Towards Detecting Compromised Accounts on Social Networks
This work addresses account hijacking by cybercriminals who target popular media or business accounts, with incremental improvements over previous methods for detecting large-scale compromises.
The paper tackles the problem of detecting compromised high-profile accounts on social networks by leveraging their consistent behavior over time, and demonstrates that their system could have detected and prevented three real-world attacks while avoiding false positives from staged compromises.
Compromising social network accounts has become a profitable course of action for cybercriminals. By hijacking control of a popular media or business account, attackers can distribute their malicious messages or disseminate fake information to a large user base. The impacts of these incidents range from a tarnished reputation to multi-billion dollar monetary losses on financial markets. In our previous work, we demonstrated how we can detect large-scale compromises (i.e., so-called campaigns) of regular online social network users. In this work, we show how we can use similar techniques to identify compromises of individual high-profile accounts. High-profile accounts frequently have one characteristic that makes this detection reliable -- they show consistent behavior over time. We show that our system, were it deployed, would have been able to detect and prevent three real-world attacks against popular companies and news agencies. Furthermore, our system, in contrast to popular media, would not have fallen for a staged compromise instigated by a US restaurant chain for publicity reasons.