A Match Made in Heaven: Fraud and Social Media

Since the days of Friendster and GeoCities, fraud has thrived on social media.

Social media is the fraudsters’ playground—an unregulated, highly visible, easily exploitable platform that connects with billions of people and serves a host of purposes in a hacker’s repertoire. Many fraudulent accounts are mere satire or innocuous trolling, but others are created with far more devious intentions.

Even inexperienced cyber criminals can carry out low-tech attacks via social media by building convincing profiles and connecting to the right people. In a targeted attack, hackers connect with colleagues and friends of the target, a tactic called “gatekeeper friending,” to appear more legitimate once connecting to the target itself.

In the unverified world of social media, fraudsters lay claim to whatever they like—that they work at the same organizations, have the same alma mater, or share all the same goals and interests. Never in the history of human communication has deceit been easier. With these elements in place, the hackers can request sensitive information or ask for money. If the target believes the account to be a coworker, relative, or love interest, these things are openly shared.

In a SEC Form 10 filing Facebook estimates that nearly 15 million of its accounts are “undesirable.” Even more are considered “false” accounts—nearly 100 million. According to Barracuda Labs, Twitter is similarly fraudulent—about 10% of accounts. Expect these trends to grow. Fake accounts can be leveraged in more technical attacks as well, such as phishing or malware attacks. Launching such a campaign from a well connected, legitimate-looking profile increases the efficacy of any malware or phishing campaign.

Imitating a brand is also particularly simple. A quick Google image search to get the company logo, and a hacker can set up a fake customer service representative account. Again, these can be low-tech, used to slander the company, or for more advanced ends, such as to spread malware links via targeted scams and attacks. These fraudulent accounts will often try to phish company employees into disclosing brand account credentials or sensitive company data. These attacks can be spread using company hashtags both to make the account seem more legitimate and to amplify the attack across the company’s social footprint.

Impersonations can also target the employees of an organization. These attacks often start with a senior executive impersonator account requesting sensitive information or account credentials from subordinates. Hackers can then use these credentials to gain access to the legitimate brand accounts and post anything they choose, from malicious links to slander and abuse.

Fake accounts have existed since the beginning of social media. A handful of examples from the past half-decade: In 2010 a Paramount Entertainment impersonator rattled off racist and inappropriate tweets. Last year, a Thai woman stole some $200,000 using a fake Furby Instagram account. Also in 2013, a fraudulent Southwest Airlines Facebook page boasted some 2000 followers and an Instagram scam promised VIP deals on American Airlines, Jet Blue, Delta, United Airlines and Emirates.

The app InstLike, as seen in the picture, tricked over 100,000 users into letting the app hijack their account and like random photos. In January, fake Twitter accounts disguised as market researchers connected to traders in the finance world and claimed several small companies were under investigation by the Department of Justice—hackers rode the ensuing stock plunge.

One group historically prone to social media fraud is the military. Hackers launch “romance scams,” in which fake profiles of servicemen abroad connect with loved ones at home, or even initiate online relationships. Once the targeted party believes they are communicating with a real person, the hacker will request money. One unnamed military official in particular has some 30 imposter Facebook accounts. More troubling is the nearly 100 fake Skype accounts – the most popular means of communication between military personnel and loved ones at home, and thus the easiest target for “romance scams.” Even the Russian social networking site VK has 75 different profiles under this same military official’s name.

Most recently, the fake Jamie Dimon Twitter account took center stage in the news of fraudulent social media activity. It began benignly, posting tweets like, “We are excited to announce that our CEO James Dimon has joined Twitter. This account is managed by the Global Media Relations Department.” The account followed notable business leaders and tweeted several times throughout the day.

For organizations, the cost of social media fraud varies on the type and breadth of the attack. Customer scams have serious business implications further down the road, in the form of customer loyalty and support costs. Executive impersonations can result in brand reputation damage or stock manipulation. Businesses are beginning to understand the full scope of this problem—a third of users say they have been sent malware on social, 24% of SMBs say they have been compromised via social, and 72% of companies believe employees’ use of social media poses a threat to their organization.

As long as social media exists, fraud will persist as a problem. It’s time for organizations to take the threat of social media very, very seriously.

This article was originally published in Security Week. See the full article here.