Hackers Using Impersonation Scams and Phishing Emails to Hack into Corporate Social Media Accounts
Hackers are sending phishing emails that impersonate major social media channels to steal corporate targets. The emails urge the recipient to take immediate action to avoid account suspension or deletion. The targets of these scams are large corporate users in media conglomerates, talent agencies, print and digital services, and hospitality sectors. In the past two months, the attacks have increased 60 percent says a report by Abnormal Security.
If the hackers are able to gain access to these enterprise-level social media accounts they’ll be able to hijack or delete the account. They may then access and message all of the account’s followers.
Emails that look like they come from Instagram, Facebook, and Twitter are being used in email phishing campaigns. The goal is to steal login credentials. The emails claim that the victim has violated a platform policy or copyright law and threatens them with account suspension or deletion. The email phishing campaigns contain a malicious link disguised is a link to appeal the suspension.
Like most email phishing scams, the target is urged to act immediately to avoid some sort of negative action if they don’t follow the instructions in the email. If the email recipient clicks on the link in the phishing email, they are taken to a spoof web page that prompts them to enter their account login credentials. The spoof landing pages look almost identical to their legitimate counterparts.
“Abnormal Security has observed attackers impersonating of social media platforms like Instagram, Facebook, and Twitter to steal the login credentials of employees major enterprise organizations. In the past two months, we have seen a 60% increase for several organizations with key social media presences,” says Abnormal Security
Earlier this month, hackers were spotted using Office 365 to target LinkedIn users with another phishing scam. This campaign attempted to steal LinkedIn credentials. The emails may have compromised up to 50,000 users and if compromised exposes all of their contacts to the hackers.
This week, phishing scams were reported circulating on WhatsApp. In this scam, the hackers are sending fake tech support messages using the native messaging platform. They then prompt the victim to send their account PIN code. IF the user does so, the hacker can hijack their WhatsApp account or access all of their contacts.
In the following phishing email scams, the users are threatened with account deletion or suspension.
In this Instagram phishing scam, an email is sent to the target claiming the account has a copyright violation. The target is urged to click on a link to appeal the decision. The target is threatened with account deletion if they do not comply with the instructions. If the target clicks on the link in the phishing email, they are taken to a spoof website that prompts them to enter in their Instagram login information. The domain may, at a glance, appear that it is an official Instagram support website, but it is clearly not. The spoof website, Instagram.suppercenter.ml, is used to phish targets for their account logins.
Facebook Phishing Scam
Abnormal Security has also spotted Facebook phishing emails. The hackers use an email address which appears to come from Facebook itself. The email messaging claims that the users Facebook has received a high number of complaints. Again, the recipient is urged to appeal immediately, or their company Facebook page may be unpublished.
The Facebook phishing email works differently than the Instagram version. Rather than taking the user to a spoof website, the malicious link leads the target to a Facebook notes page – which is hosted on Facebook itself. Because notes forms are a Facebook feature, the target must already be logged in to see the notes form. They are prompted to enter the email address used for the account.
Twitter Email Phishing
Just like the Instagram phishing email, the Twitter phishing email also claims that the target’s account has violated a Twitter policy. The target is again urged to click on a link to appeal the decision. The email address used for the phishing email was chosen by the hackers because it looks very similar to the official Twitter domain name. The emails come from a domain name the hackers registered – with only one letter difference from the official Twitter.com URL. The letter “i” in Twitter is replaced with a lower-case “L. – so the email comes from “Twltter” URL rather than the legitimate “Twitter.” See the difference? It’s VERY hard to spot!
In these attacks, Instagram, Facebook, and Twitter all being used to steal company social media account login information. The goal of the hackers is to hijack social media accounts that are very valuable to enterprise corporations.