Seeing is (Not) Believing: Practical Phishing Attacks Targeting Social Media Sharing Cards
Wangchenlu Huang, Shenao Wang, Yanjie Zhao, Guosheng Xu, Haoyu Wang

TL;DR
This paper uncovers a new phishing attack exploiting social media sharing cards, demonstrating its feasibility across multiple platforms and highlighting the need for better detection and mitigation strategies.
Contribution
It introduces Sharing Card Forgery (SCF), a novel attack method that forges benign-looking sharing cards for malicious links, revealing security vulnerabilities in social media link previews.
Findings
SCF can create convincing fake sharing cards for malicious links
The attack is effective across 13 different social networks
Deceptive cards can evade existing detection mechanisms
Abstract
In the digital era, Online Social Networks (OSNs) play a crucial role in information dissemination, with sharing cards for link previews emerging as a key feature. These cards offer snapshots of shared content, including titles, descriptions, and images. In this study, we investigate the construction and dissemination mechanisms of these cards, focusing on two primary server-side generation methods based on Share-SDK and HTML meta tags. Our investigation reveals a novel type of attack, the Sharing Card Forgery (SCF) attack, which can be exploited to create forged benign sharing cards for malicious links. We demonstrate the feasibility of these attacks through practical implementations and evaluate their effectiveness across 13 online social networks. Our findings indicate a significant risk, as the deceptive cards can evade detection and persist on social platforms, thus posing…
Taxonomy
Topics: Spam and Phishing Detection · Internet Traffic Analysis and Secure E-voting · Privacy, Security, and Data Protection
