The PhishLabs Blog

Social media account compromise is nothing new. If you haven’t had an account hacked in the past, most of us know someone who has. According to a study by the University of Phoenix, almost two-thirds of US adults have had at least one social media account hacked. Another report found that 53% of social media logins are fraudulent.

On August 30, Twitter CEO Jack Dorsey became the most notable victim of one of the fastest-growing cyber threats: SIM Swapping. SIM Swap Attacks are increasing because they only require social engineering and access to a SIM card, which makes it another form of phishing.

On a daily basis, most people will use some form of social media. From checking photos of your friends and pets, to communicating with coworkers and loved ones, social media is a large part of the connected world.

Unfortunately, this also means that the more social media is used, the more likely that threat actors will try to exploit it. 

Every day our teams analyze millions of phish across the web, detected through emails, social media, text messages, and most other common digital vectors. Many phishing sites are easy to review and analyze. However, some threat actors that we track take steps to hide their attacks from people other than their intended victims. This is a defense mechanism that makes it harder to analyze their techniques, allowing them to keep their campaigns active for longer periods of time.

Business Email Compromise (BEC) attacks have plagued organizations all over the world for almost a decade. In fact, the phishing threat has become so pervasive and effective for threat actors that the reported losses to date have already hit more than $26 billion. 

Stakeholders expect to see a return on their investment in training. In some cases though, they struggle to conceptualize the best way to evaluate the effectiveness of their security awareness training. They are in good company. Training evaluations can be complex, expensive, elusive, and baffles even seasoned pros.

Today’s marketing organization uses countless SaaS-based tools and platforms that live outside of an organization’s network. As their digital footprint grows, so does their potential for digital risks targeting their enterprise, brands, and customers. Even if they don’t join the latest social media platform, in most cases there are not proper security systems in place to ensure a person or brand is even verified. They just can’t scale with pesky things like security and privacy controls in place.

Social media is undoubtedly a huge asset to modern organizations. It helps them spread their message, promote their products and services, and communicate directly with customers, and users.

Most phishing campaigns attempt to take over accounts by tricking the victim into divulging their credentials. PhishLabs has uncovered a previously unseen tactic by attackers that uses a malicious Microsoft Office 365 App to gain access to a victim’s account without requiring them to give up their credentials to the attackers.

PhishLabs’ Email Incident Response analysts recently identified a phishing campaign leveraging novel tactics in the ongoing war between threat actors and security teams. In addition to presenting a unique twist on a popular lure theme, the campaign leverages a clever combination of tactics by attackers attempting to defeat email security technologies to great effectiveness.