The price of phish

Brian McAlinden
11 min read · Mar 2, 2023


As a recent convert to the cyber security world, a message that popped up from a friend in late January via Facebook Messenger made my cybery senses go off.

“look who has passed away. I think you know them?? https[:]//views[.]tvynews[.]online/?5j “

From a human point of view this is an alarming piece of news to receive. From a cyber security point of view this is an excellent example of a social engineering attack.

In the heat of the moment, while your mind races about who this person could be and what happened, it would be all too easy to click on that link. In just 10 words it ticks a number of the telltale traits that commonly appear in successful social engineering attacks:

  • A sense of fear (that someone I knew had passed away)
  • A sense of urgency (who could this person be? I need to find out)
  • A sense of trust (a friend has sent me this; and through a socially trusted mechanism — facebook messenger)
  • Concise (not lots of info, but just enough, which hides any possible clues around the use of grammar / spelling)

All of these emotional manipulation techniques are conveyed succinctly within this one sentence to create an emotional response. It is carefully designed to attack the most well known and undoubtedly the weakest link in cyber security — the human.

On realising that a message like this is very likely malicious, the wise thing for the receiver to do is to let the sender know (through a different means of communication, since the sender's account is probably the one that has been compromised), report it as phishing to Facebook, delete the message, be glad they hadn't clicked on the link, and move on with their life.

As a new convert to the industry though I couldn’t help thinking more about this message and what the ‘link’ actually did. What actually happens when someone clicks on it? Also of interest was the means of communication — why facebook messenger? How had it got through facebook security checks and what kind of protection would any of the big internet firms provide against this link?

With the cyber security hat on and a burning interest to find out more I thought I would go digging. That digging ended up leading me down multiple rabbit holes, many hours of reading and lots more questions. So for the sake of brevity and focus I have split this into two posts — this first post will be about the attack vector and style of attack and a second post will be about the anatomy of the attack and what protection is out there once the link is clicked. I will also showcase some of the tools I used and what information I found out behind the link.

OBVIOUS WARNING ALERT — Don't go clicking on random weblinks to see what happens. I have shown the weblink "defanged", with [] around the periods and the colon within the web address so that it cannot be clicked or auto-linked. I would recommend not removing these.
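As an added illustration of the defanging convention (this is example code written for this edit, not code from the original post), the snippet below pulls URLs out of a message, refangs them only as far as a lookup tool needs (never open the result in a browser), extracts the host for reputation checks, and re-defangs them for reports. It uses the common `hxxp` / `[.]` / `[:]` style, which differs slightly from the post's own `https[:]//...` form; the sample message is the one quoted above and the function names are my own.

```python
import re
from urllib.parse import urlsplit

# The message quoted in this post, already defanged (constructed sample input).
SAMPLE_MESSAGE = (
    "look who has passed away. I think you know them?? "
    "https[:]//views[.]tvynews[.]online/?5j"
)

# Matches a live or defanged URL: http(s)/hxxp(s), ":" or "[:]", then anything up to whitespace.
URL_RE = re.compile(r"h(?:tt|xx)ps?(?:\[:\]|:)//[^\s<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo the common defanging styles so the URL can be fed to a lookup tool."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    for dot in ("[.]", "(.)", "{.}", "[dot]"):
        url = url.replace(dot, ".")
    return url.replace("[:]", ":").replace("[@]", "@")


def defang(url: str) -> str:
    """Render a URL so chat clients and documents will not turn it into a clickable link."""
    url = refang(url)  # normalise first so an already-defanged URL is not double-defanged
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[:]//").replace(".", "[.]")


def extract_links(message: str) -> list[dict]:
    """Return defanged/refanged forms and the host for every URL found in a message."""
    links = []
    for match in URL_RE.finditer(message):
        raw = match.group(0).rstrip(".,;:!?\"')")  # drop punctuation that belongs to the prose
        live = refang(raw)
        host = urlsplit(live).hostname or ""
        links.append({"defanged": defang(live), "refanged": live, "host": host})
    return links


if __name__ == "__main__":
    for link in extract_links(SAMPLE_MESSAGE):
        print(f"host={link['host']}  report-safe={link['defanged']}")
```

The `host` value is what you would paste into a domain reputation or WHOIS lookup; the `defanged` value is what goes into a write-up or a chat message to colleagues.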

The Message

“look who has passed away. I think you know them?? https[:]//views[.]tvynews[.]online/?5j “

As already stated, this type and style of message is a social engineering attack and, more specifically, phishing. So common has phishing become that most people reading this will not only recognise the term but, according to a recent ONS study, 1 in 2 UK adults will likely have received at least one phishing message in the last month. Phishing has been part of the internet since the early days of email and remains a source of pain in cyber security: 83% of UK businesses that suffered a cyber attack in 2022 reported that it began with some kind of phishing message.

As email defences improved (Google claims to have blocked around 100m phishing emails a day in 2022), and the internet became ever present in our hands, phishing evolved and expanded to text messages (smishing) and, of course, to the attack surface used by this message: social media.

Lionel was just too easy a target for the malicious actors to pass up

Returning to the ONS study, the statistics on phishing within the UK alone are truly mind boggling. Covering the 12 months between March 2021 and March 2022, the ONS report estimates that over 700,000 people clicked on a phishing link or replied to a suspected phishing message (across email, social media, WhatsApp etc.). Of these, 80,000 people provided some type of useful information to fraudsters.

Here phishy, phishy phishy….

Once you understand how much success comes from an attack that can be executed at scale, usually from well beyond the reach of local law enforcement, it becomes easy to see why these messages are sent. It is important to note that a successful phishing attack has a wide range of possible uses, depending on who is compromised, on the malicious actor's goals, and on what the criminal has the malicious link do. In some cases these messages have redirected the victim to a look-alike Facebook login page where they must 're-login'; the username and password typed there go straight to the criminal. On other occasions the link takes the person to a random website or 'seems' to do nothing.

Goals

From a cyber criminal's point of view there are a number of options, depending on what the link was designed to do. The most obvious is simply taking over the compromised account if the person has 're-logged' into the fake Facebook page. From this point, automated scripts can send the same message to that person's friends and the cycle continues. Another issue with a compromised login is that Facebook's single sign-on (SSO, the 'Log in with Facebook' button) can be abused to log the attacker into other services linked to that account. If an account takeover does not occur, a click on the malicious link could instead lead to an unexpected malware download. That malware provides further avenues for the criminal: using the machine in a botnet, or, where work and home technology cross over, opening up access to work IT systems and potentially a ransomware attack.

Evolution rather than revolution

Even though most people recognise the concept of Phishing and know it exists, many people would, and do, still click on malicious links. From the comfort of reading this article it is easy to say “I would never fall for / click on this?” but in the real world these types of simple messages work exceptionally well. In work, just as in life, we are constantly making human decisions at quick speed and in real time.

Modern life often feels like this so clicking on dodgy links isn’t that hard to do

The evolution of phishing from email to other channels accelerated with Covid and the sudden need to work from home. As the distinction between work and home life blurred and people turned to their laptops and phones to do both, cyber criminals were given new opportunities to target people through channels such as Slack, WhatsApp and LinkedIn as well as Facebook Messenger. As email providers get better at detecting phishing on their platforms (Google claims to block 99.9% of phishing emails from ever reaching the user), cyber criminals get better at finding ways around those protections.

The rise of the personal touch for more personal mediums is an obvious response to the increased use of these new channels. We can see the evolution of this within our original suspicious message. The first variation of this message appeared on Messenger and TikTok in early July 2022 and simply said “Look who died” or “ Died in an accident” with a link.

It disappeared for a few months before raising its malicious head again in October 2022 with the addition of “I think you know them” and then in January 2023 it changed the “died” to a “passed away”. Some of these changes will be to avoid spam filters but also, for anyone from a marketing background, it’s very similar to an A/B campaign where messages will be tested and refined further to maximise clicks.

The start of 2023 has brought articles and news stories around the fear that a revolution in AI will lead to the perfect phishing message. Often it is easy to forget that a human can already use well established techniques, tactics and practices to create a simple message that can bypass a large part of our rational brain and make us click before we think.

Whether AI provides a positive or negative in cyber security, there is no doubt that we are in an arms race with online threats. This type of social media phishing attack described is just a tip of an iceberg that the public occasionally comes across. How can these types of messages be stopped, slowed down or even defended against?

Defence in Depth

Within industry there has been a growing realisation of, and move to, the concept of 'defence in depth': improving a company's or a system's security with a multi-layered approach that puts numerous defences in place to stop, or at least slow down, an attacker. Applying this concept to the original message, there are two obvious areas that could be improved: the human element and the technological element.

The human element is a difficult one to fix due to the ‘human’ part. Not only are these messages becoming more personal but they target and manipulate human emotions that we have as a species evolved and hardwired over millennia — so not exactly easy to tweak. The one thing that can always help is for the person to slow down, to stop and think before clicking. As cyber security professionals, how we help to introduce that appropriate moment of hesitation is an area of great interest, debate and research.

As these types of attacks can have a large impact on the places we work, improving current training and staff awareness programmes can play an important part. The benefits to the workplace of stopping these attacks are obvious, but with the right type of training there can be wider social benefits too. Too often cyber training at the workplace is about ticking boxes for compliance reasons. Changing the focus of how this training is implemented can bring greater rewards for both the company and the individual. A key insight from Cisco's 2022 Security Outcomes Report found that companies which made teaching staff about their own personal digital security at home, and how to secure their family, part of the training saw the same staff bring those habits and practices back into the workplace. This helped to increase the company's overall security posture, as employees could identify, and were alert to, phishing emails and social engineering attacks.

Improved work awareness and staff training will of course help, but in reality the societal change this brings will likely take a number of years to filter through. The technological element seems then to be the one part that could give the quickest reward. As we have seen with email, companies like Google detect most incoming spam before it even hits your inbox. Microsoft have upped their game too and have just released more details of their automatic attack disruption capability, which aims to stop ransomware before it spreads across a whole network. As email becomes better protected, social media attacks are likely to increase further, so what are the big companies (Facebook, Instagram, TikTok etc.) doing about it? Unsurprisingly their attention is focused more on the more public, and larger, issues of nation-state linked misinformation campaigns and cyber espionage across their platforms.

Sweet (2)FA?

One technological solution that could help slow down these types of attacks already exists but is not widely used. 2FA or MFA (two- or multi-factor authentication) is an added layer of authentication: a stolen password on its own is no longer enough to take over the account, and the extra step also provides that needed moment of hesitation and thought. This added friction in the login process does annoy some customers, but when executed correctly it is a proven defence that reduces account compromise and would slow the further spread of these messages. It won't stop malware being downloaded through the links in the message, but reducing the spread and scale of those downloads would be a start in making the campaign less rewarding for cyber criminals.

Unfortunately the uptake of MFA on social media accounts is shockingly poor. On Twitter only 2.6% of users have MFA enabled, and 78% of those use SMS messages as their second factor (something Twitter is removing in 2023 for non-subscribers, citing internal cost reasons). Facebook knows the power of MFA for account protection, as it made MFA mandatory for 'high-risk' accounts such as politicians in 2021. Its use by the regular customer base, though, is shockingly small at less than 4% of the global user base. TikTok also offers MFA but no numbers on its uptake could be found, which probably means it is similarly low.

2FA / MFA is not a silver bullet and it has its own issues: real-time phishing proxies such as Evilginx relay the one-time code to the real site as the victim types it, and 'pass the cookie' attacks reuse the session cookie issued after a successful login, so neither is stopped by a code-based second factor. Even so, it would undoubtedly stop many of these messages spreading, making the campaign less attractive for cyber criminals to pursue. A successful rollout of 2FA by a technology company is possible, as shown by Amazon's Ring smart camera company mandating two-factor for its few million customers in early 2020 after a wave of break-ins on Ring accounts (and subsequent lawsuits by customers). Cyber criminals would undoubtedly go elsewhere; we will never stop criminals trying bad things, all we can do is reduce their opportunities and avoid being the path of least resistance. Improving customers' knowledge and use of 2FA/MFA, to add friction at emotional moments like these, would certainly help to reduce the cyber criminals' success rate.

What can I do?

4 top tips to help reduce and protect yourself (and others) from this style of attack

  1. Stop and think before you click.
  2. Enable MFA, ideally with an authenticator app such as Google Authenticator (or a hardware security key, which real-time phishing proxies cannot relay). Try not to use SMS, as this is becoming more ripe for abuse.
  3. Use a password manager; browser-based ones are free and much better than not having one.
  4. Tell your friends and family about 1, 2 & 3.

2nd part of this, focused on what the message actually does, coming soon…

Afterthought

As I researched this post I kept thinking back to a famous Mark Zuckerberg internal Facebook motto that its engineers should "move fast and break things". In the 2010s this was almost a rallying call for many entrepreneurs and a wall-poster motto for start-up internet companies, who mutated this engineering mantra into a strategy. This wasn't helped by VCs knocking on their door looking for Minimum Viable Products and fast growth. It led to holes that people either didn't worry about or thought "we'll fix that tomorrow", leaving many of the leaky doors that are being exploited today. Throughout the research I kept thinking that much of the 2020s will likely be spent mending these broken doors, and whether "move slower and fix your sh*t" would be a more appropriate poster.

References and Further reading

What to do if you think you’ve been facebook hacked: https://www.facebook.com/hacked

The Latest 2023 Phishing Statistics (updated February 2023): https://aag-it.com/the-latest-phishing-statistics/

What is Social Engineering: https://www.kaspersky.co.uk/resource-center/definitions/what-is-social-engineering

SlashNext’s State of Phishing Report: https://www.prnewswire.com/news-releases/slashnexts-state-of-phishing-report-reveals-more-than-255-million-attacks-in-2022-signaling-a-61-increase-in-phishing-year-over-year-301659518.html

Look who died facebook: https://www.distractify.com/p/look-who-died-in-an-accident-scam

Wired 2FA: https://www.wired.com/story/facebook-protect-two-factor-authentication-requirement/

O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web — https://www.cs.uic.edu/~polakis/papers/sso-usenix18.pdf

Modern cyber attacks: how sophisticated are they really? (UK Cyber Week, LinkedIn): https://www.linkedin.com/pulse/modern-cyber-attacks-how-sophisticated-really-uk-cyber-week

Phishing Exploit Hacks LinkedIn 2-Factor Authentication, With Kevin Mitnick: https://www.youtube.com/watch?v=xaOX8DS-Cto

CyberRes 2022 Annual Report: https://publications.cyberres.com/view/679673707/36/

Cisco Security Outcomes Report: https://mysecuritymarketplace.com/reports/security-outcomes-report-volume-3-achieving-security-resilience/
