The Social Takeover

THE SOCIAL TAKEOVER
A CLOSE LOOK AT THREATS
OLD & NEW ON SOCIAL MEDIA
WHITE PAPER

© ZeroFOX 2015 – All Rights Reserved | ZEROFOX.COM Page 1 of 30
THE SOCIAL TAKEOVER
Authored by:
DR. KENNETH GEERS
SENIOR SECURITY RESEARCH ANALYST
&
SPENCER WOLFE
HEAD RESEARCH WRITER

THE SOCIAL TAKEOVER
1. Executive Summary
2. Introduction
3. The Rise of Social Media Cyber Security
4. Old Attacks are #Trending
4.1. Targeted Phishing & Malware
4.1.1. ZeroFOX Insights: Malicious Links Thrive on Social
4.2. Social Engineering
4.2.1. Information Theft on Social Media
4.2.2. ZeroFOX Insights: The Anatomy of a Social Engineering Profile
4.2.3. ZeroFOX Insights: The Most Impersonated Executives
5. The Newest Breed of Cyber Attack
5.1. Social Account Compromise
5.1.1. ZeroFOX Predictions
5.2. Attack Planning & Hacktivism
5.2.1. Case Study: The Value of 16 Minutes
5.3. Propaganda & Cyber Terrorism
5.3.1. ZeroFOX Predictions
6. Conclusion
6.1. About ZeroFOX
7. References
TABLE OF CONTENTS
3
4
5
7
20
28
29

THE SOCIAL TAKEOVER
The face of cyber security is shifting. With the advent of social media, the adversary has found a new vehicle for tried and true threats as well as a whole
new breed of potential attacks, many of which are only beginning to take full form.
This white paper investigates how old threats, such as spear phishing, malware, and social engineering, have taken on a new form on social media. The
attacker leverages the scale, speed, and trusted nature of social to take these age-old tactics to an elevated level of effectiveness. This white paper
covers Targeted Phishing & Malware and Social Engineering, with an emphasis on executive impersonations.
The white paper also highlights ZeroFOX predictions around some of the brand new threats introduced by social media. These include Social
Account Compromise, Attack Planning & Hacktivism, and Propaganda & Cyber Terrorism.
The business cost for such attacks can range from a full data breach, averaging $5.5 million according to Ponemon, to severe reputation loss and
damage to customer loyalty. Social accounts are extremely public, and any security incident is immediately open source -- exposing executives,
employees, partners, clients, constituents, and customers.
WHITE PAPER HIGHLIGHTS:
• Breakdown of malicious links targeting organizations on social:
1. Malware - 29.9%
2. Phishing - 31.4%
3. Spam/Suspicious - 38.7%
• Vladimir Putin boasts 318 fraudulent accounts.
• Social engineering profiles and fraudulent accounts fall into two categories: Minimally Invested Profiles (MIP),
optimized for bulk creation, and Fully Invested Profiles (FIP), optimized for highly targeted campaigns.
• The average time to remediate a breached social account is 5.5 hours. These attacks are quickly becoming the staple
for aggressive cyber vandalism campaigns.
• Media & Entertainment and Retail organizations suffer from the most executive fraudulent accounts.
• Social media enables less technical hacktivists to participate in cybercrime. The adversary leverages the network as a
command & control tool to coordinate both social bots and huge populations of supporters to execute more traditional
cyber attacks, such as DDoS.
• Terrorism on social media is on the rise. ISIS is now setting a standard that other extremist groups will follow.
• The Joint Chiefs of Staff have 234 fraudulent accounts across the major social networks.
1. EXECUTIVE SUMMARY

THE SOCIAL TAKEOVER
The internet now has a human face. At a technical level, it is still a global information system that speaks the language of TCP/IP. But the influence of
the human/machine environment hovering above the wires is so powerful that global communication is forever altered.
The most recent – and profound – development in cyberspace is the global migration to social media.
2. INTRODUCTION
One of the most pressing aspects of this social media revolution is the parallel revolution in cyber crime. Old attacks have unprecedented reach, power,
and effectiveness. New attacks are emerging rapidly. The adversary is learning quickly, and the cyber security community must keep pace.
The following ZeroFOX white paper examines the security implications of the social media revolution, in which humans are now always intimately
connected to the entirety of the global online community. Worldwide communication has never been faster, simpler or more organic. Today, the internet
is more meaningful, personal, and dangerous than ever before. Just as the internet has evolved, so must cyber defense.
As of March 31, 2015, Facebook had 1.44 billion
monthly active users.1
That is 80 million more
users than China’s population, enough to make
the inhabitants of Facebook the single largest
nation-state population on Earth.2
1.44BILLIONMONTHLY ACTIVE USERS

THE SOCIAL TAKEOVER
Long ago, in the Dark Ages of the 20th century, most computing was done on a large appliance that never moved. But today, most of us walk around
with a super computer in our pocket, littered with catchy icons offering one-tap connectivity to the entire social media population. By January 2014, half
of all adults in the U.S. owned a smartphone and/or a tablet computer.3
By 2020, 80% of the Earth’s adult population will own a smartphone.4
Our growing personal attachment to these devices is undeniable. The vast majority of smartphone owners check their devices within 15 minutes of
getting up in the morning, and 10% admit to having used the gadget during sex.5
In terms of software applications, the most significant trend is a global migration to social media. In the U.S., 71% of online adults now have a Facebook
account, and 70% of those users log in every day. And the number of international users is skyrocketing -- already, 82.4% of Facebook users do not live
in either the U.S. or Canada.6
In descending order, the largest social media websites in the U.S. are Facebook, LinkedIn, Pinterest, Instagram, and Twitter.
3. THE RISE OF SOCIAL MEDIA CYBER SECURITY
In the last year alone, three categories of Internet
user crossed the 50% threshold: senior citizens on
Facebook; young adults on Instagram; and
college graduates on LinkedIn. Multi-platform use
also rose sharply in 2014: over 50% of online adults
in the U.S. now use two or more social media sites.7

THE SOCIAL TAKEOVER
How often do attackers abuse social media? A recent study of 500,000,000 tweets, across a two-week period, found that over 5.8% of them (or 25
million) contained malicious content. They included consumer scams, phishing, malware, and the sale of stolen goods. Furthermore, these malicious
tweets were often sent from legitimate (but compromised) social media accounts.9
Twitter is not alone -- LinkedIn, Pinterest, Facebook, Instagram, and more have all made headlines over the past several years for being hubs for
malicious links, fraudulent accounts, account hijacking, and fraud. Norton reports that some 40% of users have fallen victim to cyber-crime on social
media, 1 in 6 believe their accounts have been compromised, and 1 in 10 admitted to clicking on a malicious link.10
Ultimately, every organization is composed of its human employees. A wired workforce constitutes the soft underbelly of any target network, as attacks
come from within a perceived trusted network of friends and colleagues and are virtually invisible to information security teams.
On social media, the relationship between computer hackers and their victims has never been closer -- or more trusting. The use of “social tactics” in
global cyber attacks began to climb in 2010, from phishing to consumer scams, identity theft, the compromise of banking and system login credentials
and even point-of-sale (POS) attacks. Social media constitutes an ever-increasing portion of these “social attacks.”
According to Intel Security, more employees have
experienced a “security related incident” on social
media than on any other business application,
including file sharing and email.8
Number of malicious posts in two weeks 25 MILLION
Over the past decade, as the security of internet
infrastructure has been strengthened, attackers
are shifting to more accessible and vulnerable
targets: humans. Corporate security perimeters
are now universally amorphous, and the age-
old threat of social engineering is back with a
vengeance.
For a professional hacker, the combination of
social media and information availability creates
the perfect environment to collect intelligence,
steal passwords, run information operations,
and deliver malware.11

THE SOCIAL TAKEOVER
Many of the attacks that thrive on social media are nothing new. Every security professional on Earth can recite a precise definition for spear phishing,
malware, and social engineering. These attacks have circulated via email since its invention, and the security community has responded to the crisis in
force, with every imaginable email protection technology.
But social media lowers the barrier to entry for an attacker -- even an inexperienced attacker can create a fraudulent online persona, find targets, and
spread a malware or phishing link to billions of people across the globe. Worst of all, the targets have never been more trusting.
To get a sense of the problem, compare email security to social media security.
4. OLD ATTACKS ARE #TRENDING
Every Chief Information Security Officer (CISO) on earth can answer the question, “who is your
email security provider?” Very few can do the same for social media, which has become the premier
way for adversaries to target your organization. Social has exploded on the world stage as the most
vibrant and dynamic means of human communication -- and also one of the most dangerous.
OPEN
UNSOLICITED
EMAILS
The email security market is oversaturated, despite social media being the far more significant
information security challenge. It’s time for organizations to understand that the resources and
effort poured into securing email need a counterpart for social media. Social is cyber security’s
newest battleground -- welcome to the FOXhole.
ACCEPTACCEPTOPENOPEN
11 ACCEPT
UNKNOWN
FRIEND REQUESTS39
MINUTES
SPENT ON
EMAIL
MINUTES
SPENT ON
SOCIAL
OF
EMPLOYEES EXPERIENCE
CYBER-CRIME VIA EMAIL14 OF
CYBER-CRIME VIA SOCIAL22
100
100
100
100
100100
1.2 ANDRISING
AS SOCIAL MEDIA CONTINUES TO GROW, SECURITY MUST GROW WITH IT.
DOES YOUR ORGANIZATION
HAVE OVERSIGHT?
1.7
NOYES
BILLION
WHO ARE THE VENDORS?
BILLION
AVERAGE TIME SPENT DAILY
DO YOUR EMPLOYEES
TRUST IT?
WHERE DO THEY
EXPERIENCE CYBERCRIME?
GLOBAL COST OF
PHISHING PER YEAR
OPEN
UNSOLICITED
EMAILS
11 ACCEPT
UNKNOWN
FRIEND REQUESTS39
MINUTES
SPENT ON
EMAIL
MINUTES
SPENT ON
SOCIAL
OF
100
100
100
100
100100
1.2
ANDRISING
HAVE OVERSIGHT?
1.7
NOYES
BILLION BILLION
DO YOUR EMPLOYEES
TRUST IT?
WHERE DO THEY
GLOBAL COST OF
PHISHING PER YEAR
OPEN
UNSOLICITED
EMAILS
The email security market is oversaturated, despite social media being the far more significant
information security challenge. It’s time for organizations to understand that the resources and
effort poured into securing email need a counterpart for social media. Social is cyber security’s
newest battleground -- welcome to the FOXhole.
11 ACCEPT
UNKNOWN
FRIEND REQUESTS39
MINUTES
SPENT ON
EMAIL
MINUTES
SPENT ON
SOCIAL
OF
100
100
100
100
100100
1.2
ANDRISING
HAVE OVERSIGHT?
1.7
NOYES
BILLION
WHO ARE THE VENDORS?
BILLION
DO YOUR EMPLOYEES
TRUST IT?
WHERE DO THEY
GLOBAL COST OF
PHISHING PER YEAR
Old threats have found a new home on social media. Below is an investigation of Targeted Phishing & Malware and Social Engineering in the social
media attack vector.
4.1 // TARGETED PHISHING & MALWARE
Hackers today use social media to spread malware (any
computer software designed to damage, disable, destroy, or
illicitly seize control of your computer) and send phishing links
(URLs directing a targeted user to fraudulent webpage that
harvests credentials). 12
Social media has made the process of aiming a targeted
phishing attack as easy as connecting with an old friend from
high school. Because people and organizations broadcast
information about themselves on social media, the attacker is
able to quickly collect intelligence with which to tailor the attack
to their desired target. Targeted attacks often go after a specific
industry vertical, brand name or class of employee, such as an
executive or a system administrator.
Figure 1 - Clickbait malware

THE SOCIAL TAKEOVER
Today, social media is increasingly supplanting email as the most common way for hackers to send phishing or malware URLs.13
Barracuda reports
that over half of social media users have been the victim of phishing attacks, and roughly 1 in 4 have been sent malware.14
Social media facilitates
an attacker’s job by abusing existing trust relationships -- if hackers are able to get inside the target’s circle of friends, their odds of compromising the
system rise dramatically.
Figure 2 - Spamrun phishing links disseminated on Twitter
On social media, attacks can be launched via direct message or by tagging the target in a post. They are often used in conjunction with social
engineering (see section 4.2.2) or “clickbait” -- web content that uses sensationalist headlines to attract click-throughs or message forwarding via
social media. These links are often accompanied by trending hashtags to amplify the scope of the attack to as many potential victims as possible.
4.1.1 // ZEROFOX INSIGHTS: MALICIOUS LINKS THRIVE ON SOCIAL
Targeted attacks on social media are on the rise.
When data is pulled from the broader social world, spam
makes up a higher percentage of total malicious links
than phishing and malware — roughly 59% (see figure 3).
However, when data is pulled from ZeroFOX customers,
we find that the majority of malicious URLs are phishing
and malware — roughly 61.3% (see figure 4).
The prevalence of phishing and malware links implies that cyber criminals are launching targeted attacks against organizations on social media.

THE SOCIAL TAKEOVER
Total URLs Analyzed Per Minute in March
14k
12k
10k
8000
6000
4000
2000
Mar 1
- Figure 5 -
Mar 8 Mar 15 Mar 22 Mar 29
PST PDT
- Figure 3 -
MALWARE
29.9%
PHISHING
31.4%
SPAM
38.7%
ZeroFOX analyzes tens of millions of URLs daily and categorizes them by maliciousness. We further classify the links as phishing, malware, or spam.
Each URL passes through our Link Analysis Engine, which uses supervised machine learning, expert models, and additional phishing and malware
categorization technology to assess each link. In the wild, we find that roughly .8% of all posts are malicious, and about 1/1000 links are of the highest
severity: of the 163 million links scanned over a period in March, 168,100 were high severity (see figure 5).
- Figure 4 -
Malicious links in the broader social world Malicious links targeting organizations
PHISHING
21.6%
MALWARE
19.4%
SPAM
59.0%

THE SOCIAL TAKEOVER
4.2 // SOCIAL ENGINEERING
Social Engineering is the art (and science) of hacking human beings, especially with the goal of compelling them to do something compromising -- such
as clicking on a malicious link or divulging confidential information. It is often used in combination with some other tactic, such as impersonations (see
section 4.2.3).
Social engineering attacks are notoriously effective, as attackers exploit human psychological “triggers,” such as a deference to authority, the desire for
monetary gain, a sense of moral duty, an existing trust relationship, or simply by overwhelming a target with too much information.15
Social engineering and social media are an effective combination, because once a hacker has entered one of his or her target’s trusted social circles, it
is much easier to get them to click on a malicious link or open a malicious document.16
As early as 2011, 39% of social engineering attacks
were sent via social networking sites, and 48% of
large companies had experienced 25 or more social
engineering attacks. 30% of large companies cited a
per-incident cost of $100,000.17
It is difficult to defend against a well-crafted social engineering attack. Attackers carefully disguise their intentions, add catchy messaging, or attach a
sense of urgency in fulfilling their request. In any large group of recipients, there is typically someone who falls for the ruse.
In a prime example of social engineering, prospective diners received an “exclusive” invitation to the restaurant Alinea on Facebook. The hackers,
claiming to be restaurant employees, then asked the victims to send an electronic payment to secure their dinner reservation.18
Hackers can make a fraudulent account appear more legitimate by first taking the time to attract friends and followers. In this manner, one researcher
called LinkedIn a “hacker’s dream” after he created a fraudulent account, stocked his profile with realistic details, and then fraudulently claimed to be
a company employee. He sent 300 connection requests to real company employees, of which 66 were accepted. From there, he requested – and
received – access to one of the company’s private LinkedIn discussion forums, and had an “audience” of 1,000 company employees.19

THE SOCIAL TAKEOVER
4.2.1 // INFORMATION THEFT ON SOCIAL MEDIA
A critical element in any social engineering campaign is the collection of intelligence. This can be in the form of reconnaissance before an attack or in
the buying and selling of stolen information after an attack.
Today, data means money. Any and all information about you and your organization, much of which is sensitive, embarrassing, or even dangerous, is
available for a price.
Intellectual Property (IP) refers to “creations of the mind,” including inventions, discoveries, music, and literature. IP is protected by copyrights, patents,
trademarks, and other legal protections.
“Personally identifiable information,” or PII, is any data that can be used to identify, contact, or locate a single person, including names, numbers,
dates, places, financial data, biometric records, Internet Protocol (IP) addresses, and much more. Identification algorithms can make even seemingly
tangential information potential PII. Criminals exploit PII to facilitate any number of criminal acts, such as physical violence or identity theft.
Cyber espionage is when a person, private company, or government steals, often with the aid of computer hacking, data of intelligence value.
Former National Security Agency (NSA) Director Gen.
Keith Alexander referred to the loss of IP and other
industrial information through cyber espionage as the
“greatest transfer of wealth in history,” costing U.S.
companies hundreds of billions of dollars per year.20
The concepts of IP, PII, and espionage are not new, but their practical and legal significance has grown considerably in the internet era, as massive
quantities of data can be stolen with ease and sent around the world at the click of a mouse.
Social media, where people have a bad habit of giving away free information, has had an enormous impact on all three of these concepts. Social media
is a largely ungoverned space where attackers can collect intelligence from almost anyone, interactively verify it with follow up questions, and then sell it
-- perhaps in an underground forum on the dark web.21

THE SOCIAL TAKEOVER
4.2.2 // ZEROFOX INSIGHTS: THE ANATOMY OF A SOCIAL ENGINEERING PROFILE
At ZeroFOX, we have found that malicious profiles fit into one of two categories: Minimally Invested Profiles (MIP) or Fully Invested Profiles (FIP).
Some of the time, a social engineering profile is easy to spot for a security professional: indicators include a sparse profile, sexually provocative picture,
or strange connections. This minimalist approach to profile creation capitalizes on only the fields necessary to appear in a search result, or more
importantly, a friend request, and is optimized for bulk profile creation (see figure 6). Accounts like these are considered Minimally Invested Profiles
(MIP).
An MIP is designed to target users who readily accept requests without doing any manual analysis of a profile. The attacker will fill out the fields
necessary to appear legitimate in a friend or connection request. This varies by social network, but generally includes name, picture, job title, and
location. The recipient of the request will only see this snapshot of the profile on their dashboard.
A shocking number of users are comfortable accepting
connection request with such limited information.
Norton reports that well over a third of social media
users regularly accept unknown, unsolicited requests.22
The alternative to an MIP is a more robust profile that is designed to fool just about anyone. The attacker can spend considerable time filling out as
much of the profile as possible, gathering connections to appear legitimate, and taking time refining and editing the profile to pass a basic screening.
Accounts like these are considered Fully Invested Profiles (FIP).
Networks like Facebook are slightly more difficult to build a convincing FIP because so much of the profile is dictated by other users. For instance,
establishing a convincing Facebook “wall” either requires real users to interact with the profile or other fraudulent accounts to post to the main
attacker’s profile. However, for networks like LinkedIn, Twitter, Google+, Instagram, Pinterest, and YouTube, in which the majority of the profile’s content
is self-generated, the attacker can build out the profile in relative isolation.
For a prime example of an FIP (see figure 7). The LinkedIn profile “Dr. Emily Crawley” boasts a compelling professional summary, a multitude of
professional experiences, endorsements, recommendations, volunteer work, education, publications, projects, languages, skills, and actively follows
several groups and organizations. Only after some serious digging does the profile unravel -- the co-authors on her publications do not link to real
accounts, her recommendations comes from a patently-fake Marine Corp General’s account, her connections are suspicious, and a reverse image
search reveals that her profile picture is stolen from a Russian dating website.
One of the best ways for a regular user to manually assess a profile is to look at its connections. Are they mutual? Are they authentic? Are they
numerous? To counter this kind of cross-examination, attackers invest time in building out connections before launching their attack on actual targets, a
tactic called gatekeeper friending.
To this end, attackers must further select whom to engage with based on the identity of their final target. They must connect with the final target’s
connections and interact with other movers in the target’s industry. Social engineering profiles thus frequently “specialize” by industry vertical or
geography. Take Olga Redmon for example (figure 6) -- her connections are mostly automotive employees in the Michigan/Ohio region. Who the final
targets are remains to be seen.

THE SOCIAL TAKEOVER
- Figure 6 -
Olga Redmon – Minimally Invested Profile (MIP)

THE SOCIAL TAKEOVER
- Figure 7 -
Dr. Emily Crawley – Fully Invested Profile (FIP)

THE SOCIAL TAKEOVER
4.2.3 // ZEROFOX INSIGHTS: THE MOST IMPERSONATED EXECUTIVES
Did you know there are 83 Twitter accounts claiming to represent Vladimir Putin? No one seems to be sure which is the real account -- Barack Obama
follows one, the Associated Press another. The investor Marc Andreessen follows a third. At least five different Putin accounts boast over 5K followers.
Across all the major social networks, Putin has 318 different impersonator profiles.
When it comes to fraudulent profiles, some are obvious parodies. Others, however, are a critical element in a cyber attack. Worst of all, the barriers
to creating a fraudulent account are negligible -- anyone with an internet connection and 15 free minutes can construct an impersonator. With only
that as ammunition, the attackers might nonetheless succeed in gathering intelligence, slandering the target company, disrupting customer service,
manipulating stock prices,23
socially engineering employees, or distributing malware. For the organization, there could be a serious impact on
reputation and credibility.24
The hacker can pose as anyone, from IT support to the CEO.25
In the former case, the goal could be stealing network administration credentials or
phishing customers. In the latter, the fraudulent profile can interact with employees, leverage their authority, and manipulate the target. For such a low-
tech tactic, the range of potential attacks is immense.
For networks that scan for duplicate accounts, the attacker can readily deceive the network by leveraging homoglyphs: letters that look identical but,
because they are from different language groups, have a different code point value (see figure 8). Replacing a single letter with a homoglyph in a brand
or celebrity name causes the network’s fraud algorithms to bypass it. Additionally, ZeroFOX has witnessed a number of profiles that have photoshopped
the network’s “verified” seal to appear more legitimate (see figure 9).
- Figure 8 -
Homoglyph tactic:
the “S” in Starbucks
is a Russian Cyrillic
character

THE SOCIAL TAKEOVER
Figure 9 - The top account is the legitimate page, the bottom
account in an impersonator with a photoshopped “verified” seal
ZeroFOX has uncovered high-level fraud in almost every
possible sector. Government agencies and the military,
however, are notorious for suffering from “romance
scams,” which leverage fraudulent accounts to scam family
members, friends, and would-be-lovers. In fact, the U.S.
Joint Chiefs of Staff collectively boasts 234 impersonator
accounts across LinkedIn, Google+, Facebook, and
Twitter. General Raymond Odierno has 63 fraudulent
accounts; Admiral Jonathan Greenert has 42 fradulent
accounts (figure 10); and General Martin Dempsey has
40 fraudulent accounts.
Figure 10 - Fraudulent Admiral Jonathan
Greenert accounts on Google+

THE SOCIAL TAKEOVER
- Figure 11 -
The problem is widespread in the private sector as well. CEOs, board members, athletes, celebrities, and more are frequently impersonated on social
media. Sometimes the accounts are benign, but often they are more malicious.
DEFENSE INDUSTRIAL
BASE POSITION
% OF INDIVIDUALS
WITH IMPERSONATORS
CEO 20%
VICE PRESIDENT 49%
CFO 22%
SVP 20%
COO 33%

THE SOCIAL TAKEOVER
- Figure 12 -
INDUSTRIES WITH MOST
FRAUDULENT CEO ACCOUNTS
1
2
3
4
5

MEDIA
RETAIL
FINANCIAL SERVICES
HEALTHCARE
TECHNOLOGY

THE SOCIAL TAKEOVER
- Figure 13 -
JARED LETO
JENNIFER LAWRENCE
CHANNING TATUM
MERYL STREEP
ELLEN DEGENERES
JULIA ROBERTS
KEVIN SPACEY
BRADLEY COOPER
BRAD PITT
LUPITA NYONG’O
ANGELINA JOLIE
TOTALCELEBRITY
110 138 117 39 34 0 438
220 137 73 52 56 1 539
234 144 84 27 18 4 511
15 80 40 41 41 0 217
24 112 63 30 26 1 256
70 41 14 4 2 2 133
64 33 24 10 8 0 139
379 13 50 23 6 3 474
70 52 32 16 19 11 200
30 24 3 31 2 0 90
64 152 135 50 40 7 448
438
539
511 133 139 200 90
448
256217 474
3
Ellen’s Selfie By Fraudulent Accounts

THE SOCIAL TAKEOVER
With each new technological development comes a new breed of attack -- gunpowder gave us both fireworks and cannons; airplanes offered global
mobility both to visit grandma and to bomb Pearl Harbor; the internet gave us worldwide information sharing -- and the risk of cyber attack.
Social media is no different. Attackers quickly learned how to use social profiles to steal information, hijack personalities, conduct information
operations, and coordinate more traditional cyber attacks. In the news today, the Islamic State (ISIS) has made it all too clear that social media can be
exploited for terrorism.
ZeroFOX predicts a steep rise in these attacks as social media continues to embed itself as an inherent element of modern life. Social media is growing,
and these types of attacks are along for the ride.
In early 2015, more than a dozen high-profile social media account hijackings made headlines around the globe, from CENTCOM to Taylor Swift to
Chipotle. This section outlines new threats introduced by social media, case studies, and ZeroFOX predictions for the year ahead.
5. THE NEWEST BREED OF CYBER ATTACK
5.1 // SOCIAL ACCOUNT COMPROMISE
Although hijacking and vandalism have been around since the dawn of civilization, never has there been a more public target for these attacks. Social
accounts are the ideal target for cyber vandalism, considering that the attack could be seen by hundreds of millions of users.
Every organization (and individual) with a social media account is vulnerable. Depending on the quantity and quality of the target’s friends and followers,
the attacker could hijack the account and use it for criminal, political, military, or espionage purposes.
Figure 14 - Compromised CENTCOM Twitter account

THE SOCIAL TAKEOVER
Take, for example, the recent hijacking in which ISIS supporters compromised the Twitter and YouTube accounts of the U.S. Central Command
(CENTCOM). In terms of sheer propaganda value, ISIS supporters were able not only able to speak from the microphone of CENTCOM to its more than
100K followers, but also to give the impression that it possessed some level of technical skills with which it could do battle with the U.S. in cyberspace
(figure 14). The credibility of the victim takes a tumble, especially in regard to its perceived security posture.
Figure 15 - Compromised Taylor Swift Twitter account
The cost to an organization in the event of a compromised account is difficult to quantify. The attack itself often has little monetary gain for the attacker,
especially in the case of cyber vandalism. This means there is no scrambling to recover stolen data or remediate an infected network. However, that’s
not to say the cost of an account hijacking is small. Because social accounts are public, news of a compromise can spread like wildfire. Errant posts are
reposted and begin trending, triggering the massive information cascade that has made social media so powerful -- for better or worse.
The ultimate cost to the organization comes in the form of brand reputation damage and diminished customer loyalty. A successful attack is an
embarrassing event that demonstrates a lack of basic security knowhow, especially if the target organization is entrusted with customers’ sensitive
information -- such as a bank or a hospital. If the social account has been breached, what else might be compromised? Was the password reused
anywhere else? What other questionable security procedures does the organization have in place? What if the attacker had been more subtle and used
the breached account as a springboard for more serious cyber attacks?
2015 has been a popular year for account compromise. Between Taylor Swift, Chipotle, Newsweek, Delta, CENTCOM, Crayola, International Business
Times, and more, attackers are quickly learning that stolen social profiles are valuable commodities.
On average, it takes an organization over 5.5 hours
to regain control of a compromised account.
On the low end, Newsweek recently reclaimed their account within 14 minutes of the first compromised post being published. ABQJournal on the other
hand, measured the time not in minutes but days before they regained control of their Twitter account from ISIS supporters. In that time, hundreds or
thousands of posts or direct messages could be sent around the world. When an important account is breached, every second counts.

THE SOCIAL TAKEOVER
5.1.1 // ZEROFOX PREDICTIONS
We have already seen a steep rise in the number of these attacks in the past year and half. The majority of these compromises are
highly visible cyber vandalism. However, the consequences can be much more severe -- in 2013, a breached AP account sent the
Dow Jones industrial Average plummeting 150 points after a fraudulent tweet claiming bombs had been set off in the White House
(figure 16). There remains to be seen a case in which a compromised account was leveraged as a springboard for further attacks or
to distribute malicious code, but we anticipate this to occur in 2015.
Figure 16 - Compromised
AP Twitter account
ZeroFOX predicts that in addition to an increased quantity, we’ll see an increase in maliciousness. For a more nefarious adversary, a compromised
account could be used to spread malware and phishing links with unprecedented scale and efficacy. Instead of broadcasting the breach by openly
defacing the account, the attacker could publish more subtle posts in order to spread malicious links and phish followers of the account. This level
of access could be used to steal additional information from direct messages, conduct ongoing reconnaissance, or further attack the organization’s
network.
5.2 // ATTACK PLANNING & HACKTIVISM
Social media has lowered the barrier for participation in nearly every conversation, from revolutions to political discourse to discussion on the color of
#thedress. In terms of “hacktivism” (a combination of hacking and political activism), the door is wide open to political protests worldwide, which often
incorporate some form of computer network attack.
Hacktivist campaigns leverage social media to spread
information about the attack, find volunteers, coordinate
participants, and issue commands. For distributed denial-
of-service (DDoS) attacks, hackers post internet Protocol
(IP) addresses, domain names, attack tools, the time of
the attack, and the desired target. Human volunteers and
automated botnets share the information in advance to
amplify the scope and impact of an attack.
Social media networks are exploited as a command and control mechanism. During times
of political turmoil, such as during the Arab Spring or the Ferguson riots, hacktivists use
trending hashtags to entice and incite social media users to join in international cyber campaigns.
Attackers have left the traditional Internet Relay Chat (IRC) channels behind, and turned to mainstream
social networks in an effort to maximize the size and scope of their attacks. Believe it or not, a hashtag as
simple as #DDoS is widely used to advertise attack tools and intended targets (figure 17).
Figure 17 - A command
tweet for a DDoS attack

THE SOCIAL TAKEOVER
All of this activity occurs on public websites. Therefore, information security teams can learn of many impending attacks -- provided that they are looking
in the right places, and that they have the proper tools and expertise to evaluate what they find.
If organizations can navigate the vast ocean of threat data that exists in the social media space, they will have a critical leg up on their rivals and
adversaries. The real-time and dynamic nature of social media communications means that organization may be able to predict cyber attacks before
they occur.
As a recent ZeroFOX analysis showed, even 15 minutes of foreknowledge can give cyber defenders sufficient time to block or mitigate a coming attack.
Security teams can use this time to prepare a response strategy, such as “blackholing” incoming DDoS packets and bogus web requests. They can
elevate defense procedures, coordinate with other network security teams, obtain outside support, and work with Internet Service Providers (ISP) to
limit damage and potential fallout.
5.2.1 // CASE STUDY: THE VALUE OF 16 MINUTES
How much do you value a minute? Perhaps the value of a minute is derived from what can be accomplished in that amount of time -- or in this case, what
can be prevented. In the following case study, ZeroFOX helped a client get a critical 16-minute head start on the adversary by leveraging social media
as an early warning system.
In late 2014, a large U.S. organization (henceforth, OrganizationXYZ) was targeted in a persistent DDoS attack and social media account takeover
attacks carried out for 4 days. The attacks were carried out by a group of hacktivists who coordinated their attacks via Twitter. Attackers tweeted
instructions and target destinations, leveraging common social tactics like hashtags to popularize the campaign and encourage others to join the attack.
BY THE NUMBERS
DAYS OF ATTACKERS’
CAMPAIGN
DDOS ATTACKS
CARRIED OUT
ORGANIZATIONXYZ-AFFILIATED SOCIAL MEDIA
ACCOUNTS MONITORED BY ZEROFOX
MBYTE/SECOND TRAFFIC SURGE
DURING PEAK OF DDOS ATTEMPT
MINUTES OF DEFENSIVE
PREPAREDNESS
COMPROMISED
ACCOUNTS
SYSTEM
DOWNTIME
Attackers began their campaign by launching multiple DDoS attacks in an attempt to overwhelm their target with incoming IP traffic. In this instance, the
attacker targeted web addresses and IPs associated with OrganizationXYZ’s critical systems. Additionally, the attackers attempted to breach a number
of associated social media accounts, leveraging a combination of brute force and targeted phishing.

THE SOCIAL TAKEOVER
– Figure 18 –
ZeroFOX immediately began monitoring the adversary, their social media assets, and messaging. ZeroFOX identified the attack indicator, the DDoS
command message, 16 minutes before the assault was launched (See figure 19).
The command message was published at 1:07AM, and the surge in traffic came at 1:23AM (See figure 20). ZeroFOX identified and alerted on the
post as it was published, providing 16 minutes of defensive preparation for OrganizationXYZ. Within those 16 minutes, OrganizationXYZ was able to
alert the targets, establish a plan of action, notify DDoS mitigation services, set up redirect points to divert traffic, execute escalation procedures, and
even carry out a dry run of the defense procedures.
This 16-minute window was a critical advantage that allowed the security team to protect their assets and stop the attack. When the surge in traffic did
occur, it resulted in 0 downtime.
In this instance, social media was leveraged as an early warning system, providing OrganizationXYZ’s security teams proactive and actionable threat
intelligence regarding the incoming attack.
– Figure 19 –
Traffic Volume by Average Bits/s
300M
250M
200M
150M
100M
50M
0
1:07 am 1:11 am 1:15 am 1:19 am 1:23 am 1:27 am
PREP TIME
Bits/s
Avg.Bits/s
– Figure 20 –

THE SOCIAL TAKEOVER
Social media gives the adversary a highly effective coordination tool, but at the same time, provides security teams a proactive glimpse into their
operations. For cyber defenders, social media postings are invaluable warning signals that offer critical intelligence -- and time -- to reinforce an
organization’s defensive posture before an attack begins. The ability to see an attack in the planning stages and understand the tactics, techniques,
and procedures being employed is a huge advantage to the security practitioner.
5.3 // PROPAGANDA & CYBER TERRORISM
Al Qaeda was one of the first extremist organizations to leverage the power of computer networks, but today, via social media, the Islamic State (ISIS)
is revolutionizing the nature of terrorist communications. Like its predecessor, ISIS has generated enormous publicity from posting atrocities to social
networks, such as beheading captives.
ISIS has also taken advantage of numerous social media-specific tactics, setting an example that other extremist groups are sure to follow:
• Hashtag Hijacking: ISIS piggybacks on trending hashtags to spread propaganda. In particular, ISIS targets hashtags popular in the western world,
like #ferguson or #worldcup (figure 21).
• Social Botnets: A bot is an automated social network account, and when interconnected with a network of other bots, makes up a botnet. These
botnets work together to spread a message and make tracing the source of the original content an extremely difficult task.
• “The Dawn of Glad Tidings,” or “Dawn,” app: this Arab language app was designed by ISIS to communicate amongst their members. Moreover,
Dawn has the ability to post from users accounts, making their social presence appear all the more vibrant (figure 23).
One recent study on the Islamic State’s use of social media -- including Facebook, YouTube, Twitter, Instagram, WhatsApp, Tumblr, and more -- showed
that its propaganda campaigns are paying real dividends, with over 18,000 foreign fighters from 90+ countries having joined their fight in the Middle
East.
In response, the online hacker group Anonymous has declared “war” on ISIS, and the U.S. State Department created the Center for Strategic
Counterterrorism Communications (CSCC) in an effort to discourage religious and political extremism.26
Figure 21 - ISIS trendjacks western hashtags Figure 22 - ISIS broadcasts
execution video on social media

THE SOCIAL TAKEOVER
A different Twitter “census” estimated that there were nearly 50,000
Islamic State (ISIS) supporters on the micro-blogging platform.27
Attempts by Twitter to delete the most visible accounts were partially
successful, but banishment was unlikely, and perhaps not even
desirable, given free speech concerns, threatened physical retaliation
against Twitter employees, and the general Western need for
intelligence collection on the group.28
In June of 2014, Richard Barrett, a senior vice president at Soufan
Group and former British diplomat and intelligence officer, released
a report titled Foreign Fighters in Syria.29
In the report, Barrett
investigates the influx of Westerners fighting in Iraq and Syria. The
average age of recruits is considerably younger than in other Islamist
movements. People as young as 15 have been leaving the West to fight
-- the average age ranging between 19-25.
Figure 23 - The Dawn of Glad Tidings app
The Soufan Group also analyzed the unique climate surrounding Syria on social media. Posts about Syria are drastically more likely to receive reposts
and replies than posts about other Mideast events, such as oil, cyber attacks, and sports. As Barrett states, “Tweets of the Syrian war appear therefore
to do two things: to generate a sense of personal involvement -- and passion -- that can translate quite readily into action; and second, to create an
information bubble that excludes outside voices.”
Most unsettling of all is the Islamic State’s appropriation of Western social media trends. As Vice states, they are “Social Media Pros.”30
ISIS members appropriate popular memes,
reference Western trends, and post cat pictures.
One such piece of propaganda reads, “YODO – You only die once. Why
not make it a martyrdom?” (figure 24). In another, referencing a popular
video game, the line states, “This is our Call of Duty, and we respawn in
Jannah” (figure 25). In between violent posts, fighters talk about their
lives, chat with comrades, and discuss what they’re eating and drinking.
– Figure 24 –

THE SOCIAL TAKEOVER
ISIS’s social media presence is a double-edged sword. Because they are so vocal, those fighting against ISIS can leverage it as counterintelligence
regarding ISIS’s locations and activities. Recently, the problem became so acute that ISIS demanded its followers be more restrained on social
networks (figure 26).
– Figure 25 –
– Figure 26 –
5.3.1 // ZEROFOX PREDICTIONS
ISIS has set a new bar for extremist propaganda on social media. They have proven that social media is a robust recruiting tool for any enterprise or
cause, including terrorism. They have successfully connected with would-be followers and volunteers across the globe. In the near term, ISIS’s model
will be adopted by other extremist groups. The internet provides a low-cost way to advertise, and the violent nature of many extremist communications
is readily parroted by international news organizations, which serves to amplify the propaganda. Finally, when possible, extremist organizations will hack
the usernames and passwords of influential social media accounts with the goal of speaking to an even wider audience.

THE SOCIAL TAKEOVER
The information challenges of social media are diverse, albeit interrelated. Many of the tactics described in this white paper bleed into one another
to form an end-to-end cyber attack. ZeroFOX has been tracking these attacks for several years, dedicating immense time and resources into
understanding and addressing the intricacies of social media cyber security.
In order to solve the complex problems of social media, cyber security technology must update and repurpose old tactics, such as analyzing links, as
well as developing new ways of addressing unseen challenges. This necessitates searching for both behavioral and technical indicators in order to stop
attackers before they can deliver their payload.
Information security professionals must first understand and appreciate the security-related challenges with social media. Social is no longer in the
marketer’s realm -- security teams must be in constant dialogue with marketers, recruiters, and salespeople about safe and appropriate use. In addition,
security teams need to adopt effective methods of monitoring and analyzing their social fabric for cyber attacks and malicious actors.
This will be an immense, open-ended challenge, but in order to ward off social media-based threats, as well as to take advantage of social media-based
opportunities, vulnerable enterprises must begin by understanding and analyzing the entire, complex fabric of the social media space.
In short, the attackers have kept up with the latest trends in information technology, internet communications, and cyber attacks -- above all, the
migration of global communications to social media. The only way for cyber defenders to keep the bad guys at bay is by doing the same.
6. CONCLUSION
6.1 // ABOUT ZEROFOX
ZeroFOX’s goal is simple: to protect the world’s social media ecosystem and the people and organizations that rely upon it. In an age of constant
connectivity and social sharing, users have become the primary target for the adversary. ZeroFOX protects your people where they are most vulnerable
by continuously monitoring social platforms for cyber attacks, sensitive information loss, social engineering campaigns, account compromise, and fraud.
Leveraging cutting edge technology and proven security practices, ZeroFOX provides both targeted protection and global insights into the world of
social media threats.
At ZeroFOX, we spend an immense amount of time and resources understanding the risks of social media and the costs of falling victim to them. Our
products are an outgrowth of this expertise -- we know how cyber criminals leverage social media to target people and organizations and how to detect
and prevent these attacks. With ZeroFOX, social media is out of the attackers court and back in yours to safely leverage however your organization
chooses.
443.FOX.7259 SALES@ZEROFOX.COM ZEROFOX.COM

THE SOCIAL TAKEOVER
1. Facebook Newsroom
http://newsroom.fb.com/company-info/.
2. “List of countries and dependencies by population,” Wikipedia
http://en.wikipedia.org/wiki/List_of_countries_and_dependencies_by_population.
3. “Mobile Technology Fact Sheet,” Pew Research Center (retrieved 12 Mar 2015)
http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/.
4. “The smartphone is ubiquitous, addictive and transformative,” The Economist (28 Feb 2015)
http://www.economist.com/news/leaders/21645180-smartphone-ubiquitous-addictive-and-transformative-planet-phones.
5. Ibid.
6. Facebook Newsroom (retrieved 12 Mar 2015)
http://newsroom.fb.com/company-info/.
7. “Social Media Update 2014,” Pew Research Center (09 Jan 2015)
http://www.pewinternet.org/files/2015/01/PI_SocialMediaUpdate20144.pdf.
8. “The Hidden Truth Behind Shadow IT,” Stratecast (2013), sponsored by McAfee,
http://www.mcafee.com/us/resources/reports/rp-six-trends-security.pdf
9. “An In-Depth Analysis of Abuse on Twitter,” Jonathan Oliver, Paul Pajares, Christopher Ke, Chao Chen, and Yang Xiang. Trend Micro (retrieved 12
Mar 2015)
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-an-in-depth-analysis-of-abuse-on-twitter.pdf.
10. “2012 Norton Cybercrime Report,” Symantec (2012)
http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_
FINAL_050912.pdf.
11. McAfee® Labs 2014 Threat Predictions, McAfee Labs
http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2014.pdf.
12. Timm, Carl & Perez, Richard. Seven Deadliest Social Network Attacks. From the Introduction. (2010) Elsevier
http://www.sciencedirect.com/science/book/9781597495455.
13. Rachwald, Rob. “Top Security Predictions for 2014,” FireEye (21 Nov 2013)
https://www.fireeye.com/blog/executive-perspective/2013/11/top-security-predictions-for-2014.html.
14. Dr. Paul Judge, “2011 Social Networking Security and Privacy Study,” Barracuda (2011)
http://barracudalabs.com/wp-content/uploads/2013/06/2011LabsSocialNetworkingStudy.pdf
15. Gragg, David. “A Multi-Level Defense Against Social Engineering,” SANS Institute (Dec 2002)
http://www.sans.org/reading-room/whitepapers/engineering/multi-level-defense-social-engineering-920.
7. REFERENCES

THE SOCIAL TAKEOVER
FINAL_050912.pdf.
17. The Risk of Social Engineering on Information Security: A Survey of IT Professionals. Dimensional Research/Checkpoint (Sep 2011)
http://www.checkpoint.com/press/downloads/social-engineering-survey.pdf.
18. Fantozzi, Joanna. “Alinea Warns Diners of Reservation Phishing Scams,” The Daily Meal (20 Oct 2014)
http://www.thedailymeal.com/news/alinea-warns-diners-reservation-phishing-scams/102014.
19. Cowley, Stacy. “LinkedIn is a hacker’s dream tool,” CNN (12 March 2012)
http://money.cnn.com/2012/03/12/technology/linkedin-hackers/index.htm.
20. Rogin, Josh. NSA Chief: “Cybercrime constitutes the “greatest transfer of wealth in history”,” Foreign Policy (9 Jul 2012)
http://foreignpolicy.com/2012/07/09/nsa-chief-cybercrime-constitutes-the-greatest-transfer-of-wealth-in-history/
21. Gardner, Frank. “How the dark web spurs a spying ‘arms race’,” BBC. (19 March 2015)
http://www.bbc.com/news/technology-31948818.
FINAL_050912.pdf.
23. Zeiler, David. “How to Deal with Social Media Stock Scams,” Market Daily News (March 13, 2013)
http://marketdailynews.com/2013/03/12/how-to-deal-with-social-media-stock-scams-linkedin-corp-lnkd-netflix-inc-nflx-herbalife-ltd-hlf/
24. Timm, Carl & Perez, Richard. Seven Deadliest Social Network Attacks. From the Introduction. (2010) Elsevier
http://www.sciencedirect.com/science/book/9781597495455.
25. According to the Websense “2014 Security Predictions” Report, “Attackers will increasingly lure executives and compromise organizations via
professional social networks.”
http://www.websense.com/assets/reports/websense-2014-security-predictions-report.pdf.
26. Schori Liang, Christina. “Cyber Jihad: Understanding and Countering Islamic State Propaganda,” Geneva Centre for Security Policy (GCSP) Policy
Paper (Feb 2015).
27. Berger, J.M. & Morga, Jonathon. “The ISIS Twitter Census,” Brookings (March 2015).
http://www.brookings.edu/~/media/research/files/papers/2015/03/isis-twitter-census-berger-morgan/isis_twitter_census_berger_morgan.pdf.
28. Schori Liang, Christina. “Cyber Jihad: Understanding and Countering Islamic State Propaganda,” Geneva Centre for Security Policy (GCSP) Policy
Paper (Feb 2015).
29. Barrett, Richard. “Foreign Fighters in Syria,” Soufan Group (June 2015).
“http://soufangroup.com/wp-content/uploads/2014/06/TSG-Foreign-Fighters-in-Syria.pdf”
30. Speri, Alice, “ISIS Fighters and Their Friends Are Total Social Media Pros,”
https://news.vice.com/article/isis-fighters-and-their-friends-are-total-social-media-pros

THE SOCIAL TAKEOVER

The Social Takeover

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to The Social Takeover

Similar to The Social Takeover (20)

Recently uploaded

Recently uploaded (20)

The Social Takeover