
Scammer AI can tailor clickbait to you for phishing attacks

By Sally Adee

17 August 2016


Don’t click on the link!

Chris Batson/Alamy Stock Photo

Careful of that clickbait. Phishing, where cybercriminals try to trick people into clicking links to malware or sites that steal your personal information, is common on social networks like Twitter. Now a machine learning system that reads our past tweets to craft personalised traps could make clicking links that show up in your feed even riskier.

Crafting a successful phishing campaign isn’t easy. Throw garbage at people and they probably won’t click – and Twitter will ban you. So some criminals take the trouble to tailor their phishing tweets to specific individuals by hand – known as spearphishing.

For example, @NatWest_HelpTC is a scam account that responds to anyone tweeting a customer service question at NatWest’s real Twitter account. The imposters direct users to a fake NatWest site in an attempt to harvest bank login details. A NatWest spokesperson told New Scientist that attacks like this have plagued them – and other companies – for a while now.

Success rates for spearphishing are estimated to be around 45 per cent. The technique is time consuming, however. “It is a very labour intensive way for fraudsters to phish,” says the spokesperson.

Banks shouldn’t count on the difficulty of phishing protecting their customers though – researchers have created a system that can go spearphishing automatically.

Targeted trick

By mining people’s past Twitter activity, their machine learning system first hunts down a potential target. It looks for high-profile or well-connected users – such as those who list a job title like recruiter or CEO in their profile – and people who are particularly active.

Philip Tully, part of the team who created the system at Zerofox in Baltimore, Maryland, says they also targeted people by looking at the hashtags they used in their tweets, as well as what the person likes to retweet and the times they are most likely to be using Twitter. Using this information, the algorithm generates tweets that the individual is likely to click on. In other words, personalised clickbait.

The team tested the system on 90 people and managed to trick more than two-thirds of them into clicking the link. The team thinks that the approach could reach far more people with a greater success rate than hand-crafted approaches. They also say the system would work on other social media sites, including Facebook. The work was presented at the Black Hat conference in Las Vegas last week.

But it’s not just about getting someone to click on a link. A recent study suggested that 60 per cent of people don’t click on or read the links they retweet. Tully says that’s a boon for the technique his team is warning about.

Tweet laundering

These retweeters are effectively laundering the dodgy tweets, lending them the sheen of a legitimate user’s reputation and making it more likely that the next person will click the link.

“People are used to not clicking links in strange emails,” says Tully. But on social media people are more trusting, he says.

“We had one tweet that was hashtagged #infosec – targeted at information security professionals – and a particularly high number of people clicked the link,” says team member John Seymour, also at Zerofox.

What can we do to avoid falling into a trap laid by such a system? For a start, we should think twice before clicking. “If that tweet is coming from someone I don’t follow, maybe I shouldn’t trust them,” says Matt Devost at cybersecurity firm FusionX in Washington DC.

We should also keep our computers and phones updated. “If I have an up-to-date browser on an up-to-date operating system, the probability of infection from a malicious link is minimal,” he says.
