From phishing to deep fakes: weaponising social media

Palo Alto Networks

By Sean Duca, VP and Regional Chief Security Officer, Japan & Asia Pacific
Tuesday, 18 July, 2023


With over 4.8 billion global users and the average Australian logging in to 6.1 platforms monthly, social media is part of our lives: how we work, socialise and stay entertained.

While connecting with others through social media has impacted us positively in many ways, it has also heightened the risk of a cyber attack for individuals and organisations. Social media increases an organisation’s attack surface by displaying information that threat actors can use to execute social engineering techniques or other methods to compromise systems and data. Technological advancements, including developments related to artificial intelligence, have only intensified these risks, providing cybercriminals with new ways to manoeuvre around a security team’s gaps.

As the threat of cybercrime continues to grow, understanding how today’s cybercriminals are weaponising social media to cause harm is critical, as we all have a role to play in managing a cyber threat. Here are three ways social media is putting individuals and organisations at risk.

Social media preys on psychological weakness

We’ve repeatedly seen that hackers can count on user behaviour to provide the openings they need to penetrate network defences. While some look to exploit unpatched vulnerabilities in a system or network, the most efficient way to target a business is through social engineering methods that manipulate users into breaching security policies and giving away information that leads to an attacker stealing data or launching an attack.

According to our 2022 Incident Response Report, attackers used phishing, a form of social engineering, 40% of the time to gain initial access to a system. By studying an employee’s social media profile, cybercriminals can develop a comprehensive profile of their victim, which they can use to launch a targeted attack. These attacks appeal to emotions such as fear, curiosity, urgency and greed and beckon unsuspecting employees to click on a link or attachment, ignoring basic cybersecurity hygiene. Our trends research shows 66% of malware is delivered through PDFs, so just one erroneous button click can lead to disastrous consequences, enabling malicious macros to infiltrate the system.

From catfishing to AI-cultivated deep fakes

Another risk associated with social media is that it involves people establishing connections without necessarily needing to verify authenticity. This requires a leap of faith, which threat actors can easily exploit. From identity theft to catfishing, cybercriminals use social media to capture information and content from unsuspecting victims, assume their identities and commit fraud.

But the breadth of ways impersonations or fake identities are used in security is growing. As technological advancements improve the quality, customisability and accessibility of artificial intelligence-enabled content creation, malicious actors are using this technology to exploit images and videos — often taken from social media platforms — manipulating them into content that can be used for extortion, harassment, misinformation and reputational damage.

When disseminated through social media, convincing fake content — deep fakes — can instantaneously reach millions. A video altered to make it appear as if a CEO was announcing that profits were down could impact a company’s stock price; similarly, a presidential candidate appearing to confess complicity in a crime could lead to an election disruption. Impersonators don’t necessarily need techniques as advanced as deep fakes to cause havoc, however, as we saw when a fake account for a US pharma company announced it would be distributing free insulin, causing the company’s stock to plummet.

Malware and ransomware infiltrate the social web

Alongside using social media for intelligence gathering and dissemination, cybercriminals share malicious links on social media directly. These links, harbouring anything from viruses and trojans to spyware and ransomware, help hackers access devices and networks to steal data and take control of systems.

Of these formats, ransomware is seeing alarming growth. Australian organisations were found to be the most severely publicly affected by ransomware in the region, accounting for 14% of the observed leaks in 2022.

As public interest in generative AI grows, malicious actors also use this to their advantage. Recent research found a 910% increase in monthly registrations for domains related to ChatGPT between November 2022 and April 2023; scammers are increasingly creating fake websites that closely resemble the official ChatGPT website to trick users into downloading malicious software or disclosing private information. These lures also spread malware across Facebook, Instagram and WhatsApp. Earlier this year, Meta’s security teams uncovered 10 malware families using ChatGPT (and similar themes) to deliver harmful software to users’ devices. In one instance, cybercriminals created malicious browser extensions available in official web stores that claim to offer ChatGPT-based tools, which were then promoted on social media and through sponsored search results to trick people into downloading malware.

Tackling social media-powered cybercrime

The above are just a few tools among a wide-ranging toolkit that cybercriminals are using to weaponise social media. And with the number of social media users predicted to grow to close to 6 billion by 2027, the risk that these platforms pose is unlikely to go away.

So what can organisations do to protect their employees? Embed cybersecurity education within the workplace curriculum and regularly test the effectiveness of that training. Many companies have incorporated measures like rewarding employees who spot phishing attempts and report them to the security ops team. We know the value these practices can have for promoting cyber safety.

On a company level, organisations should prioritise embedding a safety-first culture, with a plan in place to manage the certainty of a cyber incident. Business leaders should constantly identify, measure and evaluate risks and, where possible, limit access to sensitive information to need-to-know employees. Alongside building a robust defence plan, organisations should establish a social media policy that sets standards around the organisation’s online interactions, defines consequences for misuse of social media, and mandates cyber awareness training for those directly involved with content publishing.

Ultimately, everyone has the right to feel safe online. And with the threat of a cyber attack ever present in our personal and professional spaces, education is critical to ensuring our digital identities and business assets remain protected.
