State-sponsored "bad actors" increasingly weaponize social media platforms to launch cyberattacks and disinformation campaigns during elections. Social media companies, due to their rapid growth and scale, struggle to prevent the weaponization of their platforms. This study conducts an automated spear phishing and disinformation campaign on Twitter ahead of the 2018 United States Midterm Elections. A fake news bot account - the @DCNewsReport - was created and programmed to automatically send customized tweets with a "breaking news" link to 138 Twitter users, before being restricted by Twitter. Overall, one in five users clicked the link, which could have potentially led to the downloading of ransomware or the theft of private information. However, the link in this experiment was non-malicious and redirected users to a Google Forms survey. In predicting users' likelihood to click the link on Twitter, no statistically significant differences were observed between right-wing and left-wing partisans, or between Web users and mobile users. The findings signal that politically expressive Americans on Twitter, regardless of their party preferences or the devices they use to access the platform, are at risk of being spear phishing on social media.
After revelations of the Cambridge Analytica scandal and Russian-backed influence operations during the 2016 US election, social media platforms have increased their efforts to reduce the misuse of their platforms. Collectively, Facebook and Twitter have removed thousands of accounts linked to "bad actors," 1 who engage in "platform manipulation" 2 to undermine trust in democracy. To date, much of the public's focus on bad actors has been on the paid use of trolls to spread propaganda (Aro, 2016;Zelenkauskaite and Niezgoda, 2018) or the abuse of platforms' advertising services by covert organizations (Nadler et al., 2018).
However, bad actors also fashion social media into a much more concrete form of weaponry. Statesponsored cyber groups from Russia, Iran, and China increasingly weaponize social media platforms to conduct spear phishing attacks against Western governments (Bossetta, 2018). Spear phishing relies on social engineering -essentially a form of trickery -to bait victims into taking an action that reveals sensitive information. Automation is key feature of modern social engineering attacks, allowing attackers to conduct phishing attacks at scale (Ariu et al., 2017).
Usually, phishing attacks occur through e-mail and rely on victims to click a malicious hyperlink, download an attachment laced with malware, or enter login credentials to a spoof website. If successful, a phishing attack can lead to the hijacking of a victim’s social media, device, or private information.
Phishing remains the preferred method of state-sponsored actors to conduct cyberattacks. In 2017, “70 percent of successful security breaches associated with nation-state or state-affiliated actors involved phishing.” 3 While difficult to quantify, only a small portion of these attacks likely occur via social media. Nevertheless, reports from cybersecurity firms estimate that spear phishing on social media rose 500 percent in 2016 (Proofpoint, 2017), tripled in 2017 (PhishLabs, 2018), dipped after platforms’ purge of fake accounts, but increased 30 another percent in the first half of 2018 (Proofpoint, 2018).
Precisely due to platforms’ efforts to remove bad actors and fake accounts, ordinary citizens on social media are now more valuable targets for state-sponsored phishing attacks than previously. The largescale removal of inauthentic accounts raises the currency of real accounts for bad actors. If bad actors want to spread disinformation without being detected, they can hijack real user accounts who have established an authentic history through their interactions with the platform over time.
Moreover, once a user’s account has been successfully hijacked, bad actors can pivot off their success and launch successive attacks on that user’s connections. Since users are more likely to open links from known connections rather than strangers (Seng et al., 2018), bad actors can leverage compromised accounts to snowball an attack across a social network.
Taking seriously the political implications of large-scale cyberattacks on social media, the present study seeks to test the American public’s vulnerability to spear phishing on Twitter. Therefore, I ask:
To answers the research question, the study tests the extent to which partisan Twitter users are likely to click a hyperlink sent by a fake news account. The “DC News Report,” an automated bot account created by the author, sent 138 Twitter users (77 right-wing partisans and 61 left-wing partisans) a link to a fabricated “breaking news” story about the 2018 Midterm Elections.
The results of the experiment reveal that 27 of the 138 users, or 20 percent, clicked the link. Three independent variables -partisanship, device, and time proximity to the election -were all found to be statistically insignificant predictors for clicking the link. This null finding suggests that the risk of being spear phished on Twitter cross-cuts partisan lines as well as the type of device used to access the platform.
Important to note is that the link was non-malicious and redirected users only to a Google survey form, which users were then invited to fill in. However, bad actors could easily circumvent the filters of link shortening services to weaponize the link by redirecting users to a malicious website that harbors a malware payload.
The study proceeds as follows. First, I outline the motivation for conducting a cyberattack experiment against the backdrop of researchers’ increasingly limited access to social media data. Second, I outline why Twitter’s digital architecture facilitates spear phishing attacks. Third, the experiment’s methodology is outlined before the results are presented. Finally, the study concludes with a discussion of the study’s findings.
Amidst the cross-platform crack down on bad actors and fake accounts, social media platforms have taken steps that limit researchers’ access to data. Most pointedly, Facebook restricted access to its Pages API on 4 April 2018 (Schroepfer, 20
This content is AI-processed based on open access ArXiv data.
