No, I still won’t accept your LinkedIn invitation.

I made the above statement on LinkedIn once my invitation queue hit 40, and you could say it went a bit viral. That wasn’t surprising, but what was surprising was the reaction from some people who (based on their job titles) were either in tech or even in cybersecurity.

LinkedIn IS used for recon. It is used for phishing. It is used for creating sockpuppets and spreading fake networks. Accounts are taken over, ransomed, or otherwise used to further malicious intent. All of this is well-known and easily verifiable with a quick search.

Yet these professionals essentially all get stuck on “if your profile is public (even partly), then not accepting invites doesn’t increase your OPSEC.”

My brother in Christ, OPSEC is not a constant state, nor is it the end-all-be-all. If nothing else, I don’t want to be the guy who accepted the shady invitation from an account that was later used to contact and phish our CEO.

On top of everything, since I published that original post, we’ve learned that Topline has basically scraped all LinkedIn user data (or repackaged a lot of older scraped data) and is using it to sell their service. In October, LinkedIn also sued ProAPI for scraping legitimate data through more than a million fake accounts.

So once again, I’ll remind everyone: everything you do on LinkedIn publicly will get scraped. Everything you do on LinkedIn privately will get used to train their AI LLM.

LinkedIn is brainrot, and joke’s on me for having a profile. The only winning move is not to play.

X is the Signal

X is not like other platforms. It’s not even close. It’s the signal in a collapsing system of noise, and that’s exactly what people outside it don’t understand.

As a tech product, Twitter never was particularly remarkable. It could largely attribute its success to the fact that it was so early in the game. Sure, it was (and X still is) the only “direct line” to world leaders from the Vatican to the White House, and you could already see certain crowds, like journalists and the tech community, gathering there. However, the signal-to-noise ratio was abysmally low from the get-go, and the legacy 140-character format (imposed by the SMS protocol’s limit) didn’t help.

The company got bloated. Innovation died. It got ravaged by the parasitic ideology that swept across most of Silicon Valley in the 2010s. The so-called “Verification” system was based on the whims of the ideologues, where blue checkmarks were given and taken away for reasons we can only guess, all the while regular users got shadowbanned or worse. At least now we know (thanks to the #TwitterFiles) that the latter happened at least partly under US government pressure, and to his credit, being a cog in the censorship industrial complex wasn’t something that the founder Jack Dorsey was particularly happy with.

But the platform was still worth saving. Twitter had never made any money, and everyone knew it was a bad business deal for Musk. He himself said the primary reason for the purchase was to make sure there’s at least one bastion of free speech among the popular social media platforms. As Bret Weinstein says, zero is a special number. If even one platform (or university, newsroom, science journal…) allows truth-seekers to speak freely, the establishment can’t own the entire Overton window.

Joe Rogan said it bluntly: “Elon may have very well saved humanity in some way.”

That might sound dramatic, but I bet the impacts of the $44B deal will be studied by historians. It was a fork in the timeline, for sure.

Continue reading “X is the Signal”

Zuckerberg revealed details about Meta’s countermeasures on the Joe Rogan podcast

As someone who has been studying social media countermeasures and the way cybercriminals evade them for several years now, I always find it fascinating when these companies openly discuss their strategies. Of course, the technical details of these countermeasures remain closely guarded secrets—”it’s an adversarial space” as Zuckerberg aptly described—but it’s good to hear confirmation about the overarching principles behind detecting and addressing inauthentic content.

Here’s a transcript of Mark Zuckerberg’s latest appearance on the Joe Rogan Experience podcast, episode #2255, January 10, 2025:

Continue reading “Zuckerberg revealed details about Meta’s countermeasures on the Joe Rogan podcast”

What are social media countermeasures?

As the guy who pretty much owns the #socialmediacountermeasures on Twitter, I figured it makes sense to give the term some proper definition beyond just 280 characters.

In short, social media countermeasures are the techniques – both automated and manual – that social media services use when trying to detect, flag, and remove malicious content. And by malicious, I mean the actually harmful content created by scammers and other cyber criminals. Therefore, these countermeasures do not involve enforcing narratives, shadowbanning, or other forms of suppressing freedom of speech in the name of “fighting disinformation (1, 2)”.

The countermeasures these social media platforms use are, of course, a trade secret, and very little information about them is publicly available. Keeping them that way is a competitive advantage and makes criminals’ lives harder. We can however deduce that all major platforms have long since evolved beyond using a simple blacklist of words or URLs as the means of detecting malicious content. Behavior analysis seems to be the area of focus these days, as the social media companies can hoover up massive amounts of usage data from real users and then build a model around that. This behavior model alone isn’t enough though, as it only gives us some sort of average, or an acceptable variance, of typical behavior, but it lacks context. Without context a model like that can still easily detect, for example, bot-driven copy-paste spamming campaigns, but when a person manually writes (or at least appears to write) messages aiming to scam or phish a specific individual, detection becomes a lot harder.

That’s why I’ve seen criminals deploy automated tactics that simulate normal behavior, such as introducing a false delay before auto-answering a message or a tweet, or sometimes even creating fake conversations between bots, and in those “conversations” they happen to promote a scam service and so forth.

These could be called counter-countermeasures. It’s a forever cat-and-mouse game between defenders’ tools and attackers’ criminal cunning. This is the reason why, while most spam messages, e.g. YouTube comments, will automatically end up in the “Held for review” folder (so the countermeasures caught them), a few will evade detection and end up among the legitimate comments.

Recently I saw a very interesting malicious campaign in YouTube comments, utilizing stolen accounts and impressively contextual and real-looking comments. I did however immediately recognize it for what it is, and this once again begs the question: how on earth did it not get detected by YouTube’s countermeasures, while it was so blatantly obvious to me? Unless you get a job working in YouTube’s countermeasures unit, you’ll never know.

I will make another blog post about that campaign though. It’s a very interesting example of using multiple layers of the site’s features in order to lure victims into a specific website. It’s a bit NSFW so I need to figure out first if I need to sanitize my screengrabs or not.

EDIT Here it is: Uncovering a long-lasting porn spam campaign on YouTube (NSFW, maybe)

Finally, I’d like to remind everyone to report all scam messages. Reports do improve the detection rate in the future! I shared this tip also in the November 2022 issue of F-Alert, the monthly threat report by F-Secure. Feel free to download the report and read my article about a curious Facebook scam targeting Page Admins.

Social Media Countermeasures – Battling Long-Running Scams on YouTube, Facebook, Twitter and Instagram

For the past few years, I’ve been documenting, screenshotting, and sharing examples of criminal campaigns on the three big social media platforms: Facebook, YouTube and Twitter. I’m not that interested in speculating whether or not something is fake content, falsely amplified by nation-state sponsored threat actors (i.e. coordinated inauthentic behavior), but instead I’ve been focusing on two (a lot less media-sexy) themes:

  1. low-tier criminals using these platforms to promote their services
  2. so called “support scams” targeting mainly Facebook page owners

What is common across these two is the fact that they keep getting through the social media platforms’ automatic filtering. I call this filtering – the good-willed type, not the censorship type – social media countermeasures. It’s a term I think I picked up from Destin who runs the Smarter Every Day YouTube channel, but I haven’t really seen it used elsewhere. In a nutshell, social media platforms are trying to create countermeasures to prevent malicious behavior on their platform, and at the same time cyber criminals are developing counter-countermeasures to bob and weave their way around detection and filtering. Sometimes these criminals simply operate in a grey area not covered explicitly by a platform’s Terms of Service, making the development of effective countermeasures even harder. Let’s take a look at a few examples.

Continue reading “Social Media Countermeasures – Battling Long-Running Scams on YouTube, Facebook, Twitter and Instagram”

The Curious Case of Automated Instagram Influencer Sponsorship Emails

If an email sounds too good to be true, we’ve learned to dismiss it as phishing or otherwise fraudulent, even if it managed to evade the email client’s junk filters. However, I’ve seen a rise of a new type of automated email that deserves a closer look, as they behave quite differently from your average spam. These emails are from seemingly legitimate businesses, targeting specific email addresses associated with Instagram Creator accounts, and offering some type of influencer marketing deal.

Global influencer marketing spend is growing rapidly, and Instagram grabbed the lion’s share – 8 billion dollars – of it during 2020. So, it’s not out of the question for even smaller Creator accounts to get approached by (smaller) brands, but there’s definitely something fishy about the following emails. Let’s look at some examples.

Continue reading “The Curious Case of Automated Instagram Influencer Sponsorship Emails”

Freedom of Speech in the Age of Privacy Policies

(I got access to thinkspot beta and this was my first post on that platform. I decided to crosspost it here to increase awareness of thinkspot, and also because the issues I raise here are relevant on other social media platforms as well.)

Hi, I’m Joel, and I eat Privacy Policies for breakfast.

I’m thrilled to be among the first users of a social platform that encourages free speech and the exchange of ideas, driven by the idea of diversity of minds – the true diversity – not the superficial diversity of how we look or where we come from. However, there can be no free speech without privacy. In a similar vein, Snowden famously wrote a few years ago that “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.” Well, I care about both. It makes a lot of sense then for my first contribution on this platform to be an analysis of thinkspot’s Privacy Policy.

All comments are made about the Privacy Policy dated as effective starting August 8, 2019. It seems that they don’t keep an archive of old policies, so I took the liberty of archiving this one myself. They do however notify users “in advance of any material updates to this Privacy Policy by providing a notice on the Website or via email”, so that’s a good thing. Here are some of the most notable parts of the policy.

Continue reading “Freedom of Speech in the Age of Privacy Policies”

Instagram Hardening – Private Profile is NOT Enough!

First things first: Instagram is owned by Facebook. As such, no matter your settings or how you operate the app, you can never obtain real privacy on the platform. There exists a decentralized, ad-free alternative called Pixelfed that seems to have been getting some praise, but without personal experience I can’t say much about it. Still worth a look if you’re thinking about migrating from Instagram.

Alright, now on to the guide. Here are the concrete steps you should take in order to increase your privacy and security on Instagram.

Continue reading “Instagram Hardening – Private Profile is NOT Enough!”

On Twitter Bots, Censorship and Social Media Manipulation

During the past couple of months, there’s been an uptick in discussion regarding social media weaponization, censorship, bots and other manipulation. I’ve been following and participating in this public dialogue with keen interest, especially from the privacy and free speech perspectives. Whereas 2018 was the year of Facebook fiascos, it looks like in 2019 the spotlight has turned on Twitter.

So here’s a blog post about Twitter, made with embedded tweets. Let’s go full meta.

Continue reading “On Twitter Bots, Censorship and Social Media Manipulation”

How to Setup LinkedIn for Better Privacy and OPSEC

NOTE: Due to changes in LinkedIn features, privacy settings, and their policies in general, this guide is now mostly outdated. A more up-to-date article can be found on F-Secure’s site: https://www.f-secure.com/en/articles/is-linkedin-safe-how-to-spot-fake-profiles-and-secure-your-account

When it comes to privacy and social media platforms, LinkedIn is the necessary evil we have to put up with. While it’s a no-brainer to delete your Facebook account, so much of job recruitment revolves around LinkedIn that it’s a lot harder to sever ties with it. Many companies don’t even post their career opportunities anywhere else than on LinkedIn, and prefer applications that come directly through the platform. It’s also a great tool for headhunters to find suitable candidates.

So let’s assume you have a LinkedIn profile, you want to build up your online resume and personal brand, and want to be able to jump on an opportunity if it presents itself. However, you can accomplish all that without revealing every aspect of your professional self to the whole world by default. Let’s start off with LinkedIn settings and then move on to behavior on the platform, and other tips.

Continue reading “How to Setup LinkedIn for Better Privacy and OPSEC”