiting this.

According to cybersecurity firm Proofpoint, the social media victim pool is "huge", especially given estimations that indicate that by 2018, a third of the Earth's population will have created social media accounts. Scammers posing as legitimate brands on social media can trick victims into revealing sensitive information.

"Fraudsters create fake accounts to steal data and disrupt business. Some are as simple as unwanted protest accounts. Others might link to phishing and malware. Through fraudulent accounts, criminals can swipe all kinds of personal information: bank logins, credit cards, and even Social Security numbers," Proofpoint says in a report which highlights social media brand fraud.

Proofpoint VP of Business Development Ray Kruck told IBTimes UK: "Social media brand fraud is highly lucrative. Fraudsters can make money by compromising bank accounts, selling counterfeit goods and services, or scamming followers into giving up their credit card information. The majority of fraudsters target financial service and retail brands. Online banking and ecommerce transactions make these verticals prime targets for moneymaking attacks. The lucrative nature of social media fraud is reflected in the accelerating pace of fraudulent accounts and attacks. We've already seen a 150% increase in social media phishing in 2016 over 2015."

Proofpoint's report is based on research conducted on top 10 brands that made the 2015 Brand Directory list. The brands researched by the firm included Samsung, Amazon, Sony, Starbucks, Nike, Chanel, BMW, Capital One, DirecTV and Shell.

Phishing, malware and scams major cyberfraud tools

Proofpoint says that 600 new fraudulent social media accounts cropped up every month in the second quarter of 2016 alone. Of the over 4,800 social media accounts linked to top 10 brands, 19% were found to be fraudulent and of the 902 fraudulent accounts associated with the top 10 brand names, almost 30% were found to be promoting "scams or offers for counterfeit products and services".

"The highest percentage of fraudulent accounts (18%) spread scams that attempted to lure consumers to click on fake goods or services deals. A scammer posing as DirecTV and tweeting about an 'amazing deal' on a year of service can potentially collect numerous credit card numbers before getting shut down," Kruck said.

A relatively smaller percentage of fraudulent accounts were found to be distributing malware and engaged in phishing scams. Other fake accounts were also created by people motivated by political agendas or those looking to attack a brand. However, according to Kruck, both malware and phishing can pose a major threat to brands.

Kruck said: "Malware definitely poses a big threat to followers. Hackers using malware can access sensitive data stored on personal devices. However, phishing also poses an immediate risk and is the fastest growing social media threat. We have already seen a 150% increase this year vs. the same period in 2015, including campaigns that target major retail bank and online payment service customers.

"In this scenario, hackers create fake customer support accounts and wait for customers to reach out for support on social media. Then the fraudsters respond using the fake account and trick the customer into giving up online credentials and other sensitive information, including social security numbers. These kinds of attacks can result in compromised bank accounts and full-blown identity theft."

Hackers posing as legitimate accounts

Proofpoint's report highlights that social media scammers use several techniques to lure in victims. One involves creating fake accounts that pose as legitimate brands, in efforts to hoodwink users into engaging with them. "Fake accounts so closely resemble the real corporate account that telling them apart can be difficult for novice users. They often retain the company's look and feel, including official logos. The only difference might be something as small as one character in the Twitter handle, such as @askmajorbank vs. @ask_majorbank," Proofpoint explains.

These fake accounts also offer fraudulent services such as free products, discounted services, customer support or even software updates, in efforts to engage with victims. Although both Twitter and Facebook have verified accounts, Proofpoint says that the verification is not necessarily "foolproof". Tweets and posts do not come with the blue verified badge, likely making it easier for hackers operating fake accounts to insert themselves into conversations posing as legitimate brands.

Many customers are unaware of the significance of the verification badge. "Fraudsters often mimic the verified badge. They include the blue checkmark in their profile or background images. Even users aware of the badge may not notice that it is in the wrong spot," Proofpoint says.

How do social media scams work?

According to Proofpoint, hackers launch the attack by creating fake accounts. They then use a variety of methods, including posing as CEOs or customer service accounts and more, in efforts to lure in victims. Proofpoint researchers say that hackers are known to strike at the most opportune time, often waiting for evenings or weekends, when businesses' official customer support teams and employees are less likely to monitor activities, to strike. "When the criminals see a customer contact your brand's account, they hijack the conversation by responding directly to that customer through a fake support page," the firm says.

Scammers also create fake accounts primarily aimed at generating ad revenue. "Enterprising fraudsters use your brand identity to trick followers into visiting junk websites," Proofpoint explains, adding that the sites spam customers with ads, prompting them to download adware.

How to avoid falling victim to social media brand scams

Both businesses as well as social media users can avoid falling victim to social media scams by incorporating certain basic security measures. Kruck said: "Followers should educate themselves on social media verification. Both Facebook and Twitter verify legitimate accounts for major brands. Always check for the blue verification checkmark (it should appear next to the brand name on their profile page, not in the cover image or profile picture.) Many fraudsters put a fake checkmark in their profile picture to trick followers.

"Also, never click links in Tweets or direct messages unless you can verify the sender is in fact a verified brand page. Keep in mind if it seems too good to be true, it probably is. Avoid 'great deals' on social media and buy directly from the secure [https] web page of the brand in question."

He also pointed out that businesses should be more vigilant in tracking social media activities to ensure that their brands are not being misused by hackers. Kruck added: "These scams are already finding success, so they don't need to evolve or change to defraud customers. Instead, they simply need to proliferate.

"The number of fraudulent accounts on social media will continue to rise. It is easy and free for hackers to create fake social accounts, so the barriers to entry are very low. Brands must be vigilant. They need to discover and proactively take down fake social accounts. They should also educate their customers on the risk of social media fraud."