What are social media countermeasures?

What are social media countermeasures?

As the guy who pretty much owns the #socialmediacountermeasures on Twitter, I figured it makes sense to give the term some proper definition beyond just 280 characters.

In short, social media countermeasures are those techniques – both automated and manual – of which social media services use when trying to detect, flag, and remove malicious content. And by malicious, I mean the actually harmful content created by scammers and other cyber criminals. Therefore, these countermeasures do not involve enforcing narratives, shadowbanning, or other forms of suppressing freedom of speech in the name of “fighting disinformation (1, 2)”.

The countermeasures these social media platforms use are, of course, a trade secret, and very little amount of information about them is publicly available. Keeping them that way is a competitive advantage and makes criminals’ lives harder. We can however deduce that all major platforms have long since evolved beyond using simple blacklist of words or URLs as means of detecting malicious content. Behavior analysis seems to be the area of focus these days, as the social media companies can hoover up massive amounts of usage data from real users and then build a model around that. This behavior model alone isn’t enough though, as it only gives us some sort of average, or an acceptable variance, of typical behavior, but it lacks context. Without context a model like that can still detect for example bot-driven copypaste spamming campaigns easily, but when a person writes (at least seemingly) manually messages aiming to scam or phish a specific individual, detecting becomes a lot harder.

That’s way I’ve seen criminals deploy automated tactics that simulate normal behavior, such as introducing a false delay before auto-answering a message or a tweet, or sometimes even creating fake conversations between bots, and in those “conversations” they happen to promote a scam service and so forth.

These could be called counter-countermeasures. It’s a forever cat-and-mouse game between defenders’ tools and attackers’ criminal-cunningness. This is the reason why while most of the spam messages, e.g. YouTube comments, will end up automatically in the “Held for review” folder (so countermeasures caught them), a few will evade detection and end up among the legitimate comments.

Recently I saw a very interesting malicious campaign in YouTube comments, utilizing stolen accounts and impressively contextual and real looking comments. I did however immediately recognize it for what it is, and this once again begs the question: how on earth it didn’t get detected by YouTube’s countermeasures, while it was so blatantly obvious to me? Unless you get a job working in YouTube’s countermeasures unit, you’ll never know.

I will make another blog post about that campaign though. It’s a very interesting example of using multiple layers of the site’s features in order to lure victims into a specific website. It’s a bit NSFW so I need to figure out first if I need to sanitize my screengrabs or not.

Finally, I’d like to remind everyone to report all scam messages. Reports do improve the detection rate in the future! I shared this tip also in November 2022 issue of F-Alert, the monthly threat report by F-Secure. Feel free to download the report and read my article about a curious Facebook scam targeting Page Admins.

Everyman’s Cyber Defence

Everyman’s Cyber Defence

The following is my translation of “Jokamiehen kyberpuolustus”, Everyman’s Cyber Defence, a short snippet from publicly available document #kyberpuolustus : kyberkäsikirja Puolustusvoimien henkilöstölle (2019) by Laari, Flyktman, Härmä, Timonen and Tuovinen. Source material is encrypted in Finnish and free to download from National Defence University of Finland’s website. I intend no copyright infringement and share this as cyber security awareness material for public interest.

Continue reading “Everyman’s Cyber Defence”

Social Media Countermeasures – Battling Long-Running Scams on YouTube, Facebook, Twitter and Instagram

Social Media Countermeasures – Battling Long-Running Scams on YouTube, Facebook, Twitter and Instagram

For the past few years, I’ve been documenting, screenshotting, and sharing examples of criminal campaigns on the three big social media platforms: Facebook, YouTube and Twitter. I’m not that interested in speculating whether or not something is fake content, falsely amplified by nation-state sponsored threat actors (i.e. coordinated inauthentic behavior), but instead I’ve been focusing on two (a lot less media-sexy) themes:

  1. low-tier criminals using these platforms to promote their services
  2. so called “support scams” targeting mainly Facebook page owners

What is common across these two is the fact that they keep getting through social media platforms’ automatic filtering. I call this filtering – the good-willed type, not the censorship type – social media countermeasures. A term I think I picked up from Destin who runs Smarter Every Day YouTube channel, but I haven’t really seen it used. In a nutshell, social media platforms are trying to create countermeasures to prevent malicious behavior on their platform, and at the same time cyber criminals are developing counter-countermeasures to bob and weave their way around detection and filtering. Sometimes these criminals simply operate in a grey area not covered explicitly by a platform’s Terms of Service, making developing effective countermeasures even harder. Let’s take a look at few examples.

Continue reading “Social Media Countermeasures – Battling Long-Running Scams on YouTube, Facebook, Twitter and Instagram”

Did Oura Ring Gen3 Address the Big Issues or Not? Let’s Have a Look.

Did Oura Ring Gen3 Address the Big Issues or Not? Let’s Have a Look.

My most popular article ever, Before You Buy an Oura Ring (a List of Missing Features), seems to be gathering a lot traffic since Gen3 Ring was launched. I figured it would be helpful to list those Gen2’s missing features and see if they have been fixed in Gen3. Here’s what I’ve learned after a few weeks of using the brand-new Oura ring.

Continue reading “Did Oura Ring Gen3 Address the Big Issues or Not? Let’s Have a Look.”

Oura Ring Gen3 Upgrade Offer FAQ (and Launch PR Fail)

Oura Ring Gen3 Upgrade Offer FAQ (and Launch PR Fail)

TL;DR
Current Gen2 ring customers will get “early access” (no idea what this means), 50€ discount, and a free lifetime Oura membership. To get these benefits, you must order the new ring within next 14 days through the link in the in-app pop-up message or related email you should’ve got from Oura. I didn’t receive that email, but apparently it should’ve been sent to all existing customers.

EDIT 1: There seems to be more than one type of offer for existing customers. A friend who bought Gen2 ring recently, got 100€ discount instead of 50€ discount offer. Rest of the offer is the same as the one I got.

Also, instead of receiving the “personalized offer” email, some have received an email saying that their personalized offer email is coming within the next 48 hours. So, an email about an upcoming email…  And I haven’t received either one those.

EDIT 2: Here’s my referral link for 50€ / $50 discount and 6 months of Oura Membership for free. This discount works for new customers as well!

FAQ

There’s still A LOT of questions up in the air for which Oura hasn’t provided official FAQ yet. EDIT 3: There’s now an official Oura Membership FAQ. Here’s the original FAQ I had put together from their social media comments:

Continue reading “Oura Ring Gen3 Upgrade Offer FAQ (and Launch PR Fail)”

What is Ransomware 3.0?

What is Ransomware 3.0?

I believe there’s a pretty clear consensus within the industry that ransomware should not be mistaken anymore to limit itself to just encrypting files and demanding payment for a decryption key. Dubbed by F-Secure “Ransomware 2.0”, now the standard practice for ransomware groups includes also stealing files from the target company in order to increase the leverage for ransom. Proper backups are an antidote to encrypted files but won’t help against the threat of stolen data being leaked.

Although this double extortion scheme has been the new modus operandi only since late 2019, cyber criminals are already looking for additional ways to apply pressure to their victims. This is where Ransomware 3.0 comes in.

Continue reading “What is Ransomware 3.0?”

The Curious Case of Automated Instagram Influencer Sponsorship Emails

The Curious Case of Automated Instagram Influencer Sponsorship Emails

If an email sounds too good to be true, we’ve learned to dismiss it as phishing or otherwise fraudulent, even if it managed to evade the email client’s junk filters. However, I’ve seen a rise of new type of automated emails that deserve a closer look, as they behave quite differently from your average spam. These emails are from seemingly legitimate businesses, targeting specific email addresses associated with Instagram Creator accounts, and offering some type of an influencer marketing deal.

Global influencer marketing spend is growing rapidly, and Instagram grabbed a lion share – 8 billion dollars – of it during 2020. So, it’s not out of the question for even smaller Creator accounts to get approached by (smaller) brands, but there’s definitely something fishy about the following emails. Let’s look at some examples.

Continue reading “The Curious Case of Automated Instagram Influencer Sponsorship Emails”

Cyber Security in Gaming – Extensive Show Notes for KOVA Podcast X F-Secure

Cyber Security in Gaming – Extensive Show Notes for KOVA Podcast X F-Secure

Recently I was invited to KOVA Esports podcast to talk about cyber security, online privacy and identity management from the perspective of gamers and gaming industry in general. Hosted by KOVA’s General Manager Timo Tarvainen and joined by their streamer Teemu “Spamned” Rissanen, we had a great one-hour long discussion. This post covers my own notes about the things we mentioned, source links included, and further expands on some of the topics. Links to the podcast episode can be found on the bottom of the page. Enjoy!

Continue reading “Cyber Security in Gaming – Extensive Show Notes for KOVA Podcast X F-Secure”

YouTube Channel Phishing, Part 2: The Enemy Evolves

YouTube Channel Phishing, Part 2: The Enemy Evolves

Last year I took a first look at a phishing campaign that was interestingly targeting YouTube channel owners’ email addresses. The aim of the campaign was to guide people to fake YouTube sign in page and phish their login credentials. Note, this did not target YouTube accounts in general, but actual channels. These were my main findings:

  • Despite being hilariously obvious, first four of these were not caught by ProtonMail’s spam filter
  • Out of several YouTube channels I manage, only one has been targeted
  • Same email was CC’d to others
  • Unclear where they have found my email address
  • Senders’ email service providers started as Russian. Little to no typosquatting involved.
  • After few iterations, phishing content seems to have reached its final form (for now)

The campaign came in a burst, stopping as suddenly as it had started. Now after a couple of months it has started again, and it’s time to re-examine what has changed.

Continue reading “YouTube Channel Phishing, Part 2: The Enemy Evolves”