Researcher-created Twitter bot phishes two out of three users

Phishing, the technique of tricking users into clicking malicious links, just got a powerful new weapon. Black Hat researchers have created a Twitter bot that reads your tweets and sends you a message catered to your interests — along with a shortened URL leading to a malicious destination.

Baltimore security firm ZeroFox made the SNAP_R bot as a proof-of-concept for the next generation of phishing techniques, explaining its methods in a paper released at the recent Black Hat security conference. It uses machine learning to churn through a victim's tweets and those of their followers, then sends a dynamic message relevant to their interests. It uses clustering to identify high-value targets based on social engagement, such as follower counts and retweets, and measures the bot's success by tracking clickthrough rates. In summary, the researchers claim it to be "the world's first automated end-to-end spear phishing campaign generator for Twitter."

The ZeroFox team created SNAP_R as an education and security assessment tool: like many firms, they are often hired to attack clients using the cutting-edge methods that real attackers would use. Machine learning is usually applied defensively, so this method is one of the first to turn it around and use it against victims in the targeted "spear" phishing style of attack.

Since links in tweets are automatically shortened, users largely aren't able to inspect a URL's true destination, so spotting poor grammar or irrelevant content is the quickest way to detect malicious intent. Tailoring messages to the recipient is a clever way to avoid arousing a victim's suspicion and ultimately get them to click links they would otherwise be too cautious to follow. Britain's GCHQ intelligence agency exploited this technique when it used its own innocuous-looking URL shortener to track activists and spread pro-revolutionary messages during the Arab Spring and Iranian uprisings. That ZeroFox tricked an unbelievable two-thirds of victims into clicking links, far higher than the five to 15 percent success rate of conventional phishing methods, is evidence of a serious weakness in social network users' security behaviors.

Source: The Register

Source: Engadget - Read the full article here

Author: Daily Tech Whip
