6 minute read

Social Media Engineering

Next Article
US Foreword

US Foreword

Cybersecurity Fundamentals

Social Media Engineering

By: James Bore

In the 'Introduction to Cybersecurity' series, I spoke about social engineering as a way to manipulate individuals into disclosing information that would benefit an attacker.

In the 'Introduction to Cybersecurity' series, I spoke about social engineering as a way to manipulate individuals into disclosing information that would benefit an attacker. I’m sure recent events have been evident to everyone, and that most readers will have been aware of some of the conspiracy theories, misinformation, and polarisation, which is occurring. While this is, in part, down to the way that certain social media platforms are designed to focus on division, some of it is down to deliberate recruitment techniques.

These techniques are universal and are often used to recruit people into personality cults, multilevel marketing schemes, conspiracy theories, and various other radical groups. They are lowcost, low-effort, incredibly effective, and even more effective in an environment where most social interaction has been moved online, and face to face is discouraged. They are used to help spread conspiracy theories which target and encourage action against critical national infrastructure, and highprofile persons.

To take just one example the conspiracy theories around 5G were quickly re-tailored to incorporate Bill Gates and George Soros as targets, and were effective enough that there were arson attacks against 5G infrastructure. In other words, a few memes and videos, along with the use of these techniques (whether deliberate or accidental, though there is strong evidence of deliberate action) were enough to cause homegrown domestic terrorism attacks on UK soil.

While not part of what might normally be considered cybersecurity, social engineering is usually included, and a lot of these techniques exploit botnets and catfish accounts (fake social media accounts designed to present an appealing persona in order to infiltrate social networks) to encourage their spread. This technique, and others like it, show the weaponisation of social media.

Recruitment Steps

Recruitment Steps Classically, recruitment techniques used by cults or similar rely on four basic steps. We’ll do a quick run-through of these before looking at how they can be modified to thrive on social media platforms.

• Target selection

The right target is often someone who has suffered a crisis. Any identity-threatening crisis will do, grief, significant life change, global pandemic, all prime someone as a potential target as people often reassess identity following a significant change. Graduates, and recent arrivals at universities, are often favourites as these are very public, very obvious events which will prompt identity reassessments.

• Love bombing

Simple and straightforward positive reinforcement. The recruiting group showers the target with compliments and support, simply being nice. This support is unconditional, with no caveats or constructive criticisms, and when it works, it positions the group as a best supportive friend.

• Isolation

After the supportive position has been established, the target is isolated. This is one of the areas that adapts well to social media, and we’ll see why shortly. At this point with the target free from outside influences, a whole slew of emotional manipulative techniques can be applied to transition the group from a supportive best friend to a core part of the target’s identity.

• Maintaining control

This step most replicates abusive relationships, with the group being a source simultaneously of support and terror. The threat of withdrawing the support allows much more obvious use of abusive tactics, and by this point if the other steps have been successful the target will have started to think of themselves as a member of the group, as a core part of their identity. Breaking out, as with any abusive relationship, is difficult, painful, and usually requires outside help. We’ll see how this plays into social media engineering as well.

Translating to Social Media

In person, these techniques are clearly recognisable to anyone familiar with this sort of recruitment. Even some less-ethical sales books promote similar methods (multi-level marketing companies are founded on this sort of psychological manipulation). Where it can be less obvious is when they’ve moved to social media, where the steps are somewhat different.

Target Selection

With the breadth of social media, targets often self-select. A few years ago, it was established that 64% of members joining extremist groups on Facebook, of all kinds, came from recommendations from the Facebook algorithm. You may have come across the term ‘dog whistle politics’, meaning phrases or ideas that seem innocuous but carry greater meaning for a particular audience (if you read the article on steganography, dogwhistle politics is a form of steganography making use of what's known as a context code).

By interacting with the post, whether responding to the hidden message or not, someone is marking out that they are a potential target. Because these techniques require a much lower investment of time and effort on social media than in person, a much wider net can be cast and so targets can be selected with less (or no) care beyond clicking ‘Like’.

Love Bombing, Isolation and Maintaining Control

The social media approach combines these two into a single step. Whether it’s through a dog-whistle post of some kind (often a meme), through sharing news from extremist and unreliable sources or groups, or through some other mechanism, the aim is to get the target to post something controversial themselves. At this point, people who are aware of the dog-whistle context and disagree with it will often react in a knee-jerk fashion with shock and anger. Not only because they disagree with the view, but because of the psychological principle that everyone considers themselves at the centre of a story – so a post that’s ideologically against a person feels like a personal betrayal.

Because these techniques require a much lower investment of time and effort on social media than in person, a much wider net can be cast and so targets can be selected with less (or no) care beyond clicking ‘Like’.

Of course, that anger leads to a reaction from the poster, who feels attacked because they meant no harm. Compounding this the group who originally created the innocuous post will jump onto the conversation, giving the unconditional support and acclaim. At the same time, friends and family are more likely to react with negative emotions. This is devastatingly effective – trimmed back to the most shallow level social media is built for instant, knee jerk responses rather than nuanced discussion. Emotionally weighted reactions can very quickly alienate a target from their friends and family, while simultaneously giving them a supportive new network among the radical group.

This reoccurs as the target will tend to then share more controversial posts – both as they get drawn into the group and to upset former friends and family in revenge for their perceived attacks. It merges perfectly from this stage into the keeping control stage, as wider networks reject a person for extreme views, they are driven more towards those views.

Countermeasures

The best countermeasure is awareness and education on how these techniques work. Another trait is that people do not enjoy the idea they are being manipulated, and effective education works. Once a target has begun reidentifying as part of one of these groups it is a much more challenging and complex problem, and while deradicalisation programmes exist, they are very much still in their infancy.

James Bore is an independent cybersecurity consultant, speaker, and author with over a decade of experience in the domain. He has worked to secure national mobile networks, financial institutions, start-ups, and one of the largest attractions’ companies in the world, among others. If you would like to get in touch for help with any of the above, please reach out at james@bores.com

This article is from: