Twitter scammers have a new weapon with the release of an effective spear phishing tool that lands a victim almost two thirds of the time, dwarfing the usual five to fifteen per cent open rate for spam tweets.
The SNAP_R machine learning spear phishing Twitter bot is a data-driven menace unleashed at the Black Hat security conference; it consumes information from victims' own tweets in order to target them. Security experts commented below.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The spear phishing Twitter bot SNAP_R is the inevitable result of bad guys catching up in the machine learning and big data worlds. If you feel like the direct mail you receive, ads you see online, or suggestions you get from Amazon or Netflix have gotten reasonably good at appealing to your tastes, then you have seen the power of the technology behind SNAP_R at work. If you use Twitter or other social media, then you are leaving a big-data-sized trail full of data for anyone to use. Commercial organizations have been sucking in this data and using it to sell to you for years. Of course, it was only a matter of time before the bad guys learned to do the same. After all, spear phishing is simply a more refined sales pitch from the bad guys combined with a product you never want to buy but may if they are slick enough.”
Mark James, Security Specialist at ESET:
How interesting/innovative is this?
“For a lot of people phishing emails can be easily spotted: bad grammar, terrible spelling, completely “out of context” if sent from someone you know. This is the same regardless of the platform it’s delivered from. If we look at the sheer number of attempts made vs. the actual success rate, thankfully it’s quite low. This particular method actually trawls through your previous timeline/tweets and tailors its attack to fit into what you like or follow, thus making its content more appealing and increasing its chances of snagging its target. Tie this in with URL shortening and you have a much tastier recipe for success than the average “Dear Sir, can I interest you in this useless topic or object…””
What could be the implications for users?
“When it comes to successful phishing attacks, usually one of two things needs to happen. Either the attack coincides with a real-life event:
A recent visit or conversation with your bank regarding a problem is followed up by a random phishing email about bank problems: click.
Or the topic grabs your interest: it could be some juicy gossip on a celebrity or one of those “what harm can it do” attempts at trying to sell/give you an iPad that can’t be sold because the cellophane is damaged: click… Either way it has to grab you or seem worth your time; once that’s successful some users will click on anything.”
Are we likely to see the attack in the wild any time soon?
“Yes, definitely. New techniques and features are being used on a daily basis; cyber criminals will use any method they can find to deliver their content, and if it increases the attack footprint and success rate, more and more will adapt or modify it for their own use.”
How easy/difficult would it be to protect against this attack?
“As easy as telling anyone not to click links without first validating them; it has been, is and always will be one of the hardest topics for businesses to educate about and protect against. Luckily you can install a good, regularly updating, multi-layered internet security product to help keep you safe in case you do get redirected to a malicious site trying to serve malware or steal your private data.”