This Friday, Facebook will go public in one of the most anticipated IPOs in history. With more than 900 million users, Mark Zuckerberg’s expanding social media empire has become a seemingly irreplaceable part of the online experience. Unfortunately, a byproduct of its success is that millions of Americans are far more exposed to a number of cyber crimes that also teem on the site.
To be sure, cyber crimes have been occurring for some time, but the
presence of social media has made many crimes much easier to commit. In
social networks people make “friends” without knowing the person and
make personal information easily available. And none of the networks
present more opportunity to criminals than Facebook and its hundreds of
millions of users. With this in mind, 24/7 Wall St. looked at some of
the most common ways criminals use Facebook.
Internet security analysts warn that Facebook is a hotbed for online
crime. According to an infographic published earlier this year by
ZoneAlarm, a leading Internet security software provider, “roughly 4
million Facebook users experience spam on a daily basis, 20% of Facebook
users have been exposed to malware,” and Facebook receives 600,000
reports of hijacked log-ins every day.
Facebook knows that there is a problem. Earlier this year, the social
media giant began working with the U.S. Attorney General’s office to
try to combat linkjacking, a new form of account hacking and spam that
is more or less unique to Facebook. Through various kinds of identity
theft, linkjacking spammers send messages containing false ads or even
viruses to the victims, pretending to be a Facebook friend.
Like linkjacking, malware represents yet another growing threat for
Facebook users, Dr. Kent Seamons, assistant professor in the Computer
Science Department at Brigham Young University, told 24/7 Wall St.
“Hackers get malware on your machine and get tens if not hundreds of
thousands of these machines under their control and then they rent them
out to spammers and others,” Seamons explains. Renting Facebook accounts
to spammers is one of the many ways that thieves monetize the personal
information they steal. These rented accounts can then be used to
advertise products illicitly or to request money from unsuspecting
Ultimately, all social media sites make it easier for criminals to
deceive their victims. According to a study published in Communications
of the ACM, a journal for computing professionals, the percentage of
students that responded to a phishing email increased from 16% to 72%
when the email included relevant social information about the target.
For example, scams that make it appear that a message comes from a
friend of the target make it more likely that the target will respond.
These are the nine ways criminals use Facebook.
1. Hacking Accounts
When criminals hack a Facebook account, they typically use one of
several available “brute force” tools, Grayson Milbourne, Webroot’s
Manager of Threat Research for North America, told 24/7 Wall St. in an
interview. These tools cycle through a dictionary of common passwords,
along with commonly used names and dates, against hundreds of thousands
of different email IDs. Once hacked, an account can be commandeered and
used as a platform to deliver spam, or — more commonly — sold.
Clandestine hacker forums are crawling with ads offering Facebook
account IDs and passwords in exchange for money. In the cyber world,
information is a valuable thing.
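An added example, not code from the original article or from Webroot, showing how a defender can spot the pattern Milbourne describes in login audit logs: one source trying a guess or two against many different accounts (spraying), as opposed to many guesses against a single account. The log line format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of login-audit lines (format assumed: timestamp, source ip,
# account, result); they are not real Facebook logs.
SAMPLE_LOG = """\
2012-05-14T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2012-05-14T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2012-05-14T10:00:03Z ip=203.0.113.5 user=carol@example.com result=FAIL
2012-05-14T10:00:04Z ip=203.0.113.5 user=dave@example.com result=OK
2012-05-14T10:00:06Z ip=198.51.100.7 user=frank@example.com result=FAIL
2012-05-14T10:00:07Z ip=198.51.100.7 user=frank@example.com result=FAIL
2012-05-14T10:00:08Z ip=198.51.100.7 user=frank@example.com result=FAIL
2012-05-14T10:00:09Z ip=198.51.100.7 user=frank@example.com result=FAIL
2012-05-14T10:00:10Z ip=192.0.2.9 user=grace@example.com result=OK
"""
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")

def classify_sources(log_text, spray_min_accounts=4, brute_min_fails=4):
    """Group login attempts by source IP and label two abuse patterns: 'spray'
    (a few guesses each against many accounts) and 'brute_force' (many failed
    guesses against one account); successes from a flagged source are listed."""
    per_ip = defaultdict(lambda: {"fails": 0, "attempts": 0,
                                  "users": defaultdict(int), "ok_users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, user, result = m.groups()
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"][user] += 1
        if result == "FAIL":
            rec["fails"] += 1
        else:
            rec["ok_users"].add(user)
    findings = {}
    for ip, rec in per_ip.items():
        distinct = len(rec["users"])
        if distinct >= spray_min_accounts and rec["attempts"] / distinct <= 2:
            label = "spray"
        elif distinct == 1 and rec["fails"] >= brute_min_fails:
            label = "brute_force"
        else:
            continue  # ordinary traffic, e.g. one user mistyping a password
        findings[ip] = {"label": label, "accounts": distinct, "fails": rec["fails"],
                        "succeeded": sorted(rec["ok_users"])}
    return findings
```

Accounts listed under `succeeded` for a flagged source are the ones worth forcing a password reset on, since a spray that ends in one success is exactly how a hijacked log-in starts.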
2. Commandeering Accounts
A more direct form of identity theft, commandeering occurs when the
criminal logs on to an existing user account using an illegally obtained
ID and password. Once they are online, they have the victim’s entire
friend list at their disposal and a trusted cyber-identity. The impostor
can use this identity for a variety of confidence schemes, including
the popular London scam in which the fraudster claims to be stranded
overseas and in need of money to make it home. The London scam has a
far higher success rate on Facebook — and specifically on commandeered
accounts — because there is a baseline of trust between the users and
those on their friends list.
3. Profile Cloning
Profile cloning is the act of using unprotected images and
information to create a Facebook account with the same name and details
of an existing user. The cloner will then send friend requests to all of
the victim’s contacts. These contacts will likely accept the cloner as a
friend since the request appears to be from someone they’re familiar
with. Once accepted, the crook has access to the target’s personal
information, which they can use to clone other profiles or to commit
fraud. As Grayson Milbourne puts it, “Exploiting a person’s account and
posturing as that person is just another clever mechanism to use to
extract information.” Perhaps what’s scariest about this kind of crime
is its simplicity. Hacking acumen is unnecessary to clone a profile; the
criminal simply needs a registered account.
4. Cross-Platform Profile Cloning
Cross-platform profile cloning is when the cyber criminal obtains
information and images from Facebook and uses them to create false
profiles on another social-networking site, or vice versa. The principle
is similar to profile cloning, but this kind of fraud can give Facebook
users a false sense of security because their profile is often cloned
to a social platform that they might not use. The result is that this
kind of fraud may also take longer to notice and remedy.
5. Phishing
Phishing on Facebook involves a hacker posing as a respected
individual or organization and asking for personal data, usually via a
wall post or direct message containing a link. Once clicked, the link infects the users’
computers with malware or directs them to a website that offers a
compelling reason to divulge sensitive information. A classic example
would be a site that congratulates the victims for having won $1,000 and
prompts them to fill out a form that asks for a credit card and Social
Security number. Such information can be used to perpetrate monetary and
identity fraud. Grayson Milbourne of Webroot also explained that
spearphishing, a practice that uses the same basic idea but targets
users through their individual interests, is becoming increasingly common.
6. Fake Facebook
A common form of phishing is the fake Facebook scam. The scammers
direct users via some sort of clickable enticement, to a spurious
Facebook log-in page designed to look like the real thing. When the
victims enter their usernames and passwords, they are collected in a
database, which the scammer often will sell. Once scammers have
purchased a user’s information, they can take advantage of their assumed
identity through apps like Facebook Marketplace and buy and sell a
laundry list of goods and services. Posing as a reputable user lets the
scammer capitalize on the trust that person has earned by selling fake
goods and services or promoting brands they have been paid to advertise.
7. Affinity Fraud
In cases of affinity fraud, con artists assume the identity of
individuals in order to earn the trust of those close to them. The
criminal then exploits this trust by stealing money or information.
Facebook facilitates this type of fraud because people on the site often
end up having a number of “friends” they actually do not know
personally and yet implicitly trust by dint of their Facebook
connection. Criminals can infiltrate a person’s group of friends and
then offer someone deals or investments that are part of a scheme.
People can also assume an identity by infiltrating a person’s account
and asking friends for money or sensitive information like a Social
Security or credit card number.
8. Mining Unprotected Info
Few sites provide an easier source of basic personal information than
Facebook. While it is possible to keep all personal information on
Facebook private, users frequently reveal their emails, phone numbers,
addresses, birth dates and other pieces of private data. As security
experts and hackers know, this kind of information is often used as
passwords or as answers to secret security questions. While the majority
of unprotected information is mined for targeted advertising, it can be
a means to more pernicious ends such as profile cloning and,
ultimately, identity theft.
9. Spam
Not all spam — the mass sending of advertisements to users’ personal
accounts — is against the law. However, the existence of Facebook and
other social sites has allowed for a new kind of spam called
clickjacking. The process of clickjacking, which is illegal, involves
the hacking of a personal account using an advertisement for a viral
video or article. Once the user clicks on this, the program sends an
advertisement to the person’s friends through their account without
their knowledge. This has become such an issue for the social media
giant that earlier this year the company teamed up with the
U.S. Attorney General to try to combat the issue.
-Michael B. Sauter, Adam Poltrack and Ashley C. Allen