The profile below was flagged in RiskIQ’s system as an unauthorized Twitter account. It was impersonating Wikipedia and sending out suspicious links using free gift cards and other promotions as clickbait.
In addition to detecting rogue profiles, RiskIQ’s virtual users can interact with posted content to detect malicious behavior. For instance, they can browse the hyperlinks embedded in tweets. And since they interact with actual browsers, they can capture the full redirect sequence and DOM to see exactly what would happen to a real user that follows that link from the same source and loads the resulting pages in their browser.
To the human eye, the URL leads to the following landing page with a web form:
A closer look at the data captured by RiskIQ reveals a long chain of redirects through affiliate infrastructure before hitting the landing page:
Common sense tells us that Wikipedia doesn’t promote cleaning products. This detailed data about the link’s behavior after the user click demonstrates how the cyber threat actors behind this rogue profile leverage this false brand association for their benefit.
How We Found It
RiskIQ automatically searches and navigates social media content from the perspective of end-users with our proprietary virtual user technology. RiskIQ’s technology experiences phishing, malware distribution, fraud, and other scams as the intended audience of these cyber threat actors—the brand’s customers or users—based on their location, browser, and other characteristics.
After discovering a suspicious profile, RiskIQ’s virtual users automatically analyze the profile and intelligently sort known, official profiles from unknown, unauthorized profiles. Then, it extracts key account attributes and detects indications of fraud.
All discovered profiles are checked against our whitelist of predetermined official social profiles. The remaining profiles are marked for review and segmented into categories based on their ability to cause harm.
Important Takeaways from This Example
In this example, the threat is relatively benign. While the Wikimedia Foundation doesn’t condone using Twitter to impersonate its well-known brand to drive traffic to landing pages for other brands, it could certainly be worse.
However, similar profiles can use social media for more nefarious purposes by using phishing or malware links instead of affiliate links. And if the cyber threat actors refined the post and landing page content to reflect what Wikipedia might legitimately send (i.e. a request for a charitable donation to support Wikipedia), they would seem more credible and thus be even more dangerous.
When organizations use social media to offer customer service, recruit employees, send promotional vouchers, or otherwise transact business and exchange information with their users, rogue social media profiles impersonating the brand or one of its executives becomes more than just a marketing or brand-protection problem. It becomes a serious security problem and the victimized organization should treat it like one.
Savvy organizations recognize social media’s potential as another attack vector for phishing and malware distribution and are bringing social-based threats into their security and anti-fraud programs alongside their web and mobile initiatives.
Our Solution to This Growing Problem
RiskIQ Social Threats contextualizes social threats through connections with related threats and threat infrastructure in web and mobile channels, which gives security teams a holistic view of phishing, brand impersonation, and malware across organizations’ external threats landscapes.
RiskIQ has seen an increase in malicious activities using branded accounts on social media. Our Social Threats product captures defacements, defamations, or unlicensed logo/trademark usage and detects external threats harming customers like phishing, malware, and scams like the one demonstrated above.
To learn more about the Social Threats product or to discuss a use case, please contact us and you will be followed up with immediately.