Hackers, spammers and scam artists see social media as an opportunity to easily distribute their wares to massive audiences. We see it all the time in association with large brands. A single phishing or scam lure posted to a big brand can reach ten thousand potential victims. The same phenomena extends to current events like the World Series, the Super Bowl, natural disasters, holidays…. and major movie openings like Star Wars! We investigated the universe of social media accounts linked to Star Wars as well as the content posted to the main verified Star Wars social accounts during the weeks leading up to the opening. Sure enough, the bad guys could not resist the opportunity to profit from one of the most popular movie brands in history.
The Star Wars Universe – Both Sides of the Force
We started by scanning Facebook, Twitter, YouTube and Instagram using the Star Wars brand and found a whopping 985 accounts. The break down by social network is shown in Figure 1 to the right.
Of these accounts, only five percent (53 total) are verified authentic by Facebook and Twitter. The rest are a mix of the Social Force – both light and dark. On the Light Side are hundreds of fan pages, reviews, communities and even authorized but unverified brand pages. On the Dark Side are over 50 suspicious accounts (more than 5% of all accounts) with a more nefarious purpose.
Many Dark Side accounts revolve around offers for a free movie ahead of the December 18 release, but instead contain posts that lead to adware, spam scams, and other suspicious links. The Facebook page shown below represents one example.
Figure 1: Fraudulent Facebook Account Promising a Free Movie - but Delivering Adware
The page above includes the post below with an embedded link which ultimately uses more deception to install an adware. If a Chrome browser is detected, for example, a Chrome extension (NewtabTV(Gama) ) is installed that collects browsing data, redirects to sponsored Web pages, presents unwanted advertisements, slows the computer, and leads to junk mail, robocalls, etc.
Figure 2: Fraudulent Star Wars Post with Malware Link
The link leads to the following download page.
Figure 3: Malware Download linked to Fraudulent Facebook Page
The Dark Side Invades Official Star Wars Accounts
We looked at comments posted to official Star Wars accounts. Again, we see a mix of Light and Dark Sides of the Force. Over 15 million Star Wars fans are sharing their excitement over the big event. Unfortunately we also find adware, spam, and other suspicious link being sent to the massive Star Wars fan base. We identified over 87 such malicious posts in the last week alone. As observed with the fraudulent accounts described above, many posts promise free movie downloads but instead lead to malicious content. Here are a few examples….
Posts like these and the fraudulent account examples above illustrate how attackers use social media context to craft more effective lures. In this case, they present malicious links as a Star Wars movie download to an audience that’s specifically interested in Star Wars. A random email with a similar link would be far less effective because it would be received by targets out of context.
A Tough Moderation Challenge
Many branded social media accounts rely on manual moderation to try to keep their sites clear of malicious content. However, as brands like Star Wars become (wildly) successful, the numbers work against manual moderation. A single Star Wars post can attract thousands of comments in a single day. So the large audiences drawn to big social events not only increase the opportunity for attackers, they also decrease the likelihood of getting caught by moderators. The Social Wars favor the bad guys until brands find ways to implement automated social media security. Maybe they can use the Force (or Proofpoint social media security).