It’s getting harder for criminals to fake their way to social media fame.
Yes, people can still buy followers and engagement. But the process isn’t exactly simple. It’s more expensive and requires more skill.
Researchers at Cybersixgill recently examined the market for social media hacking on the dark web. While we found a thriving underground economy trafficking in “likes,” “views,” followers, and other inorganic engagement, we also found growing frustration on the part of the threat actor community. The tools they rely on have become obsolete, and there has been little to replace them.
Social media platforms like Instagram, Twitter, and Facebook have taken significant steps to crack down on inauthentic content. And while this makes it harder to hack profiles or build massive followings, our latest research reveals that skilled threat actors are finding new, more complex ways to beat the system. What has followed is a time-consuming cat-and-mouse game of new techniques that mix bots with real user engagement to develop large audiences over time.
In one post, a user who sold an account for $17,000 shared tips on how to repeat that success. He noted that advertisers valued accounts with engagement rates of between 10 and 15 percent. But purchasing too much engagement, say 18 percent, raised red flags for advertisers that the engagement wasn’t authentic.
Another post on how to make accounts appear authentic offered this advice: “use REAL accounts,” and “post good content.” The goal, however, wasn’t quite a recommendation to avoid bots altogether. Rather, it served as advice to use bots in moderation.
Which is to say that underground actors continue to use bots to drive up the value of social media accounts. But our research also turned up other uses. Threat actors have begun using “report bots” that attempt to get competing social media accounts banned.
Social media platforms know that users want authentic content. And to supply it, they’ve begun to verify accounts belonging to users with sufficient fame in real life that their name might inspire copycats.
That process has sparked a new service available on the dark web: people to help users get verified.
Though some services will verify accounts with as few as 2,500 followers, the platforms will conduct some research to determine if verification is warranted. The lengths that threat actors will go to in order to get an inauthentic account verified include creating “copycats” to make it appear that there is a legitimate base of people trying to impersonate the account, and forging activity to make it appear as if the account does business globally.
Hacking Into Accounts
Unauthorized access to social media accounts can be used to spy on exes, blackmail people, or simply bully and embarrass acquaintances. But the tools to obtain passwords aren’t always effective. Brute-force methods that use combinations of letters and numbers take too long and throw up too many red flags. The market for zero-day tools is filled with scams, suggesting that those interested in social media account takeover aren’t sophisticated actors who frequent dark web forums.
Many of them turn to the time-consuming tactic of social engineering, which tends to rely not on technical skills but on the ability to trick an unsuspecting target into divulging personal information or opening a file loaded with malware.
But social engineering techniques are becoming increasingly complex. What has arisen in this situation is a set of specialized actors that will attack someone for a fee, usually between $100 and $600.
The popularity of social media platforms drives threat actors to abuse them. But the vast majority of hacking is ignored in the popular press because of the pressing concerns over nation-state electioneering.
This new report shows that social media platforms are making headway against inauthentic behavior. At the same time, it shows that the market for social media hacking is robust. Users can only hope that the battle against bots is a winnable endeavor for social media companies. But users can also help protect themselves by using strong passwords and by exercising caution while clicking links.