Careful of that clickbait. Phishing, where cybercriminals try to trick people into clicking links to malware or sites that steal your personal information, is common on social networks like Twitter. Now a machine learning system that reads our past tweets to craft personalised traps could make clicking links that show up in your feed even riskier.

Crafting a successful phishing campaign isn’t easy. Throw garbage at people and they probably won’t click – and Twitter will ban you. So some criminals take the trouble to tailor their phishing tweets to specific individuals by hand – known as spearphishing.

For example, @NatWest_HelpTC is a scam account that responds to anyone tweeting a customer service question at NatWest’s real Twitter account. The imposters direct users to a fake NatWest site in an attempt to harvest bank login details. A NatWest spokesperson told New Scientist that attacks like this have plagued them – and other companies – for a while now.


Success rates for spearphishing are estimated to be around 45 per cent. The technique is time-consuming, however. “It is a very labour intensive way for fraudsters to phish,” says the spokesperson.

Banks shouldn’t count on the difficulty of phishing protecting their customers though – researchers have created a system that can go spearphishing automatically.

Targeted trick

By mining people’s past Twitter activity, their machine learning system first hunts down a potential target. It looks for high-profile or well-connected users – such as those who list a job title like recruiter or CEO in their profile – and people who are particularly active.

Philip Tully, part of the team who created the system at Zerofox in Baltimore, Maryland, says they also targeted people by looking at the hashtags they used in their tweets, as well as what the person likes to retweet and the times they are most likely to be using Twitter. Using this information, the algorithm generates tweets that the individual is likely to click on. In other words, personalised clickbait.

The team tested the system on 90 people and managed to trick more than two-thirds of them into clicking the link. The team thinks that the approach could reach far more people with a greater success rate than hand-crafted approaches. They also say the system would work on other social media sites, including Facebook. The work was presented at the Black Hat conference in Las Vegas last week.

But it’s not just about getting someone to click on a link. A recent study by a team at Columbia University suggested that 60 per cent of people don’t click on or read the links they retweet. Tully says that’s a boon for the technique his team is warning about.

Tweet laundering

These retweeters are effectively laundering the dodgy tweets, lending them the sheen of a legitimate user’s reputation and making it more likely that the next person will click the link.

“People are used to not clicking links in strange emails,” says Tully. But on social media people are more trusting, he says.

“We had one tweet that was hashtagged #infosec – targeted at information security professionals – and a particularly high number of people clicked the link,” says team member John Seymour, also at Zerofox.

What can we do to avoid falling into a trap laid by such a system? For a start, we should think twice before clicking. “If that tweet is coming from someone I don’t follow, maybe I shouldn’t trust them,” says Matt Devost at cybersecurity firm FusionX in Washington DC.

We should also keep our computers and phones updated. “If I have an up-to-date browser on an up-to-date operating system, the probability of infection from a malicious link is minimal,” he says.