Hackers. Bots. Trolls. Cybercriminals. We’ve all heard these terms used – sometimes interchangeably – to describe alleged perpetrators of cyberattacks and other malicious online activity. But as social media grows as the cyberattack vector of choice, it’s important for businesses to understand and recognize the differences so they can tell the real attackers from the benign accounts.
When Good Bots Go Bad
First, it’s important to understand that bots are not inherently bad. Many organizations use bots to automate social posts because it’s easier and requires less effort than having humans manually send tweets or post articles on LinkedIn. For example, many major news publications’ social accounts qualify as “bots” simply because of the sheer volume of content being
Bad actors use bots for the same reason many legitimate organizations use them – the fully automated entities usually run with scripts that allow them to post at volumes that would be impossible for a human. Some bot accounts are also programmed to pick up specific hashtags or other
Bad actors primarily take one of three different forms on social media. In addition to bots, there are trolls, which are human actors tasked with responding in a certain way or amplifying certain content, and hybrids, which are human actors using software to communicate through multiple accounts at the same time. This tactic may be used to avoid bot detection
So just how can you determine whether a bot qualifies as a bad actor? It’s not an exact science, but there are dozens of signatures that can be used to at least estimate the probability that an account is bad. Some of the most obvious indicators include the volume of content an account posts and how much or how little profile information is filled out. Those signatures can then be used to rank accounts across the following areas:
- Bot: Account posts at such a frequency and volume, among other factors, that it appears to be artificial.
- Malicious: The account’s posts include malicious content or show attempts to lure other users, including sharing links that are phishing attempts or spam.
- Suspicious: Posts exhibit characteristics that warrant further analysis, i.e., a variety of information suggests the account is not who it purports to be, so it is generally suspicious in nature.
- Disinformation: Posts contain content that is not factual or is known to be shared for misinformation purposes.
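One way to turn such signatures into a per-category ranking, as an added example that is not from the original article or any vendor's product. The weights, thresholds, field names, blocklist entry and sample accounts are all assumptions constructed for illustration; it shows a high-volume news feed scoring as a bot without scoring as malicious.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed placeholders (assumption): real lists would come from
# threat-intel and fact-checking feeds.
BLOCKLISTED_DOMAINS = {"login-verify.example"}
KNOWN_FALSE_CLAIMS = ("polls closed a day early",)
PROFILE_FIELDS = ("bio", "location", "avatar", "website")

@dataclass
class Account:
    handle: str
    posts: list                       # post texts seen in the observation window
    profile: dict = field(default_factory=dict)
    identity_verified: bool = True    # does the claimed identity check out?

def _links_to_blocklist(text):
    hosts = (urlparse(w).hostname for w in text.split() if w.startswith("http"))
    return any(h in BLOCKLISTED_DOMAINS for h in hosts)

def score(acct, window_hours=24, max_human_rate=2.0):
    """Return an independent 0..1 score for each of the four areas."""
    n = len(acct.posts)
    if n == 0:
        rate = dup = bad_links = false_claims = 0.0
    else:
        # Posting rate saturates at an assumed human ceiling (posts/hour).
        rate = min((n / window_hours) / max_human_rate, 1.0)
        dup = 1 - len(set(acct.posts)) / n          # share of repeated text
        bad_links = sum(map(_links_to_blocklist, acct.posts)) / n
        false_claims = sum(any(c in p.lower() for c in KNOWN_FALSE_CLAIMS)
                           for p in acct.posts) / n
    filled = sum(bool(acct.profile.get(f)) for f in PROFILE_FIELDS)
    empty = 1 - filled / len(PROFILE_FIELDS)
    return {
        "bot": round(0.7 * rate + 0.3 * dup, 2),
        "malicious": round(bad_links, 2),
        "suspicious": round(0.5 * empty + 0.5 * (not acct.identity_verified), 2),
        "disinformation": round(false_claims, 2),
    }

# Constructed sample accounts: an automated news feed and a phishing lure.
news = Account("@daily_news", [f"Story {i} https://news.example/{i}" for i in range(96)],
               {"bio": "News", "location": "NYC", "avatar": "a.png", "website": "news.example"})
lure = Account("@it_helpdesk", ["Reset now https://login-verify.example/r"] * 60,
               {"avatar": "logo.png"}, identity_verified=False)
```

Calling `score(news)` and `score(lure)` gives one dictionary per account; keeping the four scores separate is what lets an analyst triage on Malicious or Suspicious rather than on automation alone.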
Bad Actor Motives & Methodology
While the motivations of bad actors may differ – from stealing IP for financial gain to executing disinformation campaigns to influence election outcomes – it’s important to understand how they work. Lately, we have seen bad actors successfully exploit social media channels for social engineering attacks, and there is no sign they are slowing down. Whether it’s targeting an official corporate account or a personal employee account, the attack vector is growing because it gives bad actors a relatively easy, low-effort way to launch these attacks.
Social engineering schemes routinely target employees and executive-level staff, most often higher-ranking employees with access to a wealth of high-value data and business accounts. But they also reach what we call MVPs, or most-vulnerable people, who are mid-level employees with access to sensitive information, like HR and procurement
In addition to compromising employees, bad actors also use social media to research public information to target an account. Users routinely post personal information publicly on social media, like birth dates, anniversaries, and the names of children, which presents serious vulnerabilities to employees and businesses. Even if a specific employee is not the end target, bad actors use the information posted online to create a personalized phishing attack on someone else.
An attacker’s access to reliable personal information is one reason victims find it harder to recognize when they have been attacked, which is what makes personalized and spear-phishing attacks so successful. Bad actors can also quickly compromise employees and organizations because traditional security controls and firewalls do not extend to social accounts. That, compounded with the fact that there are billions of accounts on social networks, makes bad actors difficult to detect.
Whether your business relies on social media for communicating with customers and marketing or simply has employees who use social media channels in their personal life, identifying bad actors in real time is critical to every company’s security.
Otavio Freire, president and CTO at digital risk protection company SafeGuard Cyber