Don't Get Scrooged on Social Media

The festive season shines like a bright light in the darkness for that benighted (but likely pretty well-off) class known as cyber-criminals. Like a cat going after a sparkly glass ball ornament on the tree, they really can’t help themselves. There are sales, sales, sales, and essential requirements for all and sundry to part with their money in the service of gift-giving and party-throwing and annual Christmas-dinnering and general jolliness.  So. Much. Money.

Thus, faster than Santa does his thing (how does he gets down all of those chimneys in a single night?), holiday scammers have rolled out their lures, guided by greed and sugar plum dreams of making money-angels in a big ol’ pile of Benjamins. And social media has become their favored avenue of choice.

As ZeroFox warned, “[They] hijack this excitement and abuse the trust between consumers and brands on social media by creating fraudulent accounts, crafting fake, eye-catching promotions and driving unsuspecting consumers to a variety of malicious ends, including phishing pages, malware exploits and other nefarious schemes.”

That’s a veritable cornucopia of cybercrime holiday surprises. In fact, as of the start of the month, the ZeroFOX Alpha Team had uncovered 2,868 fraudulent accounts peddling holiday scams across social media—a number that is sure to at least have doubled by this point. The accounts are part of several distinctive attack campaigns that each exhibited different tactics and end goals to target those poor saps shopping online. Scammers quickly make copies of the brand’s owned account, steal clicks and revenue, attack customers and drive away huge volumes of would-be business for brands.

“The vast majority of these scam accounts leverage a similar core tactic: brand impersonations,” ZeroFox explained. “The holiday scams use official branding and imagery, often taken directly from the brand’s verified account, to make a profile that looks identical to the real one. Targeted retail brand categories included fashion, technology, sports, ecommerce, jewelry and food.”

That’s pretty much…everything that people buy during the holidays. 

The holiday scams were advertising either phishing links, malware exploits or fame farming schemes. The latter refers to when a profile advertises fake coupons or giveaways to rapidly gather large numbers of followers, likes and shares. They typically promise fake holiday gift cards and offers in order to fraudulently amass followers, extract personal information and redirect users to malicious external websites. After the fake account amasses enough digital popularity, it can be repurposed to launch larger attacks or commit other fraudulent activity.

“ZeroFOX believes many of these accounts fall under several highly structured attacker campaigns, as they drive to a small number of similar links and use redundant language across profiles,” the firm said. “This shows the power of social media for attackers, who can quickly create many accounts and thus can reach victims at scale. With the buzz around the holidays, a few quick hashtags can ensure their posts are seen in popular search queries and pop-up in topical conversations.”

Bah humbug!

There are lots of ways to avoid shopping online, like battling the crowds at the mall, creating handmade gifts for everyone, or giving everyone a bottle of your patented homemade kombucha. But you can also stay safe by boosting your awareness. 

ZeroFOX Alpha Team recommends a few common-sense precautions:

  1. Beware of coupons and promotions distributed through sites other than the official retailer.
  2. Ensure two-factor authentication is enabled on your social media accounts when available.
  3. Be wary of links on social media. Hover over them to get a preview and look closely for impersonator URLs and characters meant to look like others. When in doubt, copy the link into a free analysis tool like VirusTotal.
  4. Ensure that your anti-virus and anti-malware is kept up-to-date on your device, whether it’s a PC, Mac, or mobile device, and that your device remains patched at all times
  5. Curate who you follow. Following suspicious accounts increases your chances of being exposed to social media holiday scams, and even benign accounts can be hijacked by or sold to scammers.
  6. Beware of brand impersonations. Unless it has the blue verified checkmark, do not click anything that accounts posts as it is likely an impersonations of the real profile.
  7. Above all, be careful what you click on social media! If it looks suspicious, it may very well be.

What’s Hot on Infosecurity Magazine?