Twitter scammers have a new weapon with the release of an effective spear phishing tool that lands a victim almost two thirds of the time, dwarfing the usual five-to-fifteen per cent open rate for spam tweets.
The SNAP_R machine learning spear phishing Twitter bot is a data-driven menace unleashed at the Black Hat security conference. It is capable of consuming information from victims' tweets to target users. Mark James, Security Specialist at ESET, commented below.
Mark James, Security Specialist at ESET:
How interesting/innovative is this?
“For a lot of people, phishing emails can be easily spotted: bad grammar, terrible spelling, completely ‘out of context’ if sent from someone you know. This is the same regardless of the platform it’s delivered from. If we look at the sheer amount of attempts made vs. the actual success rate, thankfully it’s quite low. This particular method actually trawls through your previous timeline/tweets and tailors its attack to fit into what you like or follow, thus making its content more appealing and increasing its chances of snagging its target. Tie this in with URL shortening and you have a much tastier recipe for success than the average ‘Dear Sir, can I interest you in this useless topic or object…’”
What could be the implications for users?
“When it comes to successful phishing attacks, usually one of two things needs to happen. Either the attack coincides with a real-life event:
A recent visit or conversation with your bank regarding a problem is followed up by a random phishing email about bank problems, click.
Or the topic grabs your interest, it could be some juicy gossip on a celebrity or one of those “what harm can it do” attempts at trying to sell/give you an iPad that can’t be sold because the cellophane is damaged, click…. Either way it has to grab you or seem worth your time, once that’s successful some users will click on anything.”
Are we likely to see the attack in the wild any time soon?
“Yes, definitely. New techniques and features are being used on a daily basis, and cyber criminals will use any method they can find to deliver their content. If it increases the attack footprint and success rate, more and more will adapt or modify it for their own use.”
How easy/difficult would it be to protect against this attack?
“As easy as telling anyone not to click links without first validating them. It has been, is and always will be one of the hardest topics for business to educate and protect against. Luckily, you can install a good, regularly updating, multi-layered internet security product to help keep you safe in case you do get redirected to a malicious site trying to serve malware or steal your private data.”