Hashtag hijackers foul basketball fans on social media
As we have observed in the past, social media attackers congregate around major current events, and particularly popular sporting events, such as spreading spam links during March Madness and malware during the Super Bowl™. As the recently concluded NBA championship season demonstrates, no popular sports league is immune to this kind of activity: this year, however, Proofpoint social media researchers observed threat actors leveraging hashtags to spread their messages without having to go through the work of building a network of followers and friends.
On social media, your news feed, the content that you see readily when you first login, is produced mainly by people you follow or whom you have friended. In order to follow those accounts, you usually need to have intentionally established some form of connection by liking or following them.
However, it is possible for content to gain users’ attention even when they are not actively following an associated account. “Hashtags” allow users to group posts around a common theme. Any number of hashtags can be placed anywhere within a tweet or post on other social platform. On Twitter in particular, this hashtag becomes a hyperlink within the tweet, and whenever someone clicks on this hashtag, all other tweets containing this hashtag also show up.
Because hashtags are designed to quickly produce a list of tweets on related topics, Twitter users may be inclined to click on a hashtag rather than search a topic in the search engine, and a popular hashtag can easily become a security issue for users in the hands of threat actors. Normally, when a new account with few followers or friends makes a post, it will not get much attention. However, adding a hashtag to a tweet can garner significant attention effortlessly. For a hashtag representing a very popular and widely followed sporting event, the potential for new eyeballs is almost limitless.
We analyzed how people were using a popular NBA 2017 championships hashtag, “#NBAFinals2017,” to determine whether attackers were able to take advantage of hashtags to target social media users.
Most Twitter posts with the “#NBAFinals2017” hashtag were fairly benign, serving their intended purpose of grouping people with similar interests. For instance, this poster wished that basketball season was still going strong:
Our analysis found many other instances of hashtag use — or rather, abuse — that focused not on bringing people together, but on separating people from their money.
Spamming Through Hashtags
Gambling-related posts tend to be popular around any major sporting event, so it was no surprise that we also found spammers “hijacking” the hashtag #NBAFinals2017 to spread spam and gambling links:
We found hundreds of similar types of links and posts, all from different users:
It appears that one or more spammers are spreading the same content through many different accounts, all the while exploiting the #NBAFinals2017 hashtag.
Fake Accounts Hijacking Hashtags
Investigating the first example above, we found that it was in fact posted by a fake account:
We determined this to be a fake account with high confidence based on the link in the profile. Several Twitter accounts using the redirected link in the profile returned Twitter pages such as this:
The link in the profile leads to a phishing site that has since been taken down.
We detected hundreds of spam comments and several phishing links associated with the #NBAFinals2017 hashtag. As we have observed with other major sporting events, we also found many instances of hate speech as well. We detected a very large spike around June 12, the date of the last game of the NBA Finals in 2017. Figure 1 is a chart for the number of spam, hate speech, or phishing links containing the #NBAFinals2017 hashtag during that period: