Phishing is big business for attackers, and being able to craft the right message to a target is a valuable skill. Social networks are great resources for potential attackers, both to learn about a target victim and to deploy a phishing message that will be clicked.
At the recent Black Hat USA conference, researchers from security firm ZeroFox detailed their research using neural networking skills to build an automated spear phishing capability that goes after Twitter users. ZeroFox Senior Data Scientist Phil Tully earned a Ph.D. in neural networks by doing research to understand how patterns and spikes could be simulated in software to model and describe how networks and neurons store memories.
In an interview with eSecurityPlanet, Tully noted that he’s often asked by former colleagues why he’s working at ZeroFox on IT security. He explained that fundamentally understanding the neural network of the human body is somewhat similar to understanding an artificial environment like IT.
“In the same way that our eyes, ears and nose receive different stimuli on a millisecond basis and then make sense of it for conscious thought and memory, the way the ZeroFox platform also works on a second-by-second basis,” Tully said. “With the scale of Twitter for example, our platform is able to monitor social networks and is able to distill the large amount of posts into actionable information.”
That actionable information could include data on potential phishing links and fraud, which leads to the research with a new tool dubbed SNAP_R (Social Network Automated Phishing with Reconnaissance). Most attacks to date on social media including Twitter have largely been low-effort phishing attempts that have low-success rates. Rather than using this scattershot approach, the SNAP_R tool starts with an automated target discovery capability, said John Seymour, a data scientist at ZeroFox.
The output of the discovery is that a number of different Twitter users can be targeted with tweets that contain the target’s username, so it’s more likely targets will click on them. The targeted tweet is also appended with a shortened URL. The SNAP_R tool can be used to grab usernames that follow or post to a certain hashtag, for example #infosec. The algorithm will then be able extract information from the user’s Twitter account, including the user’s biography, posting frequency and how many followers they have.
“Our tool will help select users that we then deem to be high-value targets,” Tully explained. “SNAP_R then relies on a neural network to generate a tweet out to the high-value user.”
The neural network uses what is known as an LSTM, which is an acronym of Long, Short-Term Memory. The ZeroFox LSTM neural network was pre-trained with several million tweets, so it could produce Twitter messages that seem authentic.
SNAP_R can go to a target victim’s timeline, extract information and then select a topic that is important to the victim. The system is also able to understand what time of day the user is most active. The LSTM neural network is loaded with information on the given topic, and SNAP_R is able to tweet a relevant message to the target at a time when the target is typically active.
The SNAP_R system is able to target thousands of users at a time. As part of the research, the appended links were benign and not malicious. In one experiment, ZeroFox researchers sent out 90 phishing posts to people that had posted on Twitter using the hashtag #cat. After two hours, the SNAP_R-generated link had a 17 percent clickthrough rate, which grew to 66 percent after two days.
“People make a split second judgment whether to click a link,” Seymour said. “If I see a post, with a profile picture, posting on a topic that I engage with frequently and it seems to be legitimate, my initial reaction is to trust it.”
Seymour added that the goal of the research is help bring awareness to the issue of social engineering on social networks.