Action Fraud reported a spike in social media and email account hacks in 2024, resulting in losses of nearly £1m
Analysis Summary
# Incident Report: Surge in UK Social Media and Email Account Compromises
## Executive Summary
In 2024, reports of social media and email account compromises in the UK surged by 57%, leading to approximately £1 million in victim losses reported to Action Fraud. The primary attack vector involved 'on-platform chain hacking,' where fraudsters gained access to an account, impersonated the owner, and tricked contacts into revealing authentication codes. The main impact centered around financial scams, particularly investment and ticket fraud, executed via compromised accounts.
## Incident Details
- **Discovery Date:** Data compiled and reported in early 2025 (referencing 2024 figures).
- **Incident Date:** Throughout 2024.
- **Affected Organization:** General UK public/consumers (reported via Action Fraud).
- **Sector:** Consumer/General E-commerce and Communications.
- **Geography:** United Kingdom.
## Timeline of Events
### Initial Access
- **Date/Time:** Not explicitly stated, occurred throughout 2024.
- **Vector:** Predominantly phishing attacks targeting user credentials or subsequent 'on-platform chain hacking.'
- **Details:** Attackers executed phishing campaigns, leading to initial account compromise (email/social media).
### Lateral Movement
- **Vector:** Once access was gained, attackers impersonated the legitimate user through direct messaging contacts on the compromised platform. This was used to solicit authentication codes from those contacts, enabling access to secondary accounts (chain hacking).
### Data Exfiltration/Impact
- **Impact:** Monetization of compromised accounts through the promotion of fraudulent schemes, including fake investment offers and fraudulent ticket sales. The primary impact was financial loss (nearly £1 million in total).
### Detection & Response
- **Detection:** Reports were submitted to Action Fraud by victims experiencing losses related to these account compromises.
- **Response Actions:** Not explicitly detailed in the article beyond the reporting/statistics gathered by Action Fraud.
## Attack Methodology
- **Initial Access:** Phishing attacks leading to credential theft and account takeover.
- **Persistence:** Maintaining access by potentially changing recovery details or utilizing session tokens gained from initial compromise.
- **Privilege Escalation:** Not explicitly detailed for the initial breach, but chain hacking acts as a form of escalating trust to gain access to secondary accounts via social engineering.
- **Defense Evasion:** Impersonation of a known contact makes the fraudulent messages appear legitimate, bypassing social trust filters.
- **Credential Access:** Theft via phishing, potentially leading to the extraction of One-Time Passcodes (OTPs) sent via SMS.
- **Discovery:** Attackers surveyed the compromised account's contact list for targets.
- **Lateral Movement:** 'On-platform chain hacking' via direct messaging contacts to propagate the attack.
- **Collection:** Focused on gathering authentication codes from contacts.
- **Exfiltration:** Monetization through directing contacts toward fraudulent investment or ticket schemes.
- **Impact:** Direct financial loss to victims of secondary scams.
## Impact Assessment
- **Financial:** Nearly £1 million ($1.3m) in reported victim losses.
- **Data Breach:** Compromise of access to personal social media and email accounts, leading to the potential exposure of contact lists and internal communications.
- **Operational:** Disruption and reputational damage to the authentic users whose accounts were weaponized.
- **Reputational:** Damage to the trust users place in social media and email platforms, as well as trust between networked contacts.
## Indicators of Compromise
*Note: Specific hashes or IPs are not available in the summary; the indicators below are behavioral and derived from the report.*
- **Network indicators:** Messages sent from compromised accounts that link to phishing pages or fraudulent investment/ticket-sales sites; no specific domains or URLs are given in the report.
- **File indicators:** None explicitly mentioned.
- **Behavioral indicators:** Unsolicited messages requesting verification codes (OTPs) sent from a known contact; unusual posts promoting investment schemes or fake event tickets from a previously dormant/normal account.
## Response Actions
- **Containment:** Users who identified a compromise should have immediately reset passwords and reviewed recovery options.
- **Eradication:** Removal of fraudulent content posted by the actor and notifying all contacts who might have received malicious messages.
- **Recovery:** Users securing linked secondary accounts that may have been targeted by the chain hacking attempt.
## Lessons Learned
- **Key Takeaways:** Social engineering remains highly effective when combined with digital access, especially when impersonating a known contact ('friend trust' factor). OTPs sent via SMS are highly vulnerable in multi-step social engineering attacks.
- **What could have been done better:** Increased user education regarding the dangers of sharing SMS-delivered codes, regardless of who requests them. Emphasis on using Multi-Factor Authentication (MFA) methods less susceptible to social engineering (e.g., authenticator apps over SMS).
## Recommendations
- **Prevention measures for similar incidents:**
  - Mandate and enforce hardware or application-based Multi-Factor Authentication (MFA) over SMS-based MFA for high-risk accounts (email/social media).
  - Implement robust platform security monitoring to flag rapid, unusual requests for verification codes sent across a user's contact list immediately following an initial account takeover.
  - Increase public awareness campaigns specifically targeting the 'on-platform chain hacking' tactic and the dangers of sharing dynamic authentication codes.
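The behavioral indicator listed above (unsolicited OTP requests arriving from a known contact) and the platform-monitoring recommendation reduce to the same detection: a burst of code-solicitation messages to many distinct contacts shortly after a new-device login. The following Python detector is an added example, not part of the Action Fraud report or any platform's code; the event schema, the OTP-request phrasing regex, the 30-minute window and the three-contact threshold are all assumptions, and the event sample is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed platform-side event sample (hypothetical schema, not real data):
# (ISO timestamp, account, event, recipient, message text)
EVENTS = [
    ("2024-03-01T10:00:00", "alice", "login_new_device", None, ""),
    ("2024-03-01T10:04:00", "alice", "dm_sent", "bob", "can you send me the code you just got? phone is playing up"),
    ("2024-03-01T10:05:00", "alice", "dm_sent", "carol", "what's the verification code that came through to you?"),
    ("2024-03-01T10:06:00", "alice", "dm_sent", "dave", "forward me the 6 digit code? urgent"),
    ("2024-03-01T10:07:00", "alice", "dm_sent", "erin", "send me the login code pls"),
    ("2024-03-01T12:00:00", "bob", "dm_sent", "alice", "lunch tomorrow?"),
    ("2024-03-02T09:00:00", "carol", "login_new_device", None, ""),
    ("2024-03-02T15:00:00", "carol", "dm_sent", "dave", "did you get the code for the conference discount?"),
]

# Phrasing typical of a contact being asked to hand over an OTP (assumed pattern).
OTP_REQUEST = re.compile(
    r"\b(send|forward|tell|what'?s)\b.{0,40}\b(code|otp|passcode)\b"
    r"|\b(\d\s*digit|verification|login)\s+code\b",
    re.IGNORECASE,
)

def is_otp_request(text):
    return bool(OTP_REQUEST.search(text))

def detect_chain_hacking(events, window=timedelta(minutes=30), min_recipients=3):
    """Return (account, login_ts, sorted contacts) for each new-device login
    followed within `window` by OTP-solicitation DMs to at least
    `min_recipients` distinct contacts, the burst pattern of chain hacking."""
    alerts = []
    for ts, account, event, _, _ in events:
        if event != "login_new_device":
            continue
        start = datetime.fromisoformat(ts)
        solicited = set()
        for ts2, acct2, ev2, rcpt, text in events:
            if acct2 != account or ev2 != "dm_sent":
                continue
            if start <= datetime.fromisoformat(ts2) <= start + window and is_otp_request(text):
                solicited.add(rcpt)
        if len(solicited) >= min_recipients:
            alerts.append((account, ts, sorted(solicited)))
    return alerts

if __name__ == "__main__":
    for account, ts, contacts in detect_chain_hacking(EVENTS):
        print(f"ALERT {account}: new-device login at {ts}, OTP requests sent to {contacts}")
```

On the sample, only alice's login is flagged: four distinct contacts were asked for a code within seven minutes of a new-device login, while carol's single, unrelated mention of a code hours later stays below both the window and the threshold.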