Social Media Rise
Defining social media is difficult because it is ever-changing, like technology itself, but for the purposes of this article, social media will be defined as any website or software that allows you to receive and disseminate information interactively.
The tremendous rise in popularity of social media over the past 7 years has led to a drastic change in personal communication, both online and off. According to the world population clock, the total world population is around 7.06 billion. Against that figure, consider the popularity of sites such as:
- Craigslist (60 million U.S. users each month)
- Facebook (1.06 billion monthly active users)
- Foursquare (has a community of over 30 million people worldwide)
- Twitter (500 million users)
- YouTube (800 million users)
In addition to personal usage, businesses and the public sector use social media to advertise, recruit new employees, offer better customer service, and maintain partnerships. In fact, 65% of adults now use social media. Social networking is the most popular online activity, accounting for 20% of time spent on personal computers and 30% of mobile time. As social interactions move more and more online, so does the crime that follows them.
Crimes Linked to Social Media
Social networking consists of websites that allow users to create an online profile in which they post up-to-the-minute personal and professional information about their life that can include pictures, videos, status updates, and related content. Social networking is a potential gold mine for criminals who leverage the users’ personal details into financial opportunity.
The classic example of exploitation on social networking sites involves the perpetrator perusing users’ profiles and looking for potential victims in the vicinity who won’t be home. Myspace and Facebook users can post that they will be out for the evening, which gives potential thieves a large time window to burgle the property. Facebook and Twitter now have a new “my location” feature allowing readers to see where users were and how long ago they posted their update, making it that much easier for criminals to attack. Stories of this nature are frequently in the media and serve as a reminder that users are not as cautious as they should be with their personal information. The thieves see a status update of a family being on vacation for an extended period of time and jump at the perfect opportunity to steal some valuables. In another example, a recent investigation in New Hampshire ended when thieves who used Facebook to profile victims were caught using a very peculiar type of firework that had recently been taken in a burglary. An off-duty officer investigated firework explosions he could hear in the distance. The fireworks had been stolen in a series of break-ins over the prior month.
Some other social networking applications, such as Foursquare and Gowalla, are primarily location-based networks. Users of these networks can be rewarded for posting their locations frequently and are then given temporary titles while at their location. For example, posting that you’re having a cup of coffee at Starbucks may make you the Mayor of Starbucks on this certain site. As previously mentioned, posting a location allows perpetrators the perfect window to commit a burglary, vandalism, or even a home invasion.
Cybercasing the Joint
Another development in social media technologies is called geotagging, which embeds geographical data (longitude and latitude) into media such as photos, videos, and text messages. Geotagging allows users’ locations to be posted along with their media. The location of users can be found quickly and precisely by combining the geotagging of media-friendly sites, such as YouTube, Flickr, Google Maps, Twitter, Facebook, and Craigslist, with all the aforementioned networking sites to triangulate all known positions. Facebook added the “add location” option without letting users know. This feature tacks on information about where the user was and when they were there when they updated their status. For example, at the end of a status it will say “near Cheat Lake approximately 2 minutes ago.” This same feature has been added to Twitter, except that before composing a tweet it asks whether or not you would like to add your location. That is a tad more considerate than Facebook, but dangerous nevertheless.
Determining Location of Desired Victims
A recent study from the International Computer Science Institute tested the potential to use all publicly available resources to determine the locations of a variety of people on the Internet. A process called cybercasing allows users to access online tools to check out details, make inferences from related data, and speculate about real world locations for questionable purposes. Cybercasers use the Internet to determine the location of a desired victim by accessing any available resource. The cybercasing study used three different websites in its scenarios:
- The 1st scenario used the virtual flea market site Craigslist to spot desirable photographs with geotagged data. In most cases, the researchers were able to cross-reference Google Street View to determine the exact address of the poster. Researchers also determined what times were best to burgle a residence by a poster’s ad that would often state “Please call after 5 p.m.,” implying that they would be gone at work on most days.
- The 2nd scenario examined the Twitter feed of a well-known reality show host. By viewing the pictures posted on TwitPic with the Firefox plug-in Exif-Viewer, the researchers only had to right click on the celebrity’s pictures to reveal geographical coordinates. By taking the average of several pictures posted in a similar region, the researchers could determine the location of the user with great precision.
- Lastly, YouTube was used to find the home address of someone currently on vacation. By creating a script that collects usernames and downloads the related videos, researchers were able to find a user who lived in the predetermined area of Berkeley, CA and was currently on vacation in the Caribbean, as determined by his most recent YouTube uploads. The researchers were able to use his real name in a Google search to determine his address. The entire process took less than 15 minutes.
Social networking offers opportunities for those who spread viruses and malware. Users clicking on links, opening attachments, and responding to messages on networks can become victims without knowing it, resulting in adware, viruses, and malware being loaded onto their machines. Malware attacks have increased and are only growing because of the use of social media. According to one report, 52% of organizations have experienced an increase in malware attacks as a result of their employees’ use of social media. Additionally, the business world is concerned that their employees’ online behavior could be putting their network security at risk. Sophos’ 2010 Security Report surveyed over 500 organizations and found that 72% were concerned that social networking endangered their security. A 2011 survey done by Socialware found that 84% of financial advisors said they use social networks for business purposes, up from 60% in 2010.
While there is very little risk of contracting malware from Facebook itself (or any other reputable social media site), there are various tricks that scammers can use to get you to leave the protective social media environment without even realizing it. A user must first be tricked into leaving the Facebook world by clicking a link on Facebook that leads to an external website; only then is a malware attack able to take place. One technique criminals use to trick users into installing malware is creating fake pop-ups that look like the update screens used by various common web browser plug-ins (such as Adobe Flash Player), in hopes that users will be used to occasionally updating their software for websites and click on it without a thought. The Sophos’ Security Threat Report of 2013 states that in 2012, more than 80% of threats were from redirects, mostly from legitimate sites that had been hacked.
A variety of forms of identity theft are performed daily on social networking sites under the guise of other tasks. For example, one technique is called phishing, which involves making attempts to acquire passwords, account numbers, and related information. It is said that phishing has become the most widespread Internet and email scam today. The term is a play on the actual sport of “fishing,” in which perpetrators send out many (sometimes millions of) emails with the hopes of getting “bites” in return.
Despite the low success rate, criminals continue to send out emails that look like legitimate concerns over account security or sale reminders from your favorite retailer. Beware of requests to discontinue emails that you believe are scams; this is a way that phishers can tell whether an email address is still active or not.
Phishers can take this request to discontinue, note that the address is a true email address, and send more scams from a new account. In 2012, there were nearly 33,000 phishing attacks globally each month which totaled a loss of $687 million. These phishing attacks mark a 19% increase globally compared to the first half of 2011.
Another technique of crime on social networking sites is social engineering. In a classical sense, social engineering refers to the social manipulation of large groups of people to meet political or economic ends. Today, it has taken on an additional meaning in the cyber security world.
Social engineering refers to gaining access to information by exploiting human psychology rather than using traditional hacking techniques. A classic example of this starts with a friend on your network sending you a message asking for a quick loan to get car repairs so he/she can get home for work on Monday, and ends with you finding out a few days later that your friend never needed car repairs and that the person you transferred money to was a scam artist. This form of social engineering is surprisingly easy to achieve, and because of it, the computer security firm Trend Micro calls Facebook a “minefield of scams.”
All that is needed by the scammer is the username and password of one member of a network and a little practice in writing letters that sound urgent to inspire friends to aid you. All the while the scammer is vague enough not to reveal the impersonation.
Even if only a few friends on the list are duped, the return on investment for the scammer is quite high. Social engineering isn’t limited to social networking. A recent case involved the software company Oracle. During a convention, a contest was held to demonstrate the dangers of social engineering. Several hackers posed as IT professionals and asked company employees to hand over data and visit websites as part of “routine IT protocol.” Oracle employees as well as many others were frighteningly compliant in the demonstration.
Primary Author: Jason Boone, NW3C Research Associate
Updated 2013 By: Stephenie Nagy, NW3C Research Intern
© 2013. National White Collar Crime Center. All rights reserved. The National White Collar Crime Center (NW3C) is the copyright owner of this white paper. This information may not be used or reproduced in any form without the express written permission of the NW3C.