BreachExchange mailing list archives

Hackers turn to social media to phish for credentials


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 26 Oct 2015 19:15:09 -0500

http://www.cnbc.com/2015/10/23/hackers-turn-to-social-media-to-phish-for-credentials.html

Getting a company's attention over Twitter is becoming an easy and often
effective way for consumers to achieve what they want, when they want. Yet
the increase in hackers creating fake accounts to interact with consumers —
and "phish" for private information — is a growing concern.

It goes something like this: Someone tweets at a company because they may
be upset about an issue. A fake account on Twitter
<http://data.cnbc.com/quotes/TWTR> replies directly to that person, and
asks them to log in to a fake website. The victim then exposes their
personal information to hackers.

A 2014 report by EMC noted that various phishing scams cost companies a
combined $5.9 billion in nearly 500,000
<http://www.emc.com/collateral/fraud-report/rsa-online-fraud-report-012014.pdf>
separate attacks. Meanwhile, cybersecurity experts at Kaspersky Lab found
that last year, more than a quarter of phishing scams targeted users'
financial data
<http://www.kaspersky.com/about/news/virus/2015/Over-a-quarter-of-phishing-attacks-in-2014-targeted-users-financial-data>.

Proofpoint <http://data.cnbc.com/quotes/PFPT>, a cybersecurity solutions
firm, is just one of the companies seeing a significant increase in fake
retail banking and retail customer service accounts phishing for bank
account credentials. These breaches are becoming especially prevalent on
Twitter and Facebook <http://data.cnbc.com/quotes/FB>. A representative for
Twitter did not immediately respond to CNBC's request for comment.

Devin Redmond, vice president at Proofpoint, said that as more businesses
adopt social media to address customer concerns, other people with bad
intentions are also watching.

"The bad guys go wherever the conversation is," he told CNBC. "The bad
actors know they can actually leverage that to steal and defraud people."

Experts say the names of fake social media accounts are often very similar,
but are not exactly the same as actual companies. For instance, a fake
account may add "the" or add a space or an underscore symbol in its handle,
in order to appear as though it's real.

The scam is perceived as far more convincing to consumers than similar
email-borne threats, since there is a direct and relevant response to a
consumer.

It may also be easy to fall for it. On Twitter, many users may not even see
if an account is verified unless they actually click on the profile of the
account.

Proofpoint's Redmond attributes the increased hacks to the ease of adopting
a fake account.

"You can fairly easily trick someone into thinking you're the brand they're
interacting with," he said.

The American Bankers Association acknowledged that as customers use social
media more frequently, the industry anticipates phishers will follow.

"Banks have every regard to make sure their information isn't being used by
criminals because they have their own reputation to protect," Doug Johnson,
senior vice president of payments and cybersecurity policy at ABA, told
CNBC.

The trade group advises customers be extra diligent before signing into
websites, especially to a link that is given over a social media site.

"Customers need to be aware that they have the need to recognize that when
they see something that looks remotely suspicious, be suspicious," Johnson
said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
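
A defender-side check for the handle pattern the article describes (an added "the", a space or an underscore), given here as an added example that is not part of the original post or the CNBC article. `OFFICIAL_HANDLES`, the sample handles and all function names are hypothetical, and the one-character edit-distance check goes beyond the patterns the article names.

```python
import re
import unicodedata

# Constructed sample data: a hypothetical brand's official support handles.
OFFICIAL_HANDLES = {"ExampleBank", "ExampleBankHelp"}

def skeleton(handle: str) -> str:
    """Reduce a handle or display name to a comparison key."""
    s = unicodedata.normalize("NFKC", handle).casefold().lstrip("@")
    s = re.sub(r"[\s_]+", "", s)           # spaces and underscores carry no identity
    return re.sub(r"^the(?=.)", "", s)     # a leading "the" carries no identity

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, kept small enough to audit by eye."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(handle: str, official=OFFICIAL_HANDLES, max_distance: int = 1):
    """Return (verdict, official handle it matches or imitates, or None)."""
    exact = {h.casefold(): h for h in official}
    bare = handle.lstrip("@").casefold()
    if bare in exact:                       # handles compare case-insensitively
        return "official", exact[bare]
    key = skeleton(handle)
    for h in sorted(official):              # same skeleton, different handle
        if key == skeleton(h):
            return "lookalike", h
    for h in sorted(official):              # assumption: also flag 1-char variants
        if edit_distance(key, skeleton(h)) <= max_distance:
            return "lookalike", h
    return "unrelated", None

def triage(reply_authors):
    """Return only the accounts worth reporting to the platform or warning users about."""
    return [(a, classify(a)[1]) for a in reply_authors if classify(a)[0] == "lookalike"]

if __name__ == "__main__":
    # Constructed accounts replying to a customer's complaint tweet.
    for author, imitated in triage(["@ExampleBank", "@TheExampleBank", "@Example_Bank", "@WeatherNews"]):
        print(f"{author} imitates @{imitated}")
```

A brand's social media team could run `triage` over the authors of replies to tweets that mention the official handle and report the hits for takedown.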
