Truth Social, launched by the Trump Media & Technology Group in 2022, has become a hotspot for scams such as phishing and investment fraud.
# Incident Report: Mass Social Media Phishing and Fraud Campaigns on Truth Social
## Executive Summary
Truth Social users have become the target of widespread online scams, primarily driven by the platform's group structure which facilitates mass targeting. Threat actors are executing phishing campaigns impersonating major brands to steal credentials and financial information, alongside running advance fee, romance, and investment frauds. The impact is significant user financial loss and credential compromise, necessitating stricter platform moderation and increased user education.
## Incident Details
- Discovery Date: Recent analysis by Netcraft; the ongoing activity is described in a January 2025 report.
- Incident Date: Activity noted as ongoing since at least March 2024 (for the specific phishing actor).
- Affected Organization: Truth Social (Trump Media & Technology Group - TMTG) users.
- Sector: Social Media/Technology.
- Geography: Global (targeting users on the platform).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing since at least March 2024 for specific actors.
- Vector: Direct messaging/posting within interest-based groups on Truth Social.
- Details: A French-speaking threat actor used seven different accounts to post over 500 phishing messages since March 2024, impersonating brands like Spotify, Netflix, and Disney+.
### Lateral Movement
- Lateral Movement: Not applicable in the traditional sense of network penetration. The equivalent tactic here is *audience proliferation*: scammers target large, established user groups (some with over 100,000 members) to maximize the reach of their scams.
### Data Exfiltration/Impact
- Data Exfiltration/Impact: Theft of user login credentials and financial information via redirection to fake login pages following phishing lures. Also included advance fee fraud (demanding $250 to $1,000), romance scams, and crypto investment scams.
### Detection & Response
- Detection: Security researchers (Netcraft) became aware of the scope after creating an account and receiving over 30 scam messages in a few hours.
- Response Actions: The article emphasizes the need for proactive measures from platform operators, including better user education, stricter content moderation, and advanced detection technologies. No specific actions taken by Truth Social are detailed.
## Attack Methodology
- Initial Access: Exploitation of platform structure by posting malicious links directly to targeted user groups.
- Persistence: Threat actors maintain persistence by operating multiple accounts (one reported actor used seven accounts) to continuously distribute malicious content.
- Privilege Escalation: Not directly applicable (this is not a network breach). The equivalent is *trust escalation* used in investment/romance scams to extract larger sums of money.
- Defense Evasion: Use of social engineering tailored to specific platform communities and phishing links that redirect through the platform itself to create a veneer of legitimacy.
- Credential Access: Phishing attacks using fake brand login pages (Netflix, Spotify) to capture credentials upon submission.
- Discovery: Social media monitoring and research by security firms (Netcraft).
- Lateral Movement: Reaching large, pre-existing social groups for scale.
- Collection: Stealing login credentials and banking information submitted on fake landing pages.
- Exfiltration: Data is exfiltrated when victims submit information to the fraudulent third-party sites.
- Impact: Financial losses incurred through fraudulent transfers and unauthorized access resulting from stolen credentials.
## Impact Assessment
- Financial: Users reported losing between $250 and $1,000 via advance fee fraud alone. Total social media-originated scam losses across platforms since 2021 reached $2.7bn (FTC data).
- Data Breach: User login credentials (for major services) and financial/bank information were compromised.
- Operational: Minimal direct platform operational impact noted, but user trust and safety are significantly degraded.
- Reputational: Negative publicity regarding the platform's susceptibility to mass scams.
## Indicators of Compromise
- Network Indicators (Defanged): URLs leading to known phishing domains impersonating major subscription services. Analysis requires deep inspection of redirection chains originating from Truth Social posts.
- File Indicators: Not usually applicable in platform-based link sharing/social engineering, but any locally downloaded files from phishing sites could be indicative.
- Behavioral Indicators: High volume of direct messages or group posts containing links related to investment opportunities, subscription expirations, or requests for upfront fees ($250+).
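As an added defender-side example (not code from the Netcraft report or from the platform), the following Python scores posts against the behavioral indicators above: a named brand whose link lands on a non-brand domain, an upfront fee request in the $250 to $1,000 range, and urgency or investment lure wording, and then flags accounts that post several such messages. The brand domain allowlist, the thresholds and the sample posts are constructed assumptions, not values from the report.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# Hypothetical allowlist of legitimate registrable domains per impersonated brand (assumed, not from the report).
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "spotify": {"spotify.com"},
    "disney+": {"disneyplus.com"},
}
URL_RE = re.compile(r"https?://[^\s]+", re.I)
FEE_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*)")          # dollar amounts such as $500 or $1,000
LURE_RE = re.compile(r"(expir|suspend|verify your|locked|investment|guaranteed return)", re.I)

def registrable_domain(url):
    """Crude eTLD+1: the last two host labels (adequate for the .com-style hosts used here)."""
    host = urlparse(url).hostname or ""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def score_post(text):
    """Return the list of reasons a post looks like a scam lure; an empty list means clean."""
    reasons, lowered = [], text.lower()
    for url in URL_RE.findall(text):
        dom = registrable_domain(url)
        for brand, legit in BRAND_DOMAINS.items():
            if brand in lowered and dom not in legit:     # brand named, link goes elsewhere
                reasons.append(f"brand mismatch: '{brand}' mentioned, link goes to {dom}")
    for amt in FEE_RE.findall(text):
        value = int(amt.replace(",", ""))
        if 250 <= value <= 1000:                          # advance-fee range reported in the incident
            reasons.append(f"upfront fee request: ${value}")
    if LURE_RE.search(text):
        reasons.append("urgency/investment lure wording")
    return reasons

def flag_accounts(posts, min_flagged=3):
    """posts: iterable of (account, text). Return accounts with at least min_flagged suspicious posts."""
    counts = Counter(acct for acct, text in posts if score_post(text))
    return {acct: n for acct, n in counts.items() if n >= min_flagged}

# Constructed sample posts for the demonstration; none are real Truth Social content.
SAMPLE_POSTS = [
    ("acct_a", "Your Netflix subscription will expire today, verify at https://netflix-billing-check.example/login"),
    ("acct_a", "Spotify Premium locked! Restore here https://spotify.example-verify.net/x"),
    ("acct_a", "Disney+ account suspended, log in https://disneyplus.example-fix.org"),
    ("acct_b", "Guaranteed return: send $500 processing fee to unlock your crypto payout"),
    ("acct_c", "Watching the new season on Netflix tonight https://www.netflix.com/browse"),
]
```

Running `flag_accounts(SAMPLE_POSTS)` on the constructed posts flags only `acct_a`, whose three brand-impersonation posts mirror the multi-brand, multi-post pattern the report describes, while the legitimate Netflix link from `acct_c` scores clean.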
## Response Actions
- Containment Measures: The primary containment recommended for users is to avoid clicking suspicious links and to use multi-factor authentication. (Platform-side action is needed but not specified.)
- Eradication Steps: Suspension/banning of accounts identified as malicious posters (reported actor utilized seven accounts).
- Recovery Actions: Users who submitted credentials/data must immediately change passwords for affected services and monitor banking statements.
## Lessons Learned
- Key Takeaways: Large, interest-based social media groups create high-value targets for scammers seeking to flood victims with overlapping fraudulent schemes (phishing, investment, advance fee).
- What could have been done better: Platform operators need to implement faster detection and removal mechanisms tailored for high-volume, social-engineering-based attacks, especially those impersonating trusted entities.
## Recommendations
- Prevention Measures for Similar Incidents:
1. Implement stricter, rapid content moderation policies specifically targeting known phishing templates and impersonation schemes.
2. Enhance user education campaigns focusing on TMTG/Truth Social users to recognize common financial and subscription-based scams.
3. Utilize advanced threat intelligence feeds to proactively block known malicious URLs used in phishing campaigns before they are posted.
4. Investigate technical controls to detect and flag link redirects through multiple obfuscated steps.