The Phishing Shame Game: Attackers Scare Victims to Steal Social Media Credentials

Phishing is the commonly seen cybersecurity attack where scammers send malicious messages to unsuspecting victims with the goal of stealing some sort of information from them or infecting them with malware. The attackers pose as legitimate, reputable companies or entities to try and effectively trick individuals. This traditionally has been in the format of an email scam sent with an urgent request for fear of some sort of repercussions, but in recent years, phishing has evolved and scammers utilize many means to target their victims. One of the most common new methods for delivering these phishing scams is through social media.

A new social media phishing scam shames victims into handing over their account credentials for sites such as Twitter and Discord, a VoIP and instant messaging platform.

The Twitter scam utilized the site's direct message feature; specifically, the attackers would direct message individuals that their account had been flagged for using hate speech. This message goes on to request the user to authenticate the account in order to avoid their account being suspended for use of the alleged hate speech. The message includes a link to a fake help page which asks for the credentials to be reentered in order to do the authentication needed to resolve the false hate speech issue. This is a commonly seen feature of the classic email phishing scam where the scammers claim that there is some sort of issue with your legitimate account with this company, so they ask you to simply reenter the login credentials to verify your identity. If you ever receive a message via any means of communication which asks you to click on a link, do not click that link. If you believe the request may be legitimate, instead of clicking on the link, type in the website URL yourself so that you can be sure that you are not navigating to a false homepage, like we saw in this scam.

The phishing scam affecting the messaging app, Discord, sent users a massage that accused the recipient of sending explicit photos that are available on a server. The message includes a link to prove that the pictures are in fact on the server, but of course, as we saw with the Twitter scam, this is not going to take them to a legitimate server. If someone did click the link and fell for the scam, they were asked to login via a QR code which leads to the account being taken over by the hackers perpetrating the attack. This particular scam is very vicious because not only is the victim now unable to access their account, but all of their friends on the site are sent the same scam, with it appearing to come from the infected user.

Both of these attacks capitalized on people's fears which causes the brain to panic and results in people acting quickly to try and resolve the alleged issue. If you receive a message like this on social media or elsewhere, be sure to take a moment, check the sender and see if they are legitimate. If it is a scam appearing to come from a person you know, be sure to reach out to them via another means of communicating (text, email, phone call, etc.) and ask if they meant to send that to you. If you have no other way to contact the sender, take a second to Google the social media platform and the type of scam you are seeing to see if this is something that has been reported (for example, Twitter hate speech scam or Discord explicit photos scam). Phishing scams are often easily identifiable because they request quick action for fear of retaliation, demand you to click on a link in that specific message, and they try to invoke fear. Try to stay calm and use logic, not emotion, when it comes to dealing with a phishing attack.

Image by pikisuperstar for Freepik.