12.19.2019

Anglin' for Your Creds: Phishing via Social Media Connections

Last updated:
3.17.2021

This past week Lunavi employees found an invitation to connect in their LinkedIn inboxes from one Coleman Anglin, who claimed to be a Marketing Specialist at the company (unsurprisingly, no one in the marketing department received this invitation). 

Of course the humorous last name "Anglin" betrays the true nature of this connection: phishing. While our security team was swift to send out a notice not to connect with this individual, the attempt highlights a growing trend of phishing attacks reaching beyond e-mail into the social media realm.

But why bother posing as a fellow employee or a friend on social media? Several employees asked what the threat could be from this seemingly innocuous connection, even if it was made in bad faith. 

Why Phish Through Social Media? 

Connecting to threat actors on social media can lead to several threats to your organization. Often a combined approach is used to gain further access to the business or your clients, with the goal of malware infection, extortion, or identity or data theft. 

The first step is connecting to you as a friend or colleague. From there the threat actor can scrape non-public information from your profile while also gaining the appearance of legitimacy from being connected to employees at your organization. With this ammo a more targeted phishing attack is possible. 

Now that they are connected, the perpetrator may be able to discover vital information on your private social channel, like pet names, addresses, or other clues that help them guess security questions and log in to other accounts under your name.

Of course, legitimacy can also come into play should this individual choose to use your brand name under their false profile – or by impersonating your actual personnel – to publicly attack others on social media or to go after your clients under the guise of your organization. Any miscreant activity they pursue while appearing as a legitimate employee is a black mark against your brand. 

Impersonation is not the only way attackers may try to probe your organization. Phishing can take a variety of forms on social media, including spoofed or misleading links. With URL shorteners commonly used for link tracking, sending users to a different website than the one the link appears to point to is easier than ever.

These links can lead to a command and control infection which can spread from the user device throughout a corporate network. Indeed, command and control installation code can even be hidden within social media components themselves, allowing the hacker to create an app on the platform that can spread access via direct messages.

Critical Thinking is the Best Defense 

As with all phishing attacks, the best defense is training your users to think critically and to report suspicious behavior before clicking on unknown links or replying to unknown individuals. If something seems off, it probably is. If users do follow a link, they should check that the site uses HTTPS and inspect the URL structure itself to ensure the website is legitimate.
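The two checks recommended above (is the link HTTPS, and does the URL structure actually match the site it claims to be) can be turned into a small triage routine that a help desk or security team runs on a reported link before anyone clicks it. The following is an added example, not code from the Lunavi post: it parses the URL, flags structural red flags, and expands a shortened link hop by hop using HEAD requests without following redirects in the browser. The shortener host list, the sample links, and the `lunavi.com` expected domain are constructed for this example.

```python
"""Triage a reported link: scheme, URL structure, and shortener expansion.

Added example, not part of the original post. The SHORTENER_HOSTS list and the
sample URLs used below are constructed assumptions for illustration.
"""
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

# Constructed list: links through these hosts hide the real destination until expanded.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "lnkd.in", "ow.ly", "goo.gl"}


def inspect_url(url: str, expected_domain: Optional[str] = None) -> dict:
    """Return the parsed host/scheme plus a list of structural findings.

    expected_domain is the domain the link text or sender claims (e.g. "lunavi.com");
    the host must equal it or be a subdomain of it, otherwise it is a mismatch.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme.lower() != "https":
        findings.append("not-https")
    if not host:
        findings.append("no-host")
    if parts.username is not None:
        # http://trusted.example@evil.example/ - browsers ignore everything before '@'
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        # Internationalised hosts can look identical to a Latin brand name
        findings.append("idn-or-punycode-host")
    if host in SHORTENER_HOSTS:
        findings.append("shortened-link")
    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            findings.append(f"host-mismatch:{host}")

    return {"host": host, "scheme": parts.scheme.lower(), "findings": findings}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url: str) -> Optional[str]:
    """Send one HEAD request and return its Location header (None if not a redirect)."""
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here because we refused to follow
        return err.headers.get("Location")


def expand_chain(url: str, fetch: Callable[[str], Optional[str]] = head_location,
                 max_hops: int = 5) -> list:
    """Follow Location headers one hop at a time and return every URL visited.

    fetch is injectable so the chain can be evaluated offline from captured headers.
    """
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if not nxt:
            break
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            break  # redirect loop
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    # Constructed redirect chain standing in for live HEAD responses.
    captured = {
        "https://bit.ly/abc": "https://lnkd.in/xyz",
        "https://lnkd.in/xyz": "http://lunavi.com.evil.example/login",
    }
    chain = expand_chain("https://bit.ly/abc", fetch=captured.get)
    for hop in chain:
        print(hop, inspect_url(hop, "lunavi.com")["findings"])
```

In practice the first hop is the only thing the user sees in the post or message; the triage output shows that the final destination is plain HTTP on a host that merely begins with the brand name, which is exactly the lookalike the post warns about.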
