Facebook Hoaxes

Image shows the rule "Don't precede a conjunctive adverb (like "however") with a comma." It has three examples: the wrong comma-first method, then correct "period, new sentence, comma" and "semicolon then comma" methods.
(Yes, middle school English classes are useful in debunking phishing and hoax messages!)

Anatomy of a Phishing Attack V

Today I saw a friend copy and paste a Facebook post claiming that (once again) FB was going to start charging everyone’s account. I thought I’d take a moment to talk about the content (bait), what they want you to do (hook), and what they hope to get out of it (reel).

The Bait

The post at first glance appears to be urgent, local, and specific. It suggests that the platform is going to start charging for regular service. On a deeper look, this appearance falls apart.

The Hook

The cyber actor hopes you react emotionally to the post instead of thinking about it. By reacting emotionally, you’d do what they ask and spread the disinformation to new areas. Thankfully, there are no bad links or obvious monetization in this type of post, but it could be used like a weight in fishing: it trolls the bottom of the lake or river, stirring up fish that then notice a different piece of bait.

The Reel

The first goal is to spread the message in order to make a follow-up phishing or fraud attack more likely to succeed. If the post gets spread enough, people will start to hear the same piece of information from what seems like multiple sources, thus making it “sound more true” even though it isn’t. Later on, someone might get an email from “facebook-payments dot com” or another similar-looking domain requesting your credit card to stay on FB. As a MITRE technique, I believe this fits best with Resource Development | Stage Capabilities.

Another goal is mistrust of the social media platform it is on. They play to people’s fears, which will both make you distrust factual posts and possibly make you leave the platform, driving you into further isolation.

A not-so-obvious goal is to identify people who will believe and share this kind of hoax. This is more difficult with an unshared post, but not impossible.

Some of the spelling and grammar errors may have been made on purpose. The cyber actor can then search on the “misspelled” phrase to get a list of posts visible to them. On a platform like Facebook, such searches have limited value – most people post by default to their “friends,” but occasionally, someone sends this post into a public group they’re in. On a platform like Twitter, everything you write is visible to all.

The cyber actors use this information to target these accounts with more disinformation, account cloning, or phishing attempts to gain control of the account itself. As far as MITRE goes, this is closest to Reconnaissance | Gather Victim Identity Information.

The Catch

Facebook and most social media already offer a paid account option. Your account’s psychological profile – who you are, what you click through on in the app, what you post – IS their primary commodity. Advertisers pay social media more for the ability to target their wares to people more likely to buy their goods and services.

With something like this, it’s better to nip it in the bud. Direct message your friend to let them know; this allows them to save face. Or kindly point out the flaws in the post (see below) as a comment, as other people likely have already seen it. Unless the account shows other signs of compromise, it’s not good to report your friend. The platforms tend to make it really difficult for folks to recover a blocked account, which leads folks to create second accounts.

Anatomy of the Attack

The Post

“Opting Out!
So now they are doing it, just announced on Channel 4 News. (1) Facebook is charging all users starting Monday. (2) You can do a opt-out by this. (3) Hold your finger over this message and copy (4), it can’t be a shared. (5) I do not give permission for Facebook to charge $4.99 a month to my account (6), also; (7) all my pictures are the property of mine (8) and NOT Facebooks!!! Opt-out!”

The Clues

  1. “Channel 4 News” is an illusion of being specific and local. In reality, this is different for every media market. My local area doesn’t have a native “channel 4!”
    • Examples include: ABC (Charleston, NC), CBS (Denver, CO), NBC (Milwaukee, WI), FOX (Dallas/Ft. Worth, TX), or BBC’s Channel 4 (UK).
    • Cable companies originally assigned the old UHF channels to empty spots, so all local TV was in the first 15 spots.
  2. Ask yourself, “Which Monday?” This is another illusion, but about time. When you read this, your brain fills in “this upcoming Monday” – a deadline to make you react quickly. The lack of a date allows this hoax to linger, as it is evergreen every 7 days.
  3. “…by this” is not an American phrase. We’d use “by doing this”… no, we wouldn’t. We’d put the direction first in the sentence. “Follow these steps to…”
  4. Two reasons for not sharing the original post.
    • If the social media platform takes down the original, then everything linking to it suddenly has a “we cannot find the media linked here” box. Copying and pasting propagates the message, making it harder to clean up.
    • A shared post identifies the original source. This cyber actor wants to be anonymous.
  5. “…be a shared” is another grammatical mistake in English. I’m not aware of any terms that would mean ‘a shareable post’ in English. If there is one, then that would give a clue to the native language of the original poster (the cyber actor). Thus, I think this is more a purposeful mistake, a phrase that can be searched on later to determine spread.
  6. See To Ve(rify) or Not to Ve(rify) to understand that the social platforms already have a monetized option.
  7. “, also;” – This conjunctive adverb has its punctuation backwards. The semicolon comes first. Pic below from Grammar-Monster.
  8. “Property of mine” – This is an error in translation; the cyber actor picked the correct words, but they are listed in the order of their native tongue. Someone with a better knowledge of other languages should be able to guess which language uses (noun of mine) instead of (my noun).
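
The clues above can be turned into a rough triage check for copy-and-paste chain posts. This is an added example, not part of the original post: the indicator names, regular expressions and the benign comparison post are assumptions, chosen to mirror clues 1, 2, 4, 5 and 7, and the hoax sample is the post quoted above with the clue numbers removed.

```python
import re

# Indicator names and patterns are illustrative assumptions mirroring the
# numbered clues; they are not a vetted detection rule set.
INDICATORS = {
    # Clue 1: a "Channel N News" source with no station, city or link
    "vague_source": re.compile(r"\bchannel\s+\d+\s+news\b", re.I),
    # Clue 2: a weekday deadline with no calendar date after it
    "undated_deadline": re.compile(
        r"\b(?:starting|by|on|this)\s+(?:mon|tues|wednes|thurs|fri|satur|sun)day\b"
        r"(?!,?\s+(?:\d|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec))", re.I),
    # Clue 4: tells the reader to copy and paste instead of sharing
    "copy_not_share": re.compile(
        r"\bcopy\b.{0,80}\b(?:can'?t|cannot|don'?t|do not)\b.{0,20}\bshare",
        re.I | re.S),
    # Clue 7: conjunctive adverb punctuated backwards, e.g. ", also;"
    "reversed_adverb_punct": re.compile(
        r",\s*(?:also|however|therefore|moreover)\s*;", re.I),
}

# Clue 5: odd phrasing that doubles as a search marker for tracking spread.
MARKER_PHRASES = ("can't be a shared", "do a opt-out by this")

# The post quoted above, with the clue numbers removed.
SAMPLE_HOAX = (
    "Opting Out! So now they are doing it, just announced on Channel 4 News. "
    "Facebook is charging all users starting Monday. You can do a opt-out by "
    "this. Hold your finger over this message and copy, it can\u2019t be a "
    "shared. I do not give permission for Facebook to charge $4.99 a month to "
    "my account, also; all my pictures are the property of mine and NOT "
    "Facebooks!!! Opt-out!"
)
# Constructed benign post for comparison.
SAMPLE_BENIGN = ("Our neighborhood group moves to a new page on Monday, "
                 "June 3. Please share this post with anyone who needs it.")

def triage(post):
    """Return the sorted names of the hoax indicators that fire on a post."""
    # Fold curly apostrophes so pasted text matches the ASCII patterns.
    text = post.replace("\u2019", "'")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if any(phrase in text.lower() for phrase in MARKER_PHRASES):
        hits.append("marker_phrase")
    return sorted(hits)

if __name__ == "__main__":
    for label, post in (("hoax", SAMPLE_HOAX), ("benign", SAMPLE_BENIGN)):
        print(label, triage(post))
```

A post that trips several indicators at once is worth a second look before anyone copies it onward; a single hit on its own says little.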
