Baltimore security firm ZeroFox made the SNAP_R bot as a proof-of-concept for the next generation of phishing techniques, explaining its methods in a paper released at the recent Black Hat security conference. It uses machine learning to churn through a victim's tweets and those of their followers, then sends a dynamic message relevant to their interests. It uses clustering to identify high-value targets based on social engagement, like followers and retweets, and measures the bot's success by tracking clickthrough rates. In summary, the researchers claim it to be "the world's first automated end to end spear phishing campaign generator for Twitter."
The ZeroFox team created SNAP_R as an education and security assessment tool: like many firms, they are often hired to attack clients using cutting-edge methods that real hackers would use. Machine learning is often used defensively, so this method is one of the first to turn it around to target victims in the "spear" phishing school of anti-security.
Since links in tweets are automatically shortened, users largely aren't able to sniff out shifty URL destinations, so spotting poor grammar or irrelevant content is the quickest way to suss out malevolent intent. Catering messages is a clever way to keep from arousing victim suspicions and ultimately getting them to click on links they would be too cautious to otherwise. Britain's GCHQ intelligence agency exploited this technique when it used its own innocuous URL shortener to track activists and incite pro-revolutionary messages during the Arab Spring and Iranian uprisings. That ZeroFox tricked an unbelievable two-thirds of victims into clicking links, far higher than the five to 15 percent success rate for normal phishing methods, is evidence of a serious vulnerability in social network users' security behaviors.