New Attack Channels on the Rise – How Search Engine Ads, Social Media and Apps Are Used to Perpetrate Fraud

Share Button

It’s much easier for fraudsters to trick victims into divulging sensitive information than it is to hack usernames and passwords. That’s the key reason scams via social media, search engine ads and mobile apps are on the rise. These scams fall under the umbrella of social engineering, which consists of various techniques employed by cybercriminals to lure unsuspecting users into revealing confidential data, unknowingly launching malware attacks or opening links to infected sites.

In this digital transformation era, every organization can easily become a target for social engineering, leading to a dangerous viral spread of misinformation. This article will identify scams that have appeared in various online channels and offer insight on how to best avoid online fraud.

Impersonated Facebook Accounts

This scam consists of offering airline tickets at a very cheap price (Figure 1). In the example below, a fraudster offered first class airplane tickets and gift bags containing cash using a Facebook profile. Even though it sounded too good to be true, people actually asked for more information.

Social engineering attacks
Figure 1

But cybercriminals don’t stop there. They have been known to imitate social media profiles of other well-known airlines around the world such as Southwest Airlines, American Airlines and Emirates Air.

Fake Promos Through Social Media

Fake promotions invite social media users to take advantage of offers and discounts such as those shown in this fake Facebook profile of a popular financial institution (Figure 2).

Social engineering attacks
Figure 2

The images and information are very similar to the original fan page, making users more likely to provide sensitive data. There are also updates encouraging people to buy at a special price, but once they click this link, it will immediately direct them to a phishing site (Figure 3).

Social engineering attacks
Figure 3

Twitter Account Takeover

Facebook isn’t the only social media network companies have to protect. Twitter is an important source of information for many consumers. Since the platform specializes in providing information rapidly, organizations need to be able to combat abuse quickly so misinformation about a company or issue doesn’t spread.

Take the instance when someone hacked the Twitter handle belonging to the Associated Press.  Hackers sent a false tweet about explosions at the White House that injured President Barack Obama to the Associated Press’ nearly 2 million followers (Figure 4). The Associated Press quickly announced the tweet was fabricated (Figure 5), but the Dow Jones still plunged more than 100 points in the span of two minutes as a result of the tweet.

Social engineering attacks
Figure 4

 

Social engineering attacks
Figure 5

This incident exemplifies just how much of a negative impact hackers can have on an organization, and the rest of the world, just by gaining access to one social media platform.

Attacks Through Search Engine Ads

Cybercriminals are also using Google AdWords to trick your customers. Users will click on the phishing link that appears at the top of the Google search results (Figure 6). Instead of that link taking the user to a legitimate site, potential customers will be routed to a fake website that requests sensitive information. Since Google does not require ad buyers to show proof they are affiliated with that company, any person can create an ad using any brand. This is also true for ads on Bing, AOL and Yahoo. Organizations that fall victim to these attacks can lose revenue, website traffic and customer loyalty.

 

Social engineering attacks
Figure 6

The Rise of Rogue Apps

Companies need to reach customers on-the-go, but they also need to recognize that mobile applications can open the door to fraud. More than 1.8 million fake Android apps are downloaded each year alone. Apple’s App Store and the Google Play Store implement strict security protocols with the goal of ensuring only legitimate apps are available to users. Third-party or unauthorized app stores do not mandate the same security policies, meaning apps available from these outlets pose a much higher-risk of being malicious or illegitimate.

Below is an example of how rogue apps found in a third-party app store can lead to fraud (Figure 7).

 

Social engineering attacks
Figure 7

A third-party app store is offering unauthorized downloads for the Google Chrome app, but users are not aware of the contents of this app because it is not being offered through an authorized store. The apps pictured could be an exact copy of the original Google Chrome app, or they could be modified to infect devices with malware. Moreover, just because the app is not harmful at the time of download does not mean it is safe. Fraudsters are able to change the app’s properties after download to make it malicious and expose the user to fraud.

Recommendations for Companies

Although social media platforms provide an effective way for companies to interact with customers, they also leave companies vulnerable to becoming vehicles and victims of fraud. It is easier for fraudsters to penetrate a company’s social media account or create an ad than it is to penetrate an actual website, which is why it is so important to have procedures in place to monitor various social media platforms, email channels and search engine ads. Moreover, it is no surprise that cybercriminals are taking advantage of digital platforms because they allow for direct communication between customers and companies.

Here are some tips to help organizations avoid being caught in the middle of online scams:

  • Always diligently monitor social media platforms, even if your organization does not have an account on a certain platform.
  • Convey the importance of staying vigilant online by educating customers with simple, but effective instructions that will prevent them from being influenced by attackers.
  • Find a professional solution that offers effective phishing detection.
  • Ensure that fraudsters are not using your company name or logo to create unauthorized apps that could be harmful.
  • Be proactive about protecting your brand from abuse by arming your business with the capability to take down attacks and social media impersonations, and monitor domains and search engine ads.

The more a company is trusted, the more it becomes a target for abuse through social media. Don’t lose customer loyalty and revenue by failing to properly defend your assets against fraudsters.

Related Posts

Is Your End-User Education Enough to Stop the Next Phishing Attack? Phishing is one of the oldest forms of digital fraud, and it shows no signs of going away anytime soon.
Video: See How Trickbot Works Trickbot has recently been making headlines, with a new version and new targets coming out almost every day.

Leave a Reply

Your email address will not be published. Required fields are marked *