Faculty Of Cultural And Social Sciences


Twitter for Phishing: Charting the Discourse about Social Engineering and Ethics

MASTER THESIS
to obtain the Erasmus Mundus Joint Master Degree in Digital Communication Leadership (DCLead) of
Faculty of Cultural and Social Sciences, Paris Lodron University of Salzburg
Faculty of Economic and Social Sciences and Solvay Business School, Vrije Universiteit Brussel

Submitted by Oyinkansola, t 27, Leuven Belgium
Internal Supervisor: Prof. Laurence Claeys
External Supervisor: Ursula Meier Rabler
Tutor: Prof. Ezer Osei Yeboah-Boateng
Department of Communication Studies
Salzburg, 11/2/2021

EXECUTIVE SUMMARY

Keywords: Twitter, Phishing, Social Engineering, Cybersecurity and Ethics

Subject: More than 90% of all social engineering attacks are a result of phishing. The trend of using Twitter to exploit the deeply curious nature of humans is on the rise, as social engineering techniques such as phishing are increasingly employed to psychologically maneuver unsuspecting people into divulging personal data (e.g. passwords); an effect of the huge dissemination of information on the platform. Twitter is renowned for relevant conversations and discussions even though it is not the biggest social media platform. Due to the COVID-19 crisis, phishing attacks via emails and social media increased by over 667 per cent. Today, there are increased ethical concerns as a result of the ever-changing phishing tactics employed to lure victims. This research largely focuses on user behavior and the non-technical aspect of social engineering (i.e. hacking into humans) on Twitter. The findings are expected to contribute to further research on the concept of phishing on Twitter.

Research Questions
Main research question: How are phishing attacks performed on Twitter (especially during the pandemic)?
R2: How knowledgeable are users on Social Engineering attacks and Twitter phishing (focus on the prevalent persuasion techniques used in Twitter attacks)?
Other questions for discussion in the literature review include:
R3: How effective is Twitter in addressing the fast-rising problem of phishing on the platform?
R4: What are the patterns and trends within the phishing landscape?

Aim and methods: This explorative research examines the current debates and trends on Social Engineering (SE), labels within SE and ethics (Black, White and Grey Hats) and users' perspective on Twitter phishing. The research focuses on textual analysis of security events that include data breaches, security incidents, privacy violations, and phishing on Twitter, and identifies themes and patterns. It also investigates how phishing attacks are performed on Twitter (especially in the light of the current pandemic), the prevalent persuasion techniques employed (Cialdini's principles) and users' susceptibility to phishing based on their personality traits (Big 5 model). This research employs digital methods to gather and analyze data from Twitter, combined with qualitative approaches, textual analysis and the survey method (method triangulation), to unveil important insights about the online discourse on social engineering and ethics and the stakeholders (users) participating in that discourse. Special attention is given to the online discussion on Twitter phishing.

Findings: 1) Most of the malicious links in our dataset were from India. 2) Twitter is neither proactive nor effective in raising awareness of phishing to protect its end users. 3) YouTube, Twitter and Facebook are the most targeted brands, with a high number of incidences. 4) Malicious tweets relied mainly on the principle of reciprocity, which Cialdini refers to as "the honoured network of obligation". Next was the principle of liking or similarity, used in a specific combination in this case. 5) Close reading revealed particular trends in bitcoin and enticement using free items, thus increasing visits to malicious websites or the provision of sensitive details (the scarcity principle in play here).

Recommendation: Based on the review of Twitter's Financial Scam Policy, it recommends the practical application of the heuristic steps of Contextual Integrity to educate users and employees and mitigate threats.

TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 2
TABLE OF CONTENTS ... 4
LIST OF GRAPHS, TABLES, FIGURES AND APPENDIXES ... 7
Graphs: ... 7
Tables: ... 8
Figures: ... 9
ABBREVIATIONS ... 10
1. INTRODUCTION ... 11
2. THEORETICAL FRAMEWORK ... 15
2.1. Stakeholder's Theory ... 15
2.1.1. The Psychology behind Phishing: Theory of Social Proof ... 18
2.1.2. The Big 5 Model ... 26
2.2. Cyber Security ... 30
2.3. Social Engineering: The Rise of a Concept ... 31
2.3.1. Social Engineering: A Technical or Social Problem? ... 32
2.3.2. Labels within Social Engineering and Ethics: White, Grey and Black Hat ... 34
2.3.3. Charting the Discourse between Social Engineering and Ethics ... 34
2.3.4. Types of Social Engineering ... 37
2.4. Phishing ... 39
2.4.1. Defining Phishing in the context of Current Debates: Twitter for Phishing ... 42
2.4.2. Covid19 Blues: A New Level to Phishing ... 44
2.5. Twitter for Phishing Incidences ... 45
2.5.1. Incident 1: The Epic PayPal Phishing ... 46
2.5.2. Incidence 2: Twitter Spear Phishing Case ... 47
2.5.3. Incidence 3: Covid19 Password Dump ... 48
2.6. Role of Language and other semiotic resources in the formation of pretext to establish Trust ... 49
2.7. Towards a people-centric approach to Cyber security Awareness ... 50
2.8. Informational Privacy and Data Literacy ... 51
2.9. Policy Review: Twitter Financial Scam Policy ... 51
3. METHODOLOGY ... 54
3.1. Quantitative Survey Research ... 54
3.1.1. Survey Sample ... 56
3.1.2. Gathering Survey data and Responses ... 56
3.2. Digital Methods as a research practice ... 57
3.2.1. Gathering twitter data and metadata ... 59
3.2.1. Analysis ... 60
3.3.1. Data cleaning and editing ... 61
3.3. Qualitative Analysis - Textual/Close Reading ... 62
3.4. Quantitative Analysis - Digital Methods & Survey Research ... 63
(1) Textual Analysis ... 63
(2) Sentiment Analysis ... 64
(3) Descriptive Analysis ... 64
3.5. Visualization ... 65
4.0. RESULTS ... 65
4.1. General Overview and Description of the Datasets ... 65
4.2. Sentiment Analysis Findings ... 67
4.2.1. "Cybersecurity" Hashtags ... 67
4.2.2. "Hacked" Hashtags ... 69
4.2.3. "Phishing" Hashtags ... 70
4.2.4. "Social Engineering" Hashtags ... 72
4.2.5. Similarities and Patterns ... 73
4.2.6. The Second Criteria: Corona Related Tweets ... 73
4.3. In-depth Analysis: Twitter Spear Phishing Incidence ... 75
4.3.1. Twitter Spear Phishing Incidence: #Hacked ... 75
4.3.2. Twitter Spear Phishing Incidence: #Phishing ... 76
4.3.3. Twitter Spear Phishing Incidence: #SocialEngineering ... 77
4.3.4. Twitter Spear Phishing Incidence: #Phishing ... 78
4.3.5. Twitter Spear Phishing Incidence: #TwitterHacked ... 79
4.4. Cialdini's Principles; Data Validation ... 81
4.4.1. Word Frequency Approach ... 82
4.5. Descriptive Survey Analysis ... 83
4.5.1. Respondents - Gender Distribution ... 83
4.5.2. Respondents - Age Distribution ... 84
4.5.3. Respondents - Nationality ... 84
4.5.4. Respondents - Country of Residence ... 85
4.5.5. Respondents - Current Job Status ... 85
4.5.6. Respondents - Level of Education ... 86
4.5.7. Respondents - Time on Twitter ... 87
4.5.8. Knowledge-Based Questions (KBQ) ... 87
5. CONCLUSION ... 97
6. REFERENCES ... 99
SCIENTIFIC LITERATURE ... 99
NON-ACADEMIC SOURCES ... 108
7. APPENDIXES ... 113
APPENDIX NO 1: SURVEY QUESTIONNAIRE ... 113
APPENDIX NO 2: GENERAL DATA CHARACTERIZATION ... 118
APPENDIX NO 3: TWITTER GLOSSARY ... 119
APPENDIX NO 4: CONSENT FOR PARTICIPATION IN THIS STUDY ... 120

LIST OF GRAPHS, TABLES, FIGURES AND APPENDIXES

Graphs:
Graph 1: Spikes of Phishing attacks in several companies with Italy being the highest ... 44
Graph 2: Distribution of Twitter users worldwide as of July 2020, sorted by age group ... 56
Graph 3: Overview of sentiment analysis based on all 4 themes ... 66
Graph 4: Breakdown of sentiment analysis based on the theme "Cybersecurity" ... 67
Graph 5: Breakdown of sentiment analysis based on the theme "Hacked" ... 69
Graph 6: Breakdown of sentiment analysis based on the theme "Phishing" ... 70
Graph 7: Breakdown of sentiment analysis based on the theme "Social Engineering" ... 72
Graph 8: Breakdown of sentiment analysis of COVID19 tweets ... 74
Graph 9: Analysis of the Twitter Phishing Case ... 75
Graph 10: Analysis of Twitter Spear Phishing case #SocialEngineering ... 77
Graph 11: Analysis of Twitter Spear Phishing case #Phishing ... 78
Graph 12: Analysis of Twitter Spear Phishing case #TwitterHacked ... 80
Graph 13: Questionnaire results regarding sex ... 83
Graph 14: Questionnaire results regarding Age ... 84
Graph 15: Questionnaire results regarding Nationalities ... 85
Graph 16: Questionnaire results regarding the country of residence ... 85
Graph 17: Questionnaire results regarding Job Status ... 86
Graph 18: Questionnaire results regarding Level of Education ... 86
Graph 19: Questionnaire results regarding Time on Twitter ... 87
Graph 20: How did you learn about Phishing? ... 88
Graph 21: Question on link clicking experience ... 88
Graph 22: Questionnaire results regarding Black Hat Link ... 89
Graph 23: Questionnaire results regarding Twitter's Proactiveness ... 90
Graph 24: Scenario 1 ... 91
Graph 25: Scenario 2 ... 91
Graph 26: Scenario 3 ... 92
Graph 27: Result on Extroversion ... 93
Graph 28: Result on Conscientiousness ... 94
Graph 29: Result on Agreeableness ... 95
Graph 30: Result on Openness to Experience ... 95
Graph 31: Openness to Experience ... 96

Tables:
Table 1: Twitter Stakeholder Categories adapted from (Alexander & Viardot, 2016) ... 17
Table 2: The Number of Personality Traits in Different Models, adapted from (Najm, 2019) ... 27
Table 3: Different facets within dimensions, adapted from (Lim, 2020) ... 30
Table 4: Ethical concerns in public communication, adapted from Mouton et al., 2015 ... 36
Table 5: Ethical concerns in penetration testing, adapted from Mouton et al., 2015 ... 36
Table 6: Ethical concerns in social engineering research, adapted from Mouton et al., 2015 ... 37
Table 7: Two common Phishing Lures, adapted from (The Ultimate Guide to Social Engineering, n.d.) ... 41
Table 8: A summary of some of the prominent phishing attacks so far in 2020. Compiled from (Irwin, 2020) ... 41
Table 9: Summary of PayPal case ... 46
Table 10: Twitter Spear Phishing Case ... 48
Table 11: Covid19 Password Dump ... 49
Table 12: Of the 3 media articles/Twitter cases, these were the common elements ... 62
Table 13: Sentiment by users ... 68
Table 14: Sentiment by users ... 70
Table 15: Sentiment by users ... 71
Table 16: Sentiment by users ... 73
Table 17: Sentiment by users ... 75
Table 18: Sentiment by users ... 76
Table 19: Sentiment by users ... 77
Table 20: Sentiment by users ... 78
Table 21: Sentiment by users ... 79
Table 22: Sentiment by users ... 81
Table 23: Overview of Survey Analysis
Table 24: Scores based on Scaled ... 92
Table 25: Big 5 test results ... 93

Figures:
Figure 1: Principle of Reciprocity applied to Twitter DMs ... 19
Figure 2: Principle of Commitment applied to posts on Twitter TLs ... 20
Figure 3: Fake Profile 'Robin Sage' to establish trust and authority. Source: medium.com ... 21
Figure 4: Verified Twitter hacked to send phishing tweets ... 22
Figure 5: A COVID 19 scam based on the principle of Liking ... 23
Figure 6: Principle of Scarcity with the urgency in play here ... 24
Figure 7: With Social Proof in focus ... 25
Figure 8: Steps within a social engineering life cycle ... 32
Figure 9: Conceptual Model by (Janczewski & Fu, 2010) ... 49
Figure 10: Twitter being called out on its ineffectiveness ... 53
Figure 11: The release post in September 2019 ... 52

ABBREVIATIONS

API: Application Programming Interface
BFT: Big Five Factors
CTA: Call to Action
FOMO: Fear of Missing Out
GDPR: General Data Protection Regulation
NGO: Non-Governmental Organizations
SE: Social Engineering
SNSs: Social Networking Sites

1. INTRODUCTION

Problem statement

Connections, digital intimacies and data privacy are in crisis. Phishing attacks via emails and social media increased by over 667 per cent as a result of the COVID-19 crisis in March 2020 (Indiana University of Pennsylvania, 2020). Each day, phishers come up with new social engineering tactics to manipulate users into clicking or taking actions via black hat links. However, a cursory search on the inherent problems shows that most users are not aware that they can be scammed while on social media platforms. 2018 not only witnessed Twitter allowing a fake PayPal account to run a promoted tweet which led to users inputting their details, but also saw the loss of 120,000 after phishers hacked the Twitter accounts of two companies (Matalan and Pathé UK) while claiming to be Elon Musk doing giveaway campaigns. Twitter's use for phishing attacks lacks adequate and in-depth research, especially given the current pandemic. This thesis reviews and analyses Twitter discourse on #TwitterPhishing, media articles on the subject matter and Twitter's Financial Scam policy. It aims to map the current discourse on Twitter phishing and to sensitize users to cybersecurity and social engineering threats.

"Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution." (Cyberspace policy review: assuring a trusted and resilient information and communications infrastructure, 2009)

It is no longer news that the Internet, or cyberspace, has been both a blessing and a curse. A lot has changed since the 90s, when the World Wide Web was invented and utopian plans for the internet were shared (Aggarwal, Rajadesingan & Kumaraguru, 2012). Information and Communications Technology (ICT) has today become the main driver of economic growth for most nations, industries and individuals (Cameron, n.d.). Castells (2010) opines that this evolution of the internet is presumably the best technological innovation in the digital age. However, this innovation, which has been of huge benefit to society, also has a dark side, "because it threatens the moral foundations of society, most especially the morality of young people" (Ess, 2010).

One of the greatest strengths of platforms like Twitter is their openness and how easily they can be accessed with the internet (Benkler, 2006). At the same time, Social Networking Sites (SNSs) have become viable architectures where vulnerabilities are exploited using social engineering techniques (Silic & Back, 2016). There are increased ethical concerns as a result of black hat activities on the platform, i.e. the ever-changing phishing tactics employed to lure victims. 90% of data breaches and cyber-attacks begin with phishing frauds, making it a major security concern (knowbe4, 2020).

Social Engineering (SE) via phishing remains a major issue as it continues to 'threaten financial institutions, retail companies, and consumers daily, and phishers remain successful by researching anti-phishing countermeasures and adapting their attack methods to the countermeasures, either to exploit them or completely circumvent them' (Barnes, 2006). March 2020 witnessed an increase in phishing attacks via emails and social media of over 667 per cent as a result of the COVID-19 crisis (Indiana University of Pennsylvania, 2020). Recently, social media (Twitter) stakeholders are becoming more aware that phishers exploit the weakest link in the security chain: people. The most likely result of such exploitation is financial loss, arising from disclosed sensitive information, and mistrust (Bosworth, Kabay, & Whyne, 2014; Xiong, Proctor, Yang & Li, 2018).

Establishing Trust and Digital Intimacies in Online Media

Social Engineering is the act of employing "influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of people to obtain information with or without the use of technology." (Mitnick & Simon, 2011). Social engineering not only exploits the natural human tendency to trust (Salahdine & Kaabouch, 2019) but also appeals to or leverages five human emotions:

1. Fear (Gupta & Sharman, 2009).
2. Greed (Broadhurst & Chantler, 2008).
3. Urgency (Workman, 2007).
4. Helpfulness (Jewkes & Yar, 2013).
5. Curiosity (Rader & M. Rahman, 2013).

This master thesis aims to study users' perspective of the phishing landscape on Twitter and to carry out an extensive analysis of the current landscape on phishing: Twitter phishing and COVID 19 themed phishing scams. Furthermore, it investigates how phishing attacks are performed on Twitter (especially in the light of the current pandemic) and seeks to examine the link between Twitter stakeholders, Cialdini's 6 principles of persuasion and the Big Five personality traits, as well as stakeholders' responses to Twitter phishing tactics. Finally, this exploratory research aims to explore and address Twitter's effectiveness, or lack thereof, in addressing the fast-rising problem of phishing on the platform. The researcher seeks to contribute to this budding field of research by increasing awareness and educating potential victims from a user's point of view so that they can block these ever-changing tactics upfront.

The research questions of this study are the following:
Main research question: How are phishing attacks performed on Twitter (especially during the pandemic)?
R2: How knowledgeable are users on Social Engineering attacks and Twitter phishing (focus on the prevalent persuasion techniques used in Twitter attacks)?
Other questions for discussion in the literature review include:
R3: How effective is Twitter in addressing the fast-rising problem of phishing on the platform?
R4: What are the patterns and trends within the phishing landscape?

This master thesis is structured in several sections. In the introduction, we present the problem/subject of the research, its social and scientific relevance, and the aims and objectives of the research. Chapter 2 introduces the theoretical framework based on stakeholders' theory, Cialdini's principles of persuasion and the Big 5 model, together with a literature review of the concepts of Social Engineering. Chapter 3 introduces the research methodology. Chapter 4 introduces the results and findings of the research. Chapter 5 concludes the thesis by reiterating the subject of the research and findings and provides a framework (Contextual Integrity) for mitigating user/emp
