social media

Hiding Malware in Social Media Buttons

Clever tactic:

This new malware was discovered by researchers at Dutch cyber-security company Sansec that focuses on defending e-commerce websites from digital skimming (also known as Magecart) attacks.

The payment skimmer pulls off its sleight of hand with a double payload structure: the source code of the script that steals customers’ credit card details is concealed inside a social sharing icon, loaded as an HTML ‘svg’ element whose ‘path’ element serves as the container.

The syntax for hiding the skimmer’s source code as a social media button perfectly mimics an ‘svg’ element named using social media platform names (e.g., facebook_full, twitter_full, instagram_full, youtube_full, pinterest_full, and google_full).

A separate decoder, deployed somewhere else on the e-commerce site’s server, is used to extract and execute the code of the hidden credit card stealer.

This tactic increases the chances of avoiding detection even if one of the two malware components is found: the loader is not necessarily stored in the same location as the skimmer payload, and the true purpose of either piece on its own can evade superficial analysis.
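The detection angle that follows from the description above is that a genuine SVG icon contains nothing but path geometry: a ‘d’ attribute made of drawing commands and numbers, and no text inside the ‘path’ element. The following audit script is an added example, not code from the original article or from Sansec; it walks an HTML document with Python’s standard-library parser and flags any ‘path’ that carries text content or non-geometry characters. The sample markup, the icon ids and the base64-looking blobs are constructed for the example and stand in for whatever a real page would contain.

```python
import re
from html.parser import HTMLParser

# Characters that legitimate SVG path data is made of: the drawing commands
# (M, L, H, V, C, S, Q, T, A, Z in either case), digits, signs, decimal points,
# exponents and separators. Anything else is not geometry.
PATH_DATA_RE = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9.,+\-eE\s]*$")

# Icon names reported in the article; used here only to label findings.
SOCIAL_ICON_NAMES = {"facebook_full", "twitter_full", "instagram_full",
                     "youtube_full", "pinterest_full", "google_full"}


class SvgPathAuditor(HTMLParser):
    """Records every <path> inside an <svg> that holds something other than geometry."""

    def __init__(self):
        super().__init__()
        self.svg_label = None   # id/class of the enclosing <svg>, if any
        self.in_path = False
        self.path_text = []
        self.findings = []      # (svg label, reason, looks like a social icon)

    def _report(self, reason):
        self.findings.append((self.svg_label, reason,
                              self.svg_label in SOCIAL_ICON_NAMES))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "svg":
            self.svg_label = attrs.get("id") or attrs.get("class") or "<unnamed>"
        elif tag == "path" and self.svg_label is not None:
            self.in_path = True
            self.path_text = []
            # Case 1: payload smuggled into the d attribute itself.
            if not PATH_DATA_RE.match(attrs.get("d", "")):
                self._report("non-geometry characters in d attribute")

    def handle_data(self, data):
        if self.in_path:
            self.path_text.append(data)

    def handle_endtag(self, tag):
        if tag == "path" and self.in_path:
            self.in_path = False
            # Case 2: payload stored as text content of the <path> container.
            if "".join(self.path_text).strip():
                self._report("text payload inside <path>")
        elif tag == "svg":
            self.svg_label = None


def audit_svg_buttons(html):
    """Return a list of (svg label, reason, is_social_icon) for suspicious <path> elements."""
    auditor = SvgPathAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: one clean icon, one with text hidden inside <path>,
# one with a non-geometry blob in the d attribute. The blobs are placeholders.
SAMPLE_HTML = """
<svg id="twitter_full" viewBox="0 0 24 24">
  <path d="M22 5.8c-.7.3-1.5.5-2.3.6.8-.5 1.4-1.3 1.7-2.2z"/>
</svg>
<svg id="facebook_full" viewBox="0 0 24 24">
  <path d="M14 8h3V4h-3c-2.8 0-5 2.2-5 5v2H6v4h3v8h4v-8h3l1-4h-4V9c0-.6.4-1 1-1z">
Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtcGF5bG9hZA==
  </path>
</svg>
<svg id="youtube_full" viewBox="0 0 24 24">
  <path d="ZGF0YS1pbi1kLWF0dHJpYnV0ZQ=="/>
</svg>
"""

if __name__ == "__main__":
    for label, reason, social in audit_svg_buttons(SAMPLE_HTML):
        print(f"{label}: {reason}" + (" (social icon name)" if social else ""))
```

The check is deliberately structural rather than signature-based: it does not try to decode or recognise any particular skimmer, only to notice that an icon carries data an icon has no reason to carry, which is exactly the property the double-payload trick relies on to look innocuous.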

Social media platforms leave 95% of reported fake accounts up, study finds

One hundred cardboard cutouts of Facebook founder and CEO Mark Zuckerberg stand outside the US Capitol in Washington, DC, April 10, 2018.

It’s no secret that every major social media platform is chock-full of bad actors, fake accounts, and bots. The big companies continually pledge to do a better job weeding out organized networks of fake accounts, but a new report confirms what many of us have long suspected: they’re pretty terrible at doing so.

The report comes this week from researchers with the NATO Strategic Communication Centre of Excellence (StratCom). Through the four-month period between May and August of this year, the research team conducted an experiment to see just how easy it is to buy your way into a network of fake accounts and how hard it is to get social media platforms to do anything about it.

The research team spent €300 (about $332) to purchase engagement on Facebook, Instagram, Twitter, and YouTube, the report (PDF) explains. That sum bought 3,520 comments, 25,750 likes, 20,000 views, and 5,100 followers. They then used those interactions to work backward to about 19,000 inauthentic accounts that were used for social media manipulation purposes.

About a month after buying all that engagement, the research team looked at the status of all those fake accounts and found that about 80 percent were still active. So they reported a sample selection of those accounts to the platforms as fraudulent. Then came the most damning statistic: three weeks after being reported as fake, 95 percent of the fake accounts were still active.

“Based on this experiment and several other studies we have conducted over the last two years, we assess that Facebook, Instagram, Twitter, and YouTube are still failing to adequately counter inauthentic behavior on their platforms,” the researchers concluded. “Self-regulation is not working.”

Too big to govern

The social media platforms are fighting a distinctly uphill battle. The scale of Facebook’s challenge, in particular, is enormous. The company boasts 2.2 billion daily users of its combined platforms. Broken down by platform, the original big blue Facebook app has about 2.45 billion monthly active users, and Instagram has more than one billion.

Facebook frequently posts status updates about “removing coordinated inauthentic behavior” from its services. Each of those updates, however, tends to snag between a few dozen and a few hundred accounts, pages, and groups, usually sponsored by foreign actors. That’s barely a drop in the bucket compared to the 19,000 fake accounts that one research study uncovered from a single $300 outlay, let alone the vast ocean of other fake accounts out there in the world.

The issue, however, is both serious and pressing. A majority of the accounts found in this study were engaged in commercial behavior rather than political troublemaking. But attempted foreign interference in both a crucial national election on the horizon in the UK this month and the high-stakes US federal election next year is all but guaranteed.

The Senate Intelligence Committee’s report (PDF) on social media interference in the 2016 US election is expansive and thorough. The committee determined Russia’s Internet Research Agency (IRA) used social media to “conduct an information warfare campaign designed to spread disinformation and societal division in the United States,” including targeted ads, fake news articles, and other tactics. The IRA used and uses several different platforms, the committee found, but its primary vectors are Facebook and Instagram.

Facebook has promised to crack down hard on coordinated inauthentic behavior heading into the 2020 US election, but its challenges with content moderation are by now legendary. Working conditions for the company’s legions of contract content moderators are terrible, as repeatedly reported—and it’s hard to imagine the number of humans you’d need to review literally trillions of pieces of content posted every day. Using software tools to recognize and block inauthentic actors is obviously the only way to capture it at any meaningful scale, but the development of those tools is clearly also still a work in progress.

Facebook, Twitter ban malicious SDK that removed member info

Policies and Standards Documentation

Stay on top with IT

Documentation plays a pivotal role in establishing any effective management system. It formalises objectives, strategies and processes, and it often acts as the adhesive binding the three components of an organisation: people, process and technology. In information security the importance of documentation grows with each passing day, as new regulations and frameworks demand detailed and comprehensive documentation to implement an information security programme effectively.

Policies form the backbone of any programme. In simple words, policies depict the intent and direction of senior management; they determine the entire strategy and course of action. Policies are top-level documents, approved by senior management, that guide the organisation in achieving its strategic goals. Information security policies (such as a data privacy policy, security policy, access control policy or encryption policy) demonstrate senior management’s commitment and set out the rules for the entire organisation. It is pivotal that security policies are written by experienced individuals with an in-depth understanding of the organisation’s objectives and of senior management’s intent.

Catching the phish

There are various tools for evaluating how prepared users are for phishing attacks. Users are tested with simulated phishing emails and phone calls to check their level of awareness.

A security-aware workforce will:

Awareness is key

Phishing is one of the major causes of massive breaches. It exploits human trust to obtain unauthorised information, install malware, bypass authentication mechanisms and steal sensitive data. Phishing is carried out by email or phone call: recipients are sent emails that carry a malicious attachment, link to fake websites, or are spoofed to look legitimate. If users are not properly trained to recognise phishing emails, they fall prey to attackers, and a single unaware employee can cause damage to the entire organisation by opening a door for the attacker.

Any business. Every solution.

If you’d like to work with us to help establish or improve your phishing awareness, please get in touch with us today. Or, whilst you’re here, why not have a look at our other services in this category?


IT are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227