Check Point Email Security | Blog

Social Media Spoofing Gains Popularity with Hackers

Written by Jeremy Fuchs | October 28, 2021

For the first time this year, according to Check Point Research, social media was among the top three sectors to be imitated via phishing. In their quarterly list of the most frequently imitated brands, social networks like WhatsApp, LinkedIn and Facebook all appeared in the top ten. 

The full list is as follows:

1. Microsoft (29% of all attacks)

2. Amazon (13%)

3. DHL (9%)

4. Best Buy (8%)

5. Google (6%)

6. WhatsApp (3%)

7. Netflix (2.6%)

8. LinkedIn (2.5%)

9. PayPal (2.3%)

10. Facebook (2.2%)

LinkedIn is particularly interesting and has been the subject of numerous Avanan attack briefs. Recently, we wrote about how hackers have taken advantage of its URL-shortening policy. By default, LinkedIn automatically shortens any URL over 26 characters. Scammers have used that to hide phishing links.

Additionally, we uncovered an attack in 2020 where a spoofed LinkedIn notification email was used to direct users to a phishing link.

LinkedIn also has an incredibly high open rate for phishing emails, at 47%, according to an estimate. That makes sense, as end-users will often be interested in LinkedIn messages promising a valuable connection or a new job lead. 

In general, impersonation attacks often fool users. With Avanan, though, you are protected. 

Avanan uses the hundreds of thousands of data points it collects to perform impersonation analysis, scanning the sender and message content for impersonation. The algorithm looks for user impersonation, including whether a single sender exists in the organization with a different address. Avanan can do that by cross-referencing several fields, such as sender and signature.

To protect against domain impersonation attacks, Avanan checks whether the sender is sending from a domain that's similar to a known domain, but with a different mail-flow path. That's similar to the analysis we do for brand impersonation, where we detect if the mail-flow path doesn't fit the sender. That's bolstered by scanning files and email (inbound, outbound, and internal) for URLs, even if recursively embedded, and by actively following redirected links to measure domain risk and perform individual page analysis.
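The two checks described above (a known sender name arriving from a different address, and a similar or known domain whose mail-flow path does not fit) can be expressed as follows. This is an added example, not Avanan's algorithm or code from the original post; the directory, the known-domain table, the use of the Return-Path domain as a stand-in for the mail-flow path, the edit-distance threshold of 2, and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions, not from the page).
DIRECTORY = {"dana reyes": "dana.reyes@example.com"}   # display name -> real address
KNOWN_PATHS = {"example.com": "example.com",           # From domain -> expected
               "linkedin.com": "bounce.linkedin.com"}  # Return-Path domain

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower().rpartition("@")[2]

def findings(raw):
    """Return a list of (check, detail) tuples for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, path_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    out = []
    # User impersonation: a directory name arriving from a different address.
    real = DIRECTORY.get(name.strip().lower())
    if real and real != addr.lower():
        out.append(("user_impersonation", real))
    for known, expected_path in KNOWN_PATHS.items():
        near = from_dom != known and edit_distance(from_dom, known) <= 2
        # Similar (or identical) domain whose mail path does not fit it.
        if (near or from_dom == known) and path_dom != expected_path:
            out.append(("domain_impersonation" if near else "path_mismatch", known))
    return out

SAMPLES = {  # constructed messages, not real traffic
    "legit": 'From: "Dana Reyes" <dana.reyes@example.com>\n'
             'Return-Path: <dana.reyes@example.com>\n\nhi',
    "user": 'From: "Dana Reyes" <dana.reyes@mailbox.test>\n'
            'Return-Path: <dana.reyes@mailbox.test>\n\nhi',
    "lookalike": 'From: "LinkedIn" <notifications@linkedln.com>\n'
                 'Return-Path: <bounce@mailer.test>\n\nhi',
}
```

A production filter would draw the expected path from authenticated signals such as SPF and DKIM results and the Received chain rather than from the Return-Path header alone.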

Because hackers are so good at spoofing login pages to look like the real thing, Avanan uses dynamic analysis tools that simulate the action of the file or link in a sandbox environment. That means we can follow a URL and compare the rendered image to known login pages.

Hackers are betting that end-users will be distracted enough to click on links that look close enough to the real thing.

Often, that is the case. But anti-phishing technology that leverages AI to know when something is impersonated is an essential tool in your arsenal to stay protected.