Cyabra uncovered 84 profiles promoting hacking services for hire on Twitter, offering to recover lost accounts on digital trading platforms. Those hacking services, advertised in plain sight on social media, are not only a threat to customers’ data safety: they’re also a risk to the E-Trading platforms themselves, to their security and reputation.
Three years ago, digital trading platforms may have seemed like quirky pandemic hobbies, just like growing your own sourdough or recreating famous artworks using family members and household objects. Digital trading was already gaining popularity before the pandemic, but the restrictions and social distancing measures, as well as people being stuck at home and seeking alternative ways to generate income or explore investment opportunities, all led to increased interest in E-trade. The convenience and accessibility of these platforms quickly attracted an even larger audience, and their popularity is still on the rise.
With more and more money being placed into digital trading platforms, they have attracted the interest of a much smaller crowd with much larger capabilities: hackers and criminals. Those bad actors take advantage of frustrated and desperate people locked out of their accounts and not being cared for by customer services, and offer their services on social media, claiming they can help people recover their lost accounts.
Hackers to the Rescue! (Not)
Cyabra identified 84 profiles on Twitter – 66% of them (56 profiles) fake – offering hacking services for customers locked out of 10 different E-trading platforms and apps: eToro, TD Ameritrade, Trezor, MetaMask, Zengo, Coinbase, Trustwallet, Fidelity, Nutmeg and Ellevest.
The profiles were posting in English, Spanish, and Portuguese. In one month, Cyabra detected 743 posts created by those profiles. Most of the posts were identical, a fact that didn’t stop them from reaching the eyes of over 272,000 profiles. It’s safe to assume that the hackers who created the fake profiles with the purpose of offering and spreading their services knew exactly what they were doing, since those bots also engaged and interacted with one another, taking advantage of Twitter’s algorithm to gain increased trending and reach a wide audience.
Everything Wrong With Hacking as a Service (Haas)
Why would people use a shady hacking service instead of contacting online trading platforms’ customer services? The short answer is that they usually tried everything else. The rapid surge in the popularity of e-trading platforms placed a strain on their customer service centers, which found it challenging to cope with the overwhelming demand. And while their strict security regulations are undeniably crucial for safeguarding users’ information and money, they’re also pushing desperate people who lost all hope of ever seeing their money into radical decisions.
This is where hackers rise to “help”. Just a short while ago, hacking services were something you could only find on the dark web or cybersecurity underground. Now, the same hackers market their services openly on social media, and some go as far as advertising themselves on government websites.
This may appear as an organic shift in the free market economy – after all, if E-trading platforms cannot assist their customers, why shouldn’t hackers step in to bridge the void?
But the damage to the platforms, to their reputation and to their customers is not something to be taken lightly. In the world of digital trading, security and safety is everything. While CISOs put effort, time, and money into protecting their clients’ data and investments, those very clients might be paying a third party to hack into their locked accounts because the platforms themselves were unable to support them. By doing that, they provide those hackers with new paths into the platforms.
Since giving your credentials to a hacker is also a violation of E-trading companies’ terms of service, customers being scammed by those hackers will probably never report the phishing or theft to the platforms, for fear of losing the only chance to get back into their accounts. This means hackers are not only infiltrating the platforms, they also remain undetected.
Even if we believe those hackers have no hidden agenda or malicious intents, and are doing exactly what they claim to do – helping people regain access to their locked accounts – they are still breaking the terms of service, which are there for a good reason. Since hackers won’t bother to authenticate users as the platforms do, their services can be used to hack into somebody else’s account.
Let’s try an even more optimistic scenario: even if the platform’s security measures are so solid that not even a single account is hacked, trending posts like the ones below lay a big stain on the platforms’ reputation when claiming customer support is pointless and implying that other hackers are already active on the platforms, breaking into people’s accounts. With hackers maliciously using social media, frustrated users complaining about slow or unresponsive customer service can be amplified to trigger a wave of consumer hate, leading to massive reputation damage.
Can E-Trading Halt Hacker Havoc?
Hacking as a Service poses a significant security threat to E-Trading platforms, undermining their claims of robust security. Worse, the fact they promote their services online while disparaging the platforms themselves creates a major brand reputation problem for those platforms, whose success depends on their ability to keep customers’ money and accounts safe. And while these companies can invest in better security measures for their customers, rebuilding their brand reputation after the harm HaaS caused can prove significantly more challenging. CISOs responsible for the security of digital trading platforms must also be aware of threats emanating from social media, and understand the potential risk to their company’s reputation.
As the trend of hackers-for-hire expands, it poses a direct threat to the integrity and reputation of the entire E-Trading industry. It is crucial for CEOs and CISOs to recognize that security extends beyond the platform itself and includes active monitoring of their companies on social media. Real-time monitoring and alerts can make the difference between catching and reporting bad actors, to suffering major reputation damage.
