When you are on social media you are “among friends,” right? Perhaps not, or at least not exclusively. Threat actors continue to get more creative and more difficult to detect, and now they’ve gone social—hiding cyber attacks in the form of malicious links in social media posts.
Here’s what to look out for.
Fake news has gotten so much media attention the very term may elicit an eye roll. That’s understandable. But bear with this a moment.
Some of those attention-grabbing headlines were generated to get clicks, and those clicks accumulated ad revenue dollars. This became a big problem leading up to the last election, when people were apt to believe fake news and quickly spread it via social media.
Social media sites like Facebook were slow to respond, not wanting to become the censors of internet news. Measures are in place now to report fake news, and of course, it is incumbent upon each of us to verify data before sharing it.
But in some types of cyber attacks, that fake site doesn’t care whether or not you share it. Just clicking on it is enough to get you, and then it’s programmed to replicate itself.
Here’s another angle, and it worked on no less than a Pentagon official: a fake link in a robot-generated post. In that case, it was a Twitter post offering a link to a possible family vacation.
Robot-generated links are virtually untraceable. Here are some possible ways fake links can fool you:
- A robot post that looks legitimate
- A “news” article with a link within it
- A message from a “friend” on social media, whose own account was compromised
- A text message with a malicious link
Any of these methods may look very similar to the real deal, but think before you click.
Websites can be faked in two primary ways:
- The real website has been hijacked by a threat actor. This is not common, because it requires far more skill than the average run-of-the-mill cyber criminal has.
- The website can be given a legitimate-sounding name, so people will click on it. Sometimes the fake site is deliberately named very similarly to another site in order to fool people. This even happened to the New York Times, where a fake website had the same address, ending in “com,” with only an extra “.co” at the end. If you looked too quickly, you might not spot that extra “.co” and dismiss it. Or threat actors can use an unused address that seems to promote a legitimate organization's product. This type of fake requires very little skill on the part of the threat actor.
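As an added example (not part of the original article), here is one way a link filter could flag the lookalike addresses described above, where a trusted name gets an extra ending such as “.co”. It also generalizes to one- or two-character misspellings. The allowlist domains, function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist; in practice, the domains your users actually rely on.
TRUSTED = {"example-news.com", "example-bank.com"}


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify(url):
    """Return 'trusted', 'lookalike-...', 'unknown' or 'no-host' for a link."""
    if "//" not in url:
        url = "//" + url  # urlsplit only finds a hostname after '//'
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no-host"
    # Exact match or a genuine subdomain of a trusted domain.
    if any(host == good or host.endswith("." + good) for good in TRUSTED):
        return "trusted"
    for good in sorted(TRUSTED):
        # Trusted name followed by extra labels, e.g. example-news.com.co
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike-suffix:" + good
        # One or two character edits from a trusted name (typosquat).
        # Short trusted names need a tighter threshold to avoid false alarms.
        if edit_distance(host, good) <= 2:
            return "lookalike-typo:" + good
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a post or message.
    for link in ("https://www.example-news.com/story",
                 "http://example-news.com.co/family-vacation",
                 "https://examp1e-bank.com/login",
                 "https://unrelated.org/"):
        print(f"{classify(link):40} {link}")
```

A "lookalike" result is a reason to hold the link for review, not proof of malice; "unknown" only means the host resembles nothing on the allowlist.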
What To Do?
Unfortunately, these new cyber threats are remarkably effective. Unless trained to spot them, many people will not identify the threat. Like so many friends whose emails or Facebook accounts have been compromised, the individual involved may not even know they experienced a cyber attack, until someone else chimes in and tells them.
Just as we train people to spot fake calls “from the IRS” and malicious links attached to emails in the form of phishing scams, we need to train our friends and employees on spotting cyber attacks hidden in social media posts.
The security of all such social interaction is threatened when people continue to allow threat actors a victory.
One more thing you can do: without clicking on it, screenshot and send the suspected cyber threat to a professional. That individual can investigate it safely and verify the threat.
So think before you click.