Phishing, the hacking technique that relies on unsuspecting users clicking malicious links, has just been handed a powerful new weapon. Researchers presenting at Black Hat have built a Twitter phishing tool that snared a victim almost two-thirds of the time, far above the conventional five-to-fifteen-percent open rate for spam tweets.
Named SNAP_R, the bot is the brainchild of Baltimore security firm ZeroFox and is billed as “the world’s first automated end to end spear phishing campaign generator for Twitter.” It is a data-driven menace, built as a proof of concept for the next generation of phishing mechanisms and unveiled at the recent Black Hat security conference. Its creators, John Seymour and Philip Tully of ZeroFox, describe the methods in a paper titled “Weaponizing data science for social engineering: Automated E2E spear phishing on Twitter,” and say the bot could be useful to scammers, penetration testers and staff recruiters alike.
“The model is trained using spear phishing pentesting data, and in order to make a clickthrough more likely, it is dynamically seeded with topics extracted from timeline posts of both the target and the users they retweet or follow,” the paper says.
Using machine learning, SNAP_R reads a victim’s tweets and those of their followers, then sends a tailored message that matches their interests. The message carries a shortened URL that leads the user to a malicious destination. Based on social engagement signals such as follower counts and retweets, the bot uses clustering to identify high-value targets. The company built the bot as an education and security assessment tool.
Twitter has become known as an incubator of phishing thanks to the prevalence of typos and shortened URLs, which make it hard for users to sniff out shady URL destinations. Spotting irrelevant content and poor grammar is the quickest way to detect malicious intent. The researchers say they published the tool in the name of awareness.