Thursday, November 20, 2008

Cyberscams Befriend Social Networks

Now fraudsters may log on as your "friend." How Facebook, LinkedIn, and other social networking sites are fighting a rise in scams

Remember the associate of that deposed dictator who needed your help transferring a few million dollars from a Swiss bank account? Well, he's back. And he—or one of his ilk—may show up soon posing as your "friend" on Facebook.

Someone bearing an eerie resemblance to those ubiquitous perpetrators of so-called Nigerian scams ended up in the online social network of Australian citizen Karina Wells. Earlier this month Wells received a message on Facebook from someone she thought was her real-life friend Adrian. He wrote that he was stranded in Lagos, Nigeria, had no access to a phone, and needed Wells to wire $500 for a plane ticket home. "Adrian" even pleaded for help in a real-time conversation over Facebook's chat service.

Wells didn't buy it. She alerted Australian authorities and Facebook, each of which is conducting an investigation. Although the details have yet to be confirmed, Facebook officials believe someone obtained Adrian's log-in credentials through a "phishing" scheme, luring him to a dummy site where he was asked to enter his Facebook password. The incident was initially reported by the Sydney Morning Herald and later confirmed by

Wells thwarted the apparent ruse, but officials and security experts warn such scams may become more common in an online world where millions of people interact daily, often sharing intimate details with widening circles of friends.

"Implied Trust"
While e-mail is still the most common online method used by scam artists to contact potential victims, fraudsters are increasingly turning to Web pages, a category that includes social networks, according to the FBI and the National White Collar Crime Center. Last year the total amount of money reported lost through Internet crime in the U.S. rose 21%, to a record $239 million, according to those agencies. The victim was contacted through a Web page in 32.7% of those cases, up from 16.5% in 2005. Social networks are partly to blame for the increase, officials say. "There is an implied sense of trust, and there's not the sense that we can be physically harmed," says Shawn Henry, assistant director of the FBI's Cyber Investigations division.

Social networks are also more ubiquitous, Henry notes. "Many [criminals] have now moved to computer networks because that's where the victims have moved and, therefore, the opportunities." According to comScore (SCOR), the number of unique visitors to all social networking sites worldwide reached 689 million in October, up 35% from a year earlier.

It's not difficult for a savvy Web surfer to impersonate someone else in cyberspace, as a high-profile cyber-bullying trial now under way plans to show. On Nov. 18 jury selection began in a federal court in Los Angeles for the case of Lori Drew, who prosecutors say passed herself off as a teenage boy in a widely publicized case of impersonation on a social networking site. Two years ago 13-year-old Megan Meier hanged herself after receiving messages from "Josh," an older boy she had befriended on News Corp.-owned (NWS) MySpace, who allegedly later told her that the world "would be better off" without her. According to prosecutors, an investigation ultimately revealed that "Josh" was a fictitious online persona of multiple people, including Lori Drew, the mother of one of Meier's teenage rivals. Drew now faces one count of conspiracy and three counts of accessing computers without authorization.

Fooling Security Experts
A pair of online security industry consultants carried out an experiment recently to demonstrate just how easy it is to masquerade as someone else on LinkedIn. Shawn Moyer of FishNet Security and Nathan Hamiel of Idea Information Security got permission from a friend to set up a phony profile page on the networking site aimed at professionals. Together, they posed as Marcus Ranum, a consultant renowned for building the first e-mail server for and who now serves as chief of security for Tenable Network Security. Moyer and Hamiel used Ranum's name, résumé, and photo (all of which they found on the Web without any help). Moyer and Hamiel then set about seeking to connect with chief security officers and chief information officers of large companies, an editor-in-chief of a security trade magazine, defense industry professionals, and other people whom Ranum might know in real life.

Despite their online security expertise, most accepted the request. And once the fake Ranum had several authentic connections within the industry, he looked even more credible to the next target. "I would have expected that the security community would have been a little more paranoid," Ranum says. The experiment proved to Moyer and Hamiel what they had suspected: Users of social networking sites expect little more proof of a friend's identity than a name, a photo, and a few bits of knowledge about their real life. "What if I wanted to get inside IBM (IBM)?" asks Moyer. "What if I had wanted to get inside the [U.S. Defense Dept.]? Who else might Marcus know?"

Enforcement Hurdles
There's no easy solution for the social networking sites themselves. Each major networking site contains terms of service that prohibit posing as another user. "The rules of impersonation are pretty much the same on the Internet as off the Internet," says Gene Landy, principal with Boston-based law firm Ruberto, Israel & Weiner. In both places the severity of punishment hinges on how much harm is intended. Pretending to be an ex-girlfriend and posting embarrassing photos on Facebook, for example, would likely constitute a civil offense, Landy says. But almost any serious attempt at fraud—pretending to be someone else to obtain money or retrieve sensitive information—would likely be tried as a criminal offense, he explains.

Enforcing the rules online can be tricky for social networks that don't want to put off would-be users with a rigorous authentication process. Facebook maintains a long list of blacklisted names that bars users from registering with fictitious names such as Donald Duck and Evil Spock, two of the most popular false IDs, says Facebook's head of security, Max Kelly. The site also prohibits suspicious activity such as spamming users with hundreds of messages. But mainly it falls to users to be vigilant. "If you use Facebook the way we intend people to use Facebook, which is to model your real-world interactions, people won't be able to impersonate someone else," Kelly says. Still, he adds, "I'm not ruling out that we may look at other ways to verify people's identities in the future."

Security expert Moyer admits it would be pretty difficult for LinkedIn to have measures in place to thwart his experiment, but says it and other sites should take some steps to authenticate users. For one, he recommends that new user profiles get stamped with some kind of "born-on date" that displays when the account was created. That could impede scammers who cycle through many new accounts every day. Also, sites should develop some kind of peer warning system that lets users flag others' suspicious activity.

Still, the best prevention method remains educating Web users to be more cautious of people in their networks. "When I get a friend request, I tend to ask people what T-shirt [they] wore the last time we had dinner," Moyer says.

A simpler way to check identity is to spend some time on the person's profile, see how long they've been active, how familiar their friends appear to be, and whether the messages and multimedia they post reflect their personality.

When all else fails, it's probably best to be leery of requests for money or bank account information—especially when they emanate from deposed dictators.

1 comment:

  1. In reply to: "he recommends that new user profiles get stamped with some kind of "born-on date" that displays when the account was created. That could impede scammers who cycle through many new accounts every day"

    That is not enough because scammers may open many new accounts and just put them on hold till they are old enough.

    There should be some measure of 'useful' activity of the user, such as sending messages that are not spam, receiving connection requests from other users, etc.
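The article's proposed "born-on date" and the commenter's point that age alone can be gamed suggest a combined heuristic. The following Python screening function is an added example, not code from the article, Facebook or LinkedIn; it combines account age with the activity signals the comment names (non-spam messages sent, connection requests received) plus mutual connections, so that an account that was simply opened and left "on hold" still gets flagged. All field names, thresholds and sample accounts are constructed for illustration.

```python
"""Screen an incoming friend request with account age plus activity signals.

Added example (not the article's, Facebook's or LinkedIn's code). Thresholds
and the sample accounts below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    name: str
    created: date            # the "born-on date" shown on the profile
    messages_sent: int       # messages the platform did not classify as spam
    spam_reports: int        # messages recipients reported as spam
    requests_received: int   # connection requests initiated by *other* users
    mutual_connections: int  # connections shared with the person being asked

MIN_AGE_DAYS = 30         # constructed threshold for "new account"
MIN_GENUINE_MESSAGES = 5  # constructed threshold for "has real activity"
MAX_SPAM_RATIO = 0.2      # constructed: more than 20% reported is suspicious

def account_age_days(acct: Account, today: date) -> int:
    return (today - acct.created).days

def risk_flags(acct: Account, today: date) -> list:
    """Return the list of reasons this account looks untrustworthy."""
    flags = []
    if account_age_days(acct, today) < MIN_AGE_DAYS:
        flags.append("new_account")
    # A sleeper account aged "on hold" has a good born-on date but no
    # genuine activity, so age is never enough by itself.
    total = acct.messages_sent + acct.spam_reports
    spam_ratio = acct.spam_reports / total if total else 0.0
    if acct.messages_sent < MIN_GENUINE_MESSAGES or spam_ratio > MAX_SPAM_RATIO:
        flags.append("no_genuine_activity")
    # Real users get asked to connect; mass-adding accounts only send requests.
    if acct.requests_received == 0:
        flags.append("no_inbound_connections")
    if acct.mutual_connections == 0:
        flags.append("no_mutual_connections")
    return flags

def screen(acct: Account, today: date) -> str:
    """Map flags to a verdict: 'accept', 'review' (ask the T-shirt question), 'reject'."""
    flags = risk_flags(acct, today)
    if not flags:
        return "accept"
    if len(flags) == 1:
        return "review"   # e.g. a genuinely new user with real connections
    return "reject"

# Constructed sample accounts, evaluated as of the article's date.
TODAY = date(2008, 11, 20)
GENUINE = Account("longtime user", date(2007, 6, 1), 120, 0, 40, 12)
SLEEPER = Account("aged but idle", date(2008, 1, 15), 0, 0, 0, 0)
NEW_REAL = Account("joined last week", date(2008, 11, 10), 8, 0, 3, 5)

if __name__ == "__main__":
    for acct in (GENUINE, SLEEPER, NEW_REAL):
        print(f"{acct.name}: {screen(acct, TODAY)} {risk_flags(acct, TODAY)}")
```

The sleeper account passes the born-on-date check (over 300 days old) yet is rejected on the three activity flags, while the week-old genuine account is only sent to "review", where the user can fall back on the out-of-band verification Moyer describes.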