Seeing is (Not) Believing: Practical Phishing Attacks Targeting Social Media Sharing Cards

Published 17 May 2024 in cs.CR | (2405.10758v1)

Abstract: In the digital era, Online Social Networks (OSNs) play a crucial role in information dissemination, and sharing cards for link previews have emerged as a key feature. These cards offer snapshots of shared content, including titles, descriptions, and images. In this study, we investigate the construction and dissemination mechanisms of these cards, focusing on the two primary server-side generation methods, one based on a Share-SDK and one based on HTML meta tags. Our investigation reveals a novel type of attack, the Sharing Card Forgery (SCF) attack, which can be exploited to create forged benign sharing cards for malicious links. We demonstrate the feasibility of these attacks through practical implementations and evaluate their effectiveness across 13 online social networks. Our findings indicate a significant risk: the deceptive cards can evade detection and persist on social platforms, posing a substantial threat to user security. We also delve into countermeasures and discuss the challenges in effectively mitigating these types of attacks. This study not only sheds light on a novel phishing technique but also calls for heightened awareness and improved defensive strategies in the OSN ecosystem.
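The abstract describes sharing cards being generated server-side from the HTML meta tags of the shared page. The following added example, which is not code from the paper, shows the defender's side of that pipeline: a minimal card builder that extracts Open Graph tags the way a preview generator does, and then applies a consistency check before the card is displayed. The check (that `og:url` and `og:image` resolve to the same host as the link actually being shared) is an illustrative heuristic assumed here for demonstration, not a countermeasure the paper proposes, and the HTML documents are constructed samples.

```python
"""
Added example (not from the paper): build a sharing card from Open Graph
meta tags and flag cards whose metadata is inconsistent with the shared link.

Assumptions: the host-consistency checks below are an illustrative heuristic,
not the paper's countermeasure. Both HTML documents are constructed samples.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _OpenGraphCollector(HTMLParser):
    """Collects <meta property="og:*" content="..."> pairs from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.og: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        # Some generators also accept name="og:..."; treat it as a fallback.
        key = a.get("property") or a.get("name")
        content = a.get("content")
        if key and key.startswith("og:") and content is not None and key not in self.og:
            # Open Graph: the first occurrence of a tag wins on conflicts.
            self.og[key] = content


@dataclass
class SharingCard:
    shared_url: str
    title: str
    description: str
    image: str
    og_url: str
    warnings: list[str] = field(default_factory=list)

    @property
    def trustworthy(self) -> bool:
        """True when no consistency check fired."""
        return not self.warnings


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def build_card(shared_url: str, html: str) -> SharingCard:
    """Build a preview card from the HTML served for shared_url and run checks."""
    collector = _OpenGraphCollector()
    collector.feed(html)
    og = collector.og
    card = SharingCard(
        shared_url=shared_url,
        title=og.get("og:title", ""),
        description=og.get("og:description", ""),
        image=og.get("og:image", ""),
        og_url=og.get("og:url", ""),
    )
    shared_host = _host(shared_url)
    # Heuristic 1 (assumed): og:url declares the canonical location of the page;
    # a card that claims to be another site's page deserves a warning.
    if card.og_url and _host(card.og_url) != shared_host:
        card.warnings.append(f"og:url host {_host(card.og_url)!r} != shared host {shared_host!r}")
    # Heuristic 2 (assumed): Open Graph values are absolute URLs; a relative or
    # non-http(s) image cannot be fetched safely by the generator.
    if card.image and urlsplit(card.image).scheme not in ("http", "https"):
        card.warnings.append("og:image is not an absolute http(s) URL")
    # Heuristic 3 (assumed, noisy for CDN-hosted sites): preview image served
    # from a host other than the shared one is flagged for review.
    elif card.image and _host(card.image) != shared_host:
        card.warnings.append(f"og:image host {_host(card.image)!r} != shared host {shared_host!r}")
    return card


# Constructed sample: metadata consistent with the shared link.
CONSISTENT_HTML = """<html><head>
<meta property="og:title" content="Quarterly report">
<meta property="og:description" content="Results for Q1">
<meta property="og:image" content="https://example.org/img/report.png">
<meta property="og:url" content="https://example.org/reports/q1">
</head><body>report</body></html>"""

# Constructed sample: the page served for one link carries metadata that
# describes a page on a different host, so the card would look like that site.
MISMATCHED_HTML = """<html><head>
<meta property="og:title" content="Quarterly report">
<meta property="og:description" content="Results for Q1">
<meta property="og:image" content="https://example.org/img/report.png">
<meta property="og:url" content="https://example.org/reports/q1">
</head><body>unrelated</body></html>"""

if __name__ == "__main__":
    for url, doc in [("https://example.org/reports/q1", CONSISTENT_HTML),
                     ("https://other.example.net/landing", MISMATCHED_HTML)]:
        card = build_card(url, doc)
        print(url, "->", card.title, "| trustworthy:", card.trustworthy, card.warnings)
```

The parser side is what any card generator must do; the checks are where a platform can add friction. They only catch metadata that is inconsistent with the shared link, which is why the abstract's point stands: a card whose tags are all self-consistent but simply misleading still renders as a benign preview, and mitigation needs more than tag validation.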
