Staying Safe on Social and Professional Networks
Part of IID’s Takedown Taekwondo Series
In our latest installment of Takedown Taekwondo we talked about the crush of spam email messages cyber criminals send out hoping to lure victims to their fraud sites. Many spam email messages contain links to phishing or malware sites, which the criminals hope will fool unsuspecting spam recipients into disclosing personal information. Plenty of other spam messages contain a phishing form within the body of the email itself, which the criminals use to collect the same type of personal information, like bank account numbers and login credentials or email passwords. Spam is the primary method by which criminals disseminate their fraud links, but not all spam comes in the form of email sent directly to potential victims’ inboxes. Thanks to the ever-increasing use of social media, cyber criminals have another powerful delivery method for their fraud.
Sharing Isn’t Necessarily Caring
Social and professional networks—like Facebook, Twitter, or LinkedIn—seek to provide their users with a sense of community. Through these networks, users disseminate information about themselves and about topics they find newsworthy. The more socially leaning networks encourage users to share information about their every move, from where they live to what they had for breakfast and where they plan to spend their day. Professional networks, too, encourage sharing, but of professional goals, accomplishments and connections. Each type of network promotes a sense of community by allowing users to share themselves and learn about others.
As such, users’ willingness to disclose information about themselves makes social networks possible, but also threatens users’ online security. For one thing, it’s possible that the person on the other end posting their favorite recipes or promising job leads really isn’t who they say they are, and a click on those links could take you—and your entire network of friends, family and colleagues—virtually anywhere online, including phishing and malware sites.
Massive Networks Have Mass Appeal for Criminals
Social media sites and platforms are not only a great haven for cyber criminals looking for clicks; the platforms are themselves routinely victimized by criminals seeking to cash in on their enormous popularity. Just as they have accounts with financial institutions and email providers, Internet users increasingly have and use social networking accounts. Perhaps unlike their online banking accounts, however, users don’t necessarily treat their social networking accounts with the security they deserve. While it might be obvious to users that their bank account number and online banking login information are sensitive, the sensitive nature of their social networking login credentials can be easily overlooked. After all, most people think of their social and professional networks as outlets for connecting with friends, family or business contacts and little more.
Your Personal Information is a Boon to Cyber Criminals
Why would a criminal try to phish online banking passwords from victims? That’s obvious: having a banking login gives the criminal access to the victim’s bank account and funds. While it might be less obvious why those criminals might want social and professional network logins, those sites house an enormous wealth of sensitive and personally identifiable information about users, from names, addresses and birth dates to social security numbers, passport data and answers to challenge questions. Those users who play in-platform games that involve real money transfer may even have credit card or bank account information stored within their profiles. But even when there isn’t a direct linkage between real money and these accounts, very real risks exist. When a criminal gains access to a person’s social or professional networking account, they have access to all of that person’s contacts. The criminal might choose to post links to their own phishing or malware sites on the victim’s page, luring unsuspecting connections to click over to harmful Internet locations.
But the victim’s contacts aren’t all that are in jeopardy. Users’ willingness to share personal information—even the seemingly innocuous, like birthday plans (and therefore birthdates) and family relationships (and therefore maiden names)—arms cyber criminals with information they can use to crack passwords to other important online accounts. Such information could also come in handy for social engineering purposes, should that criminal be seeking information or accounts that require human interaction to access. The ability to answer security questions posed by the customer service representative on the other end of “your” call to your credit card company would be just what a criminal needs to get in.
With all the possibilities, it’s no wonder cyber bad guys are phishing social and professional networking platforms. IID’s goal in fighting such fraud isn’t any different from our goal in fighting fraud against any target or industry. Our goal is to always protect the Internet community, including enterprise employees and customers, from the many types of fraud online. The path to takedown may involve registrars, webhosts, site owners—or some combination, as is often the case.
When a fraud site targets a social or professional networking platform, the possibility for cascading fraud is great, as those accounts house such a large amount of information that could aid in criminals’ attempts to access other online accounts belonging to the victim. In upcoming installments of Takedown Taekwondo, we’ll look at the allure other types of targets have for cyber criminals and the different methods we might employ to get the fraud off the Internet.