Endpoint security provider Avast has warned of stranger danger on social media. Such warnings are nothing new. There have been several campaigns aimed at both adults and children about this issue.
Even before social media became a thing, rock bands such as Dio were warning of stranger danger with lyrics such as: “Don’t talk to strangers, ’cause they’re only there to do you harm.”
This latest warning from Avast deals with a cyberattack on a customer that started with strange messages in Facebook. According to the blog: “The messages came from fake Facebook profiles belonging to attractive, but fictitious women. These women encouraged him to download another chat application to continue their conversations.”
Such fake Facebook messages are commonplace. The problem is when curious, bored or lonely members of staff respond to them.
Tempting Cedar Spyware
The attack targets victims that use Android devices. They are told to download a messenger app which turns out to be a fake version of the Kik Messenger app. This is an app which has been around for several years and has an established user base. To get victims to download the app they are directed to a website setup by the hackers. This site, claims Avast, is a convincing copy of the real Kik Messenger app website.
To download the software the victims had to make changes to their personal devices. This meant that the app was not downloaded through an official app store but direct from the hackers website. This should have been an immediate red flag to users but according to Avast, it was not. While they have no stats on how many avoided infection at this point, they have said that the attack caught a number of victims.
The fake Kik Messenger app has the Tempting Cedar Spyware built into it. When Avast investigated the code, they found similarities with other fake messenger and reader apps.
Tempting Cedar Spyware is designed to steal contacts, call logs, SMS, and photos, as well as device information, like geolocation. It was also able to record conversations that the victims had while their phone was within range.
A threat to company and personal data
This is where this attack becomes a serious danger to enterprises. Bring Your Own Device (BYOD) means that users are increasingly using their own technology. When they download spyware such as this it means that it has access to their personal and business data. It also allows the hackers to listen in on business meetings.
Interestingly the source of the malware was traced to Lebanon. The majority of infections that Avast has traced were in the Middle East and North Africa. Given the geopolitical situation at the moment, this points to groups associated with one regional power.
What does this mean?
The key takeaway from this is that bored or curious staff will click on things that should always be red flags. What is not known here is the age range of the victims. Were they young victims who are socially predisposed to widen their social networks? A younger victim profile might also explain why they were so willing to bypass device security by downloading direct from the fake website. One of the risks is victims being persuaded to take photos or videos that can be embarrassing. In this region (MIddle East), such attacks are coupled with blackmail and have been effective in the past.
It is also possible the target audience were older victims who would see the social media phishing messages as interesting.
Avast was able to show that the three fake accounts interacted. This may also have helped fool victims into believing it was more than just a hacking attack.
Organisations, be they businesses, schools or universities, need to do more to educate users. Showing people how to validate the images used on accounts to see if they are real is easy. It is also important that users understand the risk of downloading mobile software outside of app stores. Unless better education of users takes place, attacks like this will continue to spread increasing the risk to businesses.