Social and Messaging Sites
Social and Messaging sites are digital platforms that enable individuals to connect, communicate, and share content in real-time, forming massive global networks. In a cybersecurity context, these sites pose a colossal risk because they are the primary domain for social engineering, information warfare, and credential harvesting. They handle massive volumes of PII and private communication, making them persistent targets for phishing, account takeover (ATO), and the spread of malicious content.
General Social Media
These are broad-reach platforms used for general communication, content sharing, and community building, such as Facebook, Twitter, TikTok, and VK.
Cybersecurity Context:
Phishing and Account Takeover (ATO): Attackers routinely create fake profiles or compromise existing ones to send direct messages containing malicious links, impersonate friends, or direct users to fraudulent login pages to steal credentials. Facebook and VK are heavily targeted for ATO to facilitate scams or spread malware.
Disinformation and Influence Operations: Platforms such as Twitter, Yandex Zen Channel, and Wykop are central to information warfare. Threat actors create large networks of fake accounts to spread targeted disinformation about organizations, manipulate public opinion, or incite brand attacks.
Data Leakage and PII Exposure: A breach of a large platform (e.g., Tumblr, MySpace, OK) results in the mass release of PII, which is then used in credential stuffing attacks across other services. Users frequently post excessive PII (e.g., birth dates, location) on profiles like About.me or Ameblo.
Examples: An attacker uses a compromised Tagged or fotostrana.ru account to message a target, claiming they have been tagged in a compromising photo, which is actually a link to a keylogger. An employee posts a corporate event photo on Instagram (linked from ImgInn), inadvertently revealing security badges or network information in the background.
Live Streaming & Video
These sites focus on real-time and on-demand video content, enabling live interaction with viewers.
Cybersecurity Context:
Malicious Link Spamming: The chat and comment sections on live streaming platforms like Twitch and YouTube are high-velocity environments where attackers rapidly post malicious links to phishing sites, gambling scams, or malware downloads, often leveraging automated bots.
Malvertising: High-traffic video platforms like DailyMotion and YouTube are frequent targets. Attackers inject malicious advertisements that bypass platform filters, redirecting users to sites hosting exploit kits or ransomware.
Content ID and Copyright Scams: Attackers use false copyright claims on platforms like Vimeo and YouTube to extort content creators or gain access to their accounts.
Examples: A user watching a popular stream on Twitch clicks a link in the chat promising "free in-game currency," which redirects them to a fake login page that steals their Steam credentials. An advertiser's account on YouTube is compromised and used to push a video ad that contains a malicious redirect.
Photo & Image Sharing
These sites are dedicated to hosting, organizing, and distributing visual media, often with social interaction features.
Cybersecurity Context:
Malware Disguise (Steganography): Although rare, malicious code can be hidden within the metadata or data stream of seemingly benign image files on sites like Imgur or Flickr.
Embedded PII and Geolocation: Photos uploaded to sites like 500px, Smugmug, or Pbase often contain EXIF data, including geolocation, camera model, and timestamps, giving threat actors valuable PII for physical and cyber targeting.
Brand Attack and Copyright Fraud: Attacker profiles on design communities like DeviantART or stock sites like Shutterstock and Unsplash can be used to spread malicious content or commit fraud. Print-on-demand sites like Redbubble can be used to print and sell counterfeit or illicit products.
Examples: An attacker scrapes photos from an executive's Instagram or VSCO profile that were taken near the corporate office, extracting the exact GPS coordinates from the EXIF data to plan a physical security breach. A seemingly innocuous image shared via giphy.com is used as a tracking beacon to monitor a recipient's email opening behavior.
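The EXIF geolocation exposure described above, as an added defender-side check that is not part of the original page or of ThreatNG's product: it parses the TIFF/EXIF blob that follows the `Exif\0\0` marker in a JPEG's APP1 segment and reports the GPS coordinates a photo would reveal if uploaded as-is. `build_sample_exif` is a constructed sample blob so the check runs offline; the tag numbers (0x8825, GPS tags 1-4) are the standard EXIF values.

```python
import struct

def gps_from_exif(tiff: bytes):
    """Return (lat, lon) in decimal degrees if this TIFF/EXIF blob has a GPS IFD, else None."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte order from the TIFF header
    u16 = lambda off: struct.unpack_from(endian + "H", tiff, off)[0]
    u32 = lambda off: struct.unpack_from(endian + "I", tiff, off)[0]

    def entries(ifd_off):
        # Each IFD: u16 entry count, then 12-byte entries (tag, type, count, value-or-offset)
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    # IFD0 offset is stored at header bytes 4..8; tag 0x8825 in IFD0 points to the GPS IFD
    gps_ifd = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == 0x8825), None)
    if gps_ifd is None:
        return None
    gps = {}
    for tag, typ, count, v in entries(gps_ifd):
        if typ == 2:                                     # ASCII: stored inline if <= 4 bytes
            start = v if count <= 4 else u32(v)
            gps[tag] = tiff[start:start + count].rstrip(b"\0").decode()
        elif typ == 5:                                   # RATIONAL: u32 pairs at the offset
            off = u32(v)
            gps[tag] = [u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(count)]
    if 2 not in gps or 4 not in gps:                     # tag 2 = GPSLatitude, 4 = GPSLongitude
        return None

    def dms(vals, ref):                                  # degrees/minutes/seconds -> decimal
        d, m, s = vals
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg
    return dms(gps[2], gps.get(1, "N")), dms(gps[4], gps.get(3, "E"))


def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed little-endian TIFF blob (IFD0 -> GPS IFD); sample data, not a real photo."""
    entry = lambda tag, typ, count, val: struct.pack("<HHI", tag, typ, count) + val
    rats = lambda vals: b"".join(struct.pack("<II", int(v * 1000), 1000) for v in vals)
    gps_ifd = 8 + 2 + 12 + 4                             # IFD0 holds a single entry
    rat_off = gps_ifd + 2 + 4 * 12 + 4                   # GPS IFD holds four entries
    lat_b, lon_b = rats(lat_dms), rats(lon_dms)
    header = b"II*\0" + struct.pack("<I", 8)
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", gps_ifd)) + b"\0" * 4
    gps = (struct.pack("<H", 4)
           + entry(1, 2, 2, lat_ref.encode() + b"\0" * 3)
           + entry(2, 5, 3, struct.pack("<I", rat_off))
           + entry(3, 2, 2, lon_ref.encode() + b"\0" * 3)
           + entry(4, 5, 3, struct.pack("<I", rat_off + len(lat_b)))
           + b"\0" * 4)
    return header + ifd0 + gps + lat_b + lon_b
```

Running `gps_from_exif` over the APP1 payload of every image before it leaves the organization (or rejecting uploads that return coordinates) is the pre-publication control this section argues for.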
ThreatNG is a potent solution for managing the pervasive risks posed by Social and Messaging sites, which are the primary habitats for phishing, disinformation, and credential harvesting. ThreatNG focuses on continuous external surveillance to detect the abuse of these sites before it impacts an organization or its personnel.
External Discovery and Continuous Monitoring
ThreatNG’s External Discovery process serves as a continuous surveillance layer, automatically mapping an organization's exposure across the vast landscape of social media. Continuous Monitoring ensures that new threats or leaked information are identified instantly.
Dark Web Presence: This is the most crucial component. ThreatNG constantly monitors the Dark Web and high-risk forums for mentions of organizations and, critically, for Compromised Credentials. Breaches of large social platforms like Facebook, Twitter, Tumblr, or VK result in massive credential dumps. ThreatNG detects whether any employee's corporate email address appears in these dumps, flagging it as an immediate threat vector.
Archived Web Pages: ThreatNG searches archived content across the web for exposed documents, emails, and usernames. If an employee posted a photo of a whiteboard containing sensitive information to a site like Imgur or 500px, or if an old profile on LiveJournal or MySpace contained PII, ThreatNG’s index can still discover and flag the leaked Image Files, Txt Files, or User Names.
Technology Stack: ThreatNG identifies the technologies an organization uses, including Blogging/Microblogging and Media (Livestreaming) tools. Detecting the use of platforms like YouTube or Twitch helps prioritize the monitoring of these services for brand impersonation or malware links.
External Assessment for Social and Messaging Risks
ThreatNG's External Assessment scores quantify the risk of social media abuse, which is almost always related to phishing and brand attacks.
BEC & Phishing Susceptibility: This score directly measures the organization’s vulnerability to attacks originating from social channels.
Example 1 (Brand Impersonation): ThreatNG detects the creation of fraudulent accounts impersonating the organization on platforms like Instagram, TikTok, or Twitter. These profiles are used to run fake contests or post malicious links to phishing sites. ThreatNG flags this Brand Impersonation, which increases the organization's phishing susceptibility score and demands immediate platform-specific takedown requests.
Example 2 (Malicious Links): The assessment constantly scans comment sections, bios, and posts on high-traffic sites like YouTube, Reddit, and Twitch for links to Malicious Content or newly registered typosquatting domains. The discovery of a link in a popular YouTube video description that redirects to a credential harvesting site is flagged as a high-risk phishing vector.
Data Leak Susceptibility: This score is severely impacted by the discovery of compromised credentials. The finding of Associated Compromised Credentials from breaches of platforms like AskFM or Pinterest that match employee corporate emails immediately elevates this score, due to the high probability of password re-use leading to system compromise.
Investigation Modules and Username Exposure
The Investigation Modules are key to linking the high volume of public social activity back to specific internal security risks.
Social Media Investigation Module - Username Exposure
This module is essential for combating social engineering and identity theft that originates from the pervasive use of social and messaging sites.
Passive Reconnaissance: The module performs broad checks for usernames and handles of key personnel across a massive number of sites, including General Social Media and Photo & Image Sharing platforms. It identifies usernames on sites such as Tumblr, Tagged, DeviantArt, VK, and Twitter.
Example: ThreatNG discovers that an employee’s Twitch gaming handle matches their username for internal applications. Furthermore, the Username Exposure module confirms that this handle was included in a large credential dump from a LiveJournal breach. The module correlates high-risk credential reuse with site presence, prompting the security team to enforce strong password changes and MFA for the employee's internal accounts, neutralizing the risk of an attacker using the stolen password to gain internal access.
Intelligence Repositories and Reporting
ThreatNG's Intelligence Repositories provide the decisive context needed to prioritize the flood of threats originating from these public platforms.
DarCache Dark Web and DarCache Rupture (Compromised Credentials): These track breaches of social media platforms. A data dump containing millions of user credentials from a platform like Facebook or Ameblo is ingested. DarCache Rupture filters this data to flag all employee corporate email addresses found, classifying them as Associated Compromised Credentials and triggering an instant alert due to the imminent risk of account takeover.
DarCache Vulnerability (KEV, EPSS, PoC Exploits): This tracks threats embedded in these platforms. Suppose a new exploit is actively used in malvertising on high-traffic video sites like DailyMotion or YouTube. In that case, ThreatNG flags it as a Known Exploited Vulnerability (KEV), allowing the organization to patch the vulnerable software targeted by the malvertisement.
Reporting compiles all these external findings—from the discovery of an internal document in an archived Pinterest post to a credential on the Dark Web—into Prioritized reports. The MITRE ATT&CK Mapping correlates findings (e.g., Twitter impersonation) with adversary tactics such as "Initial Access" or "Influence."
ThreatNG with Complementary Solutions
ThreatNG's external intelligence from social and messaging sites can be shared with complementary security solutions.
Integration with an Email Security Gateway (ESG) Complementary Solution: ThreatNG's BEC & Phishing Susceptibility module detects a widespread campaign using links camouflaged by Imgur and redirects from Teletype to bypass email filters. ThreatNG shares the specific malicious redirect domains and link patterns with an ESG complementary solution. The ESG solution can then immediately create a custom rule to block all incoming emails containing those specific redirection domains, neutralizing the phishing threat before it reaches the end-user.
Integration with a Data Loss Prevention (DLP) Complementary Solution: ThreatNG's Archived Web Pages module discovers that an employee posted a high-resolution, internal schematic photo to their profile on Flickr or DeviantART. ThreatNG extracts the unique image signature and shares it with a DLP complementary solution. The DLP solution can then use this signature to automatically scan all internal endpoints and cloud drives to identify and quarantine the source file, preventing further unauthorized distribution.