On the occasion of the Black Hat 2016 Las Vegas conference (July 30-August 2), Zerofox researchers will present a free tool for generating spear phishing, a type of phishing that tricks the user into believing they are opening a message from a friend.
Black Hat 2016 (from July 30 to August 2 in Las Vegas), the annual conference devoted to hacking techniques, research and analysis and to newly discovered vulnerabilities, opens in a few days. It is there that researchers from Zerofox will unveil a free tool that automates spear phishing via Twitter. Unlike “classic” phishing, spear phishing is distinguished by the fact that the phishing emails/messages come from sender addresses known to the victim (friends, colleagues, etc.), most often because those senders had their email accounts hacked.
Called SNAP_R (social network automated phisher with reconnaissance), the tool is pointed at a Twitter account and collects data on the interests of that account's followers. It is then able to compose a tweet embedding a link to a site containing malware and send it. The Zerofox researchers who developed the tool, John Seymour and Philip Tully, said that SNAP_R allows them to scale up phishing campaigns targeting Twitter accounts. Writing a single spear phishing email by hand takes them 5-10 minutes, for example, whereas generating hundreds of spear phishing tweets takes only a handful of seconds or minutes, depending on how much hardware they have.
More effective than traditional email phishing
Manual phishing has a 40-45% click-through rate, compared to an average of 33% for automated methods. But because of the speed at which tweets are generated, the net return is much greater. “It’s a little less successful but much more effective,” said John Seymour. Twitter accounts are a good place to try spear phishing because of the mix of languages used, the rich API data and the use of short links. Because tweets are short and informal, the language does not have to be perfect, and victims may not notice mistakes in such brief messages, unlike email, where the user is generally more attentive.
The Twitter APIs let the tool post automatically and collect meaningful data about the victims, which is then used to design tempting tweets. In addition, the short links hide the real URL, which might otherwise raise the alarm and reveal that the tweet is not genuine.
Tweets indistinguishable from those written by humans
SNAP_R, which runs on Ubuntu and OS X, also makes it possible to check the activity of Twitter accounts and retrieve clues about the person (career, interests, etc.). The tweets themselves can be tailored to the time of year so that, for example, someone interested in the Rio Olympics does not receive a tweet in December when it would be far more effective to send it in July… Tweets can also be shaped by a neural network model trained on millions of previously ingested tweets; all it needs is a tweet topic. The tool can write in any language, the aim being that its output cannot be distinguished from tweets written by people.
For businesses, SNAP_R can be used for internal testing to learn how receptive employees are to mobile tweets, said Evan Blair, business manager at Zerofox. Aware that the tool could be used for real spear phishing, the researchers built in a safeguard to prevent it from being exploited for malicious purposes. For white hat research, that safeguard can be disabled.