In July 2018, over 100 Israeli soldiers were approached by fake social media accounts that displayed pictures of attractive young people. The accounts cajoled the soldiers to download malicious football and dating apps. These apps gave the Hamas-backed cybercriminals access to the user’s location, contacts and photos, in addition to control over the phone’s camera and microphone for spying. In a more recent case, fake accounts created in the name of actor Hugh Jackman approached several users asking them for donations. The actor took to Twitter to warn users of the fake accounts.
These are simply cases in point. Social media platforms are increasingly being used by cybercriminals to spy, send malicious links and carry out financial frauds. According to an April report by RSA Security, social media fraud has increased by 43% in 2018.
“The motive behind fake social-media accounts could be to impersonate an individual with an intention to either trick specific users for getting sensitive information or spread misleading information to a larger audience. The hacker may compel users to re-direct to malicious links and download unverified files, leading the viruses or malware to spread,” said Burgess Cooper, partner, cybersecurity at EY India.
“In 2018, our anti-phishing technologies blocked more than 3.7 million attempts to visit fraudulent social media network pages and 60% of the fake pages were found on Facebook,” said Shrenik Bhayani, general manager for the South Asia region at Kaspersky Labs. Scammers also use social media platforms like Instagram to leave malicious phishing links in the comments section of trending posts, adds Bhayani.
Most social media platforms offer embedded browsers so they won’t have to leave their app to check a link. These in-app browsers can expose users to malicious webpages. “As the in-app browsers aren’t the primary browsers, some of the inherent or basic security controls normally available on default browsers may not be incorporated by the publishers, which will inadvertently help the attackers to gain access to potentially sensitive data,” said Prateek Bhajanka, principal analyst, Gartner. The anti-virus solutions in laptops, mobile phones also won’t be effective in such cases because they swing into action once something is downloaded on the system or written to the disk, Bhajanka said.
Social media platforms are more effective for cybercriminals since they allow attackers to build a rapport with their targets and increases the likelihood of their clicking on the links and photos shared with them, in comparison to a phishing email sent by a totally unknown entity. “It is much more likely that a person will click on a fake bank site if the link comes from his/her social network friend rather than from an unknown person,” Bhayani points out.
Bhajanka cites the example of an “inspirational video” going viral recently, where it urged users to use their aspiration or ambition as their password as it would remind them of their goal every time they entered it. However, he cautions that if you share the video, it would not be difficult for a hacker to guess your ambition/aspiration looking at your social feed and thus guess your password. Similarly, many Facebook users often report on forums that they have been getting requests for financial assistance from accounts of friends. The fact is that hackers target accounts of inactive users and use them to target the friends who are still active on the platform.
“Gullible users often fall for fake accounts as these profiles are based on seemingly real identities, posing to be to be genuine people. The urge to gain more followers or to befriend an attractive looking person are the primary reasons people accept such requests,” said Venkat Krishnapur, vice president of engineering and managing director, McAfee India.
Despite several attempts to purge fake accounts, leading social media platforms like Facebook, Instagram and Twitter have not been able to get rid of them completely. According to a July report by HyperAuditor, Instagram has more than 16 million fake accounts in India alone. The total number of such accounts is a lot higher.
Twitter on its part also cracked down on fake accounts that were being used by media personalities, politicians, brand ambassadors to inflate their total number of followers. These fake accounts are used for bulk tweeting, sharing fake news reports and posting large number of unsolicited replies to influence public opinion during elections or in general towards a product or brand.
Facebook claims it has several measures in place to block fake accounts from being created. Their systems look for a number of different signals like use of a certain location to create multiple accounts and then block certain IP addresses altogether. In case of accounts that show no signals of being fake, Facebook waits until they show signs of malicious activity or a user reports them.
Krishnapur advises that social media sites need to work in tandem and communicate with each other as fake profiles are reused across different social networks.
However, with users spending more time on social media, social media companies need to step up their game to keep such hackers at bay.
WHY YOU MUST BE ON YOUR GUARD
* Hackers can hijack real accounts to target unsuspecting friends and contacts
* Friends are likely to give into requests for financial aid
* Hackers can also use them for gathering information on targets and use it for phishing attacks
* Hijacked accounts can be sold on Dark Web to highest bidder