Parler collapse opens door to phishing attacks

The publication of huge amounts of data on users of defunct social network Parler, gathered by ethical hackers in the last hours before the site’s shutdown, almost certainly heralds new cyber criminal phishing campaigns, according to cyber security experts.

Established as a “free speech” alternative to mainstream social networks such as Twitter, Parler has become a hotbed of far-right extremist content and may have played a pivotal role in coordinating the 6 January terrorist attack on the US Capitol.

In the past week, social media firms and technology platforms have moved against some of the extremist elements they were previously happy to host, most notably banning defeated US president Donald Trump – now facing impeachment over his role in inciting the attack on his own government – from Facebook and Twitter and banning thousands of related accounts.

Parler itself fell offline after AWS cancelled its services, citing breaches of its terms of use, but before the shutdown, ethical hackers were able to gain access to the service to scrape terabytes of user data, possibly as much as 99% of all the data on the service.

The effort was led by an activist going by the Twitter handle @donk_enby, who described the effort as akin to “a bunch of people running into a burning building trying to grab as many things as we can”.

The group was working to preserve Parler’s content for researchers, but the data is also expected to prove useful to law enforcement agencies in tracking down and arresting those involved in the storming of the Capitol.

However, in making it public, the data is now also available to anybody who cares to access it, including cyber criminals, according to Eric Howes, principal lab researcher at security training firm KnowBe4.

Howes said the shutdown of Parler came at a perilous time in the US.

“Emotions in this country are at a boiling point following the events in DC. With the near simultaneous suspension of Trump from Twitter and other social media platforms and the removal of Parler from app stores, many users will be highly motivated to find alternative sources to download and access Parler. And that represents a golden opportunity for malicious actors to exploit,” he wrote.

“We anticipate that bad actors will fill the gap by launching phishing campaigns that offer users bogus websites with fake, malicious Parler downloads or even malware-infected versions of Parler. They may also set up fake websites and push malicious online advertising to do the same.”

KnowBe4 believes Parler-themed phishing attacks will likely take two forms, either spoofed emails from Parler itself, or spoofed emails from far-right groups denouncing the actions of Amazon, Apple and Google. In both cases the emails will contain alternative links to download or install Parler, that in fact direct to malicious or compromised websites, opening the doors to further compromise, data exfiltration, scams, malware and ransomware attacks.

Howes said the nature of the data dump from Parler, which is understood to include profile data, user information, admin rights data, videos and posts, could allow malicious actors to individually target its users, and while there is a certain amount of schadenfreude in the prospect of terrorists being attacked by cyber criminals, it is important to remember that a very small minority of Parler users took part in the attack on the Capitol, making this a serious potential threat.

In response, KnowBe4 is adding simulated Parler phishes to its KMSAT security awareness training platform, which are now available in its “Controversial/NSFW” collection.

Howes advised security teams to alert employees and users to the danger that if any of their data has been caught up in the Parler dump, they could well encounter further attempts at compromise.