The proliferation of social media and cloud-based tools in everyone’s business and personal lives means that an ever-increasing share of your inbox is filled with emails generated by these disparate platforms. In addition to emails from LinkedIn, Facebook, and Twitter, many people receive a steady stream of notifications from project management tools, file sharing platforms, and more.
This can be useful for productivity, but it also gives attackers a convenient channel for phishing and spear phishing emails that borrow the legitimacy of a third-party sender your users already trust.
“Facebook phishing” is a generic term for phishing and spear phishing attacks that leverage third-party email notifications from all kinds of social and productivity tools like:
- Social networks like Facebook (obviously), LinkedIn, and Twitter
- Cloud storage tools like Dropbox, Box, and Google Drive
- Project management tools like Trello, Basecamp, and Asana
These kinds of third-party senders can be particularly problematic because most conventional spam and phishing filters struggle to identify them. Those filters look at a relatively limited set of warning signs to flag a message as malicious. If there is no malware hosted behind a link (or no link at all), a standard filter that relies on fingerprinting known-bad content will see these messages as legitimate. This leaves your employees and executives highly exposed to a Facebook phishing attack.
How it Works
Some third-party attacks essentially take the form of a mass-phishing attack conducted via social media. While annoying, these mass attacks are usually contained relatively quickly.
Figure 1 – Phishing link included in a Twitter post.
The most damaging attack is a highly targeted approach to one of your executives or another employee with access to sensitive data. This type of “spear phishing” attack is very hard for standard email security filters to find or stop, because nothing in a single, hand-crafted message matches a known pattern.
The attacks come from two sources:
- A spoofed address, where the message appears to come from a trusted source such as Facebook or a cloud-based project or file management system but is actually sent from a forged sender address that the real service never used.
- A legitimate (and possibly highly familiar) account on one of these third-party services. The attackers may have gained access to the real user’s account via an earlier phishing scam, or otherwise found or guessed the user’s credentials. Many of these third-party passwords are reused or weak, and since the accounts are not governed by corporate IT, there is little corporate security can do to protect them.
Either way, most users are much more likely to respond to these requests than to an ordinary email, because the third-party system appears to be vouching for their authenticity.
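The two sources are not equally invisible to the receiving mail system. A forged sender address usually fails SPF or DKIM, or passes them for a domain that does not align with the visible From: address, while a message sent from a genuinely compromised account authenticates cleanly. As an added example (not Vade Secure’s product code and not taken from this page), the following Python reads the Authentication-Results header a receiving MTA stamps on a message and classifies it as a spoofed notification, an authenticated notification (which may still come from a hijacked account), or an unauthenticated sender. The two sample messages, the hypothetical list of known notification domains, and the simplified “last two labels” organizational-domain rule are all assumptions made for illustration; real DMARC alignment uses the Public Suffix List.

```python
"""Classify a third-party notification email as spoofed or authenticated
by checking SPF/DKIM results against the visible From: domain.

Everything below is an added illustration: the sample messages are
constructed, KNOWN_NOTIFIER_DOMAINS is a hypothetical allow-list, and
org_domain() is a simplification of DMARC relaxed alignment.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list of notification domains the organisation has
# seen legitimate traffic from; a real deployment would build this from
# its own mail logs.
KNOWN_NOTIFIER_DOMAINS = {"facebookmail.com", "linkedin.com", "dropbox.com", "trello.com"}


def parse_auth_results(header: str) -> dict:
    """Return {method: (result, domain)} from one Authentication-Results header.

    Handles the common shape 'authserv-id; spf=pass smtp.mailfrom=a@x.com; dkim=pass header.d=x.com'.
    """
    out = {}
    clauses = [c.strip() for c in header.split(";")]
    for clause in clauses[1:]:  # clauses[0] is the authserv-id (the MTA that ran the checks)
        clause = re.sub(r"\([^)]*\)", "", clause)  # drop free-text comments like '(sender IP is ...)'
        parts = clause.split()
        if not parts:
            continue
        method, _, result = parts[0].partition("=")
        props = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        domain = props.get("smtp.mailfrom") or props.get("header.d") or props.get("header.from") or ""
        if "@" in domain:  # smtp.mailfrom may carry a full address
            domain = domain.rsplit("@", 1)[1]
        out[method.lower()] = (result.lower(), domain.lower())
    return out


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (assumption, not PSL-based)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: the authenticated domain shares the From: organisational domain."""
    return bool(auth_domain) and org_domain(auth_domain) == org_domain(from_domain)


def classify(raw_message: str) -> dict:
    """Classify one RFC 5322 message based on its Authentication-Results header."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_domain = results.get("spf", ("none", ""))
    dkim_result, dkim_domain = results.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    authenticated = spf_ok or dkim_ok
    claims_notifier = org_domain(from_domain) in KNOWN_NOTIFIER_DOMAINS
    if claims_notifier and not authenticated:
        verdict = "spoofed-notification"   # source 1 from the text: forged sender address
    elif authenticated:
        verdict = "authenticated"          # source 2 is still possible: a hijacked real account
    else:
        verdict = "unauthenticated"
    return {"from_domain": from_domain, "spf": spf_ok, "dkim": dkim_ok, "verdict": verdict}


# Constructed sample 1: claims to be Facebook, but SPF fails for an unrelated bounce domain.
SPOOFED = """From: "Facebook" <notification@facebookmail.com>
To: employee@example.com
Subject: John tagged you in a post
Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=bounce@facebookmail-alerts.com; dkim=none
Content-Type: text/plain

John wants you to help plan Mary's birthday. Sign up here.
"""

# Constructed sample 2: SPF and DKIM pass for the same organisational domain as From:.
AUTHENTICATED = """From: "Facebook" <notification@facebookmail.com>
To: employee@example.com
Subject: John commented on your photo
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@facebookmail.com; dkim=pass header.d=facebookmail.com
Content-Type: text/plain

John commented on your photo.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("authenticated", AUTHENTICATED)):
        print(name, classify(sample))
```

The useful operational point is the second verdict: an “authenticated” notification is exactly what a compromised real account produces, so passing SPF and DKIM rules out only the forgery case and leaves content-level checks (who is asking for what, and where the link goes) to catch the hijacked-account case.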
Once the attacker has started a conversation and established a level of trust, they can begin the attack in earnest by asking for credentials, moving the conversation to another less-policed venue, or directing the victim to a one-off booby-trapped URL.
At this point, the attacker has a foothold, and your network and files are at real risk of compromise.
Take a Facebook email that one of your employees receives that appears to come from a friend “John” as an example. Whether the attackers have actually hacked John’s account or are just spoofing it doesn’t matter at this point, because the recipient believes it is from “John”. The email asks your employee to register on a website to organize a birthday party for a mutual friend of your employee and John, “Mary”. As usual, new users of this “birthday planning tool” are required to set up an account, and as usual, your employee enters their email address and their standard password. Now the attackers can try that “standard” password against your network and SaaS services. You’ve been pwned.
The worst part is:
- Traditional email security and spam filters were never triggered.
- Virus protection was useless as no viruses are needed for this attack to succeed.
- Web filtering software is unable to catch a well-constructed, time-bombed, one-off booby-trapped URL: a link that serves harmless content when a scanner first visits it and only switches to the malicious page later, or that works for a single visit.
So not only is your network compromised, but you probably don’t even realize it.
Spear phishing attacks like the one described above underline the importance of not relying on traditional spam, virus, and malware protections for network security. Rote pattern recognition will not succeed in the face of such rapidly evolving attack vectors.
A specific anti-phishing solution is needed to bolster your existing network defenses. You need a solution that can recognize the unique traits of both mass phishing emails and more targeted “one-off” spear-phishing attacks, whether they arrive over traditional email or behind the veil of third parties like Twitter and Facebook.
Luckily, we’ve developed such a solution. Vade Secure employs heuristic analysis to spot even the sneakiest phishing emails. Our solution has been trained to detect suspicious emails based on an analysis of hundreds of millions of emails over a ten-year period. The resulting artificial intelligence is so clever that it can protect your employees even when the threat is hidden inside an otherwise legitimate third-party notification.
Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.