The overall number of social media impersonators increased 11-fold from December 2014 to December 2016, with the bad actors bent on collecting credentials and PII.
Impersonators are most commonly found on Facebook, Twitter, Google+, though impersonators were also found on Instagram, YouTube and LinkedIn.
ZeroFOX analyzed nearly 40,000 identified impersonator profiles to uncover trends over time and the commonly observed tactics, techniques and procedures (TTP) and payloads. It found that the tactics used by these fraudulent accounts are devious and diverse, ranging from traditional social engineering ploys to actually paying money to advertise the scam to reap higher rewards.
Nearly half of all nefarious social media impersonators disguise their payload as a fake coupon or giveaway using the brand to attract promotions seekers. And more than a third of all nefarious social media impersonators send their target to a phishing page to steal social media account credentials, credit cards and personal information.
Also, the report found that verified account impersonators are systemic across the networks, and were found on Facebook, Twitter and Instagram; while also using YouTube to promote them. Verified account impersonators are also advertising their payloads through promoted ads.
“The networks’ attempts to provide ‘verification’ to real corporate accounts has led to a new breed of impersonations and verification scams,” the report noted. “The broader impersonator landscape revealed many tactics meant to lure the user into buying competitor or counterfeit merchandise, providing personal information to unknowing fake recruiters, entering fabricated contests to steal personal information or money, engaging in fraudulent money-flips and more.”
In terms of avoiding detections, impersonators have a varied bag of tricks. For one, they regularly wipe accounts and leave them dormant to avoid detection between attack campaigns—later weaponizing them in new ways. Some impersonators create locked accounts to hide their malicious activities, allowing them to take the activity out-of-band through email, direct message, or phone and thus evade detection; they also often crop or modify company images to evade rudimentary image matching and hashing detections.
And finally, impersonators will often post a link to another social network with the malicious link and payload. This cross-network pivoting makes it difficult for the primary network to detect attacks.
“We’ve only scratched the surface when it comes to combatting impersonators. While we encountered traditional payloads such as phishing and malware, were found a larger set of threats unique to impersonation on social media,” the firm said in the report. “These included unseen scams, fraud, brand abuse and follower farming. This broader threat landscape extends beyond targeted threats and represents a more systemic issue of risks impacting enterprise security, privacy and reputation. If allowed to go unresolved, these threats impact the organization’s bottom line and damage fundamental customer trust in the organization. Therefore, we prescribe a new defense-in-depth approach tuned for social media to arm organizations with a tried and proven methodology for identifying and combatting impersonators.”