Seeing is (not) Believing: Practical Phishing Attacks Targeting Social Media Sharing Cards
arXiv (Cornell University)(2024)
Abstract
In the digital era, Online Social Networks (OSNs) play a crucial role in information dissemination, with sharing cards for link previews emerging as a key feature. These cards offer snapshots of shared content, including titles, descriptions, and images. In this study, we investigate the construction and dissemination mechanisms of these cards, focusing on two primary server-side generation methods based on Share-SDK and HTML meta tags. Our investigation reveals a novel type of attack, i.e., Sharing Card Forgery (SCF) attack that can be exploited to create forged benign sharing cards for malicious links. We demonstrate the feasibility of these attacks through practical implementations and evaluate their effectiveness across 13 various online social networks. Our findings indicate a significant risk, as the deceptive cards can evade detection and persist on social platforms, thus posing a substantial threat to user security. We also delve into countermeasures and discuss the challenges in effectively mitigating these types of attacks. This study not only sheds light on a novel phishing technique but also calls for heightened awareness and improved defensive strategies in the OSN ecosystem.