Why is it profitable for attackers to target social media account credentials? Unfortunately, around two-thirds of people use the same password for multiple websites. This means the attackers get not only the password for your social media account but may also gain access to more important accounts, such as your work account or even your bank account.
Recently, we discovered a phishing scam that tried to take over user accounts on TikTok. This social media platform has grown in popularity in recent years and continues to grow. TikTok is no longer popular only among private individuals; many companies have begun to use the platform in their marketing, which gives attackers a new way to target corporate accounts. Impersonating social media platforms is not new, but the wide range of attack types and the growing set of platforms keep these attacks relevant.
In most cases, these phishing messages are notifications related to your account. The example below impersonates TikTok, notifies you of a new sign-in attempt from an unknown device, and asks you to confirm it by verifying your account. The link in the message takes you to a very authentic-looking login page, also shown below. It is no wonder this scam is hard to spot. The scam site steals the user's credentials and then redirects them to the real TikTok front page.
These social media phishing campaigns try to take over login information in various ways. The most popular ways are shown in the Instagram and Twitter examples below.
“You have 24 hours…”
The first campaign informs the user that their account violated copyright rules and threatens to remove the account in 24 hours unless some action is taken. This attack exploits a sense of urgency and prompts the user to act. The claim that you have violated copyright rules arouses emotions, and the desire to know what you have done wrong can lead to immediate action.
The coveted blue badge
In the second campaign, the attacker claims to be an admin of the platform and informs the user that their account is eligible for a “verified badge” (Ooh la la!). They just need the user to confirm their account or reply to the email so the account can be rightfully verified. Another twist on this “verified badge” campaign is that the badge will be removed due to inactivity, an incomplete profile, or some sort of violation. The removal can be prevented if the user follows a set of instructions that includes a login. Usually there is a button such as “Confirm My Account” or “Verify your account” whose link leads to a credential-harvesting site or to another platform: WhatsApp, Facebook Messenger, and even Microsoft Teams have been used in these types of attacks. There, the attacker starts a conversation with the user. The aim of these conversations is to gather more information, such as the phone number linked to the user's profile, so the attacker can bypass verification protocols.
Staying off the hook
Use complex passwords and do not reuse them
Your passwords should be at least 16 characters long or a long passphrase, and each account should have its own. You can keep all your passwords in a vault (password manager) meant for storing them.
Enable 2FA when you can
Two-factor authentication protects your accounts by adding another layer to the login. Even if someone has your password, they still cannot access your account without the second factor.
Set your accounts as private
Public profiles are under constant threat, as their personal information is available to anyone who is interested. Prefer private account settings, especially on your personal accounts, so you can decide who can see your profile and who cannot.