Threat Actor using Social Media to Scam Credit Union Members

Recently, PhishLabs mitigated an attack using a fake social media page to steal the credentials of a credit union (CU) customer. The below demonstrates how the attack was executed.

The Scam

Initially, the threat actor sends the victim a text message from an unknown number claiming to be the CU. In the message, the threat actor invites the customer to "follow" their social media page. The page is fake, and uses trademarked material to impersonate the CU. It is likely that the threat actor is using SMS as the primary driver for traffic to the page.
Direct messages through the platform
Once the victim joins the page, the threat actor sends them direct messages acting as the CU. In the first message, they indicate the victim has won a prize and prompts them to reply once they are ready to claim it. When the victim engages with the actor, they are sent a shortened link to click on. While interacting with a shortened link on social media is not uncommon, its use in this example prevents the victim from identifying whether or not the destination is suspicious. 
It should be noted here that requiring the victim to join an “official” CU page before communicating with the victim adds credibility to the message. Additionally, the page itself will appear more legitimate to future victims as it accumulates members. 

Fake login page
Once the victim clicks on the link, they are redirected to a login page where they are prompted to register a new account. This will give the threat actor the victim’s email address and, if the victim’s behavior is similar to 65% of the population, potential access to a reused password. 
Fake page and link
After registering, they are redirected to a page that again abuses the CU’s logo. On the page they are told that in order to claim their prize they must click on another shortened link. At the time of mitigation, the link no longer resolved. 
In addition to providing their email address and created password, the victim has revealed they are likely a member of the CU by following the fake CU page. Also, if they have a publicly available profile, the threat actor has access to its information and may harvest that data for future attacks. 
The rapid sharing nature of social media means users are less careful with personal information than they might otherwise be when communicating through email, and this leaves them susceptible to attack. With more than half of the global population on social media, organizations using these platforms to build their brand presence and interact with customers often find their trademarked material used for malicious purposes. Profiles, posts, and tweets are vehicles for attacks, and impersonated brands can face instant, far-reaching, consequences. PhishLabs Social Media Protection proactively protects enterprises from threats on social media. 

Additional Resources:

Article Link: