Towards Detecting Compromised Accounts on Social Networks

TL;DR

This paper presents a method for detecting compromised high-profile social media accounts by analyzing their consistent behavior over time, successfully identifying real-world attacks and avoiding staged incidents.

Contribution

It extends previous work on large-scale account compromise detection to focus on high-profile accounts using behavioral consistency analysis.

Findings

System could detect and prevent three real-world attacks

System would not have fallen for staged publicity stunt

Behavioral analysis is effective for high-profile account security

Abstract

Compromising social network accounts has become a profitable course of action for cybercriminals. By hijacking control of a popular media or business account, attackers can distribute their malicious messages or disseminate fake information to a large user base. The impacts of these incidents range from a tarnished reputation to multi-billion dollar monetary losses on financial markets. In our previous work, we demonstrated how we can detect large-scale compromises (i.e., so-called campaigns) of regular online social network users. In this work, we show how we can use similar techniques to identify compromises of individual high-profile accounts. High-profile accounts frequently have one characteristic that makes this detection reliable -- they show consistent behavior over time. We show that our system, were it deployed, would have been able to detect and prevent three real-world attacks against popular companies and news agencies. Furthermore, our system, in contrast to popular media, would not have fallen for a staged compromise instigated by a US restaurant chain for publicity reasons.