The Threat of Fraud on Social Networks
Facebook as a social media outlet has not just been embraced by the public but by private and public institutions as well (Tagtmeier, 2009; McLuhan, 2011). Individuals use social networking to communicate with friends and colleagues. Organizations use social networking to improve customer relations and build web presence.
Some organizations convert blog posts to upload to facebook or twitter (Tagtmeier, 2009). Some organizations set up special teams to respond to customer service updates on the organizations’ walls (McLuhan, 2011). However, this increasing utilization of social media as an online resource is not without risk.
Cybercriminal activity has victimized online users in the form of identity theft and fraud since the commercialization of the Internet. The U.S. Federal Trade Commission (as cited by Ramsey & Venkatesan, 2010) stated, “9.9 million Americans were the victims of identity theft in 2008” (p. 23). A different study estimated an increase of 668 percent of occurrences of cybercrime from 2001 to 2009 in just the United States.
What highlights the threat of social networking and facebook in particular are the global acceptance and trust mechanisms, which build the popularity of the medium. “The trust-based characteristics of social networking platforms are being abused and manipulated by cybercriminals” (Ramsey & Venkatesan, 2010, p. 24). These characteristics create an environment where users take actions without knowledge of the consequences (Wadlow & Gorelik, 2009). This environment is then magnified by the global acceptance of social networking.
Global Acceptance of Social Media Appeals to Cybercriminals
Richard Dawkins, a British biologist, created the term memes. Memes characterize phenomena that become popular and spread through cultures as enlightening experiences (Benford, 2011). Fashion trends, memorable songs, and now social networking take hold through the functioning of memes. “Memes express how cultural evolution occurs so quickly, as old memes give way to voracious new ones” (p. 112).
Social networks may be classified as mass media but this media expands as individuals increase their associations based on personal connections that already exist (Ramsey & Venkatesan, 2010). Adding friends of friends to a network then creates an environment of mutual trust based on previous relationships, even if those relationships were only perceived in the friends’ minds. Many members of a social network never meet face to face.
Two characteristics of social networking appeal to cybercriminals. First, the size of social networks gives the cybercriminal a global reach, with some networks comprising hundreds of millions of users. Second, the trust mechanisms of social networks help cybercriminals fool their victims. Spam messages sent by impersonating a trusted friend in a user’s social network are better received than those sent through e-mail (Ramsey & Venkatesan, 2010). “These same characteristics may enable more intimate forms of confidence crimes previously used offline” (p. 24).
Cybercrime on Social Networks
Just visiting a social networking site will not automatically infect a visitor’s machine with a banking Trojan or virus leading the user to become the victim of cybercrime. The visitor must initiate some action for the infection to occur. For example, the Koobface worm sends invitations to potential victims as links in posts to the victims’ social networking pages (Ramsey & Venkatesan, 2010). Clicking on one of the links initiates downloading a Trojan to the computers in use.
Users often face security decisions initiated by their actions on the Internet when navigating the web using links embedded in pages. Initiating a file download or configuration change will often generate a warning. Browser publishers try to alert the users with warnings before certain actions but the users often do not know the risks of the actions they take. Sometimes users become fatigued when repeatedly prompted for actions and simply become careless (Wadlow & Gorelik, 2009).
With the numbers of users of social networking sites exceeding a quarter billion users in some networks, there should be little surprise that cybercriminals also take up residence among the varied trusting networkers. On a personal level, intimate types of cybercrime perpetrated using social networks range from variations of the Nigerian 411 fraud to dating and romance scams (Commonwealth of Australia, 2012). Some cybercriminals apply more automated approaches targeting trusting users to download Trojan infections (Ramsey & Venkatesan, 2010).
Social Network Romance Scams
Cybercriminals may appeal to the romantic side of individuals to lure them into parting with their money. Traditionally, romance and dating scams were conducted through Internet dating services (Commonwealth of Australia, 2012). A scammer would join a service, create a phony profile, and target a victim. “Once you are in contact with a scammer, they will express strong emotions for you in a relatively short period of time and will suggest you move the relationship away from the website, to phone, email and/or instant messaging” (para. 2).
While dating services still operate, romantic scammers find the size of social networks very appealing (Ramsey & Venkatesan, 2010). They also have the ability to view the profiles of vulnerable participants at their leisure to locate possible targets. A scammer may spend months to build a cyber-relationship with a victim by sharing personal information (Commonwealth of Australia, 2012). In some cases, scammers have offered to book flights to visit victims, which presents the appearance of sincerity.
The object is to build trust from the victim so when the scammer eventually asks for money under a guise, such as helping a family member who has fallen ill, the victim happily agrees to help. After all, the victim feels that this is the “romance of a lifetime” (para. 3). When the victim falls for the scheme, the scammer disappears and moves on to locate the next victim.
Automated Social Networking Threats
Computer viruses arrived on the computer scene shortly after the development of the very first computers (Benford, 2011). These sometimes-harmful programs evolved over the years and hackers develop modern viruses to take advantage of the multitude of capabilities inherent in modern computers. Some of these modern viruses include: “Trojan horses, … software bombs (self-detonating agents…), logic bombs (go off given specific cues), time bombs (keyed by clock time), Replicators (“rabbits” clone until they fill all memory), worms (traveling through networked computer systems, laying eggs), and plenty more” (p. 112-113).
Social networks fall victim to automated attacks with increased frequency and effectiveness because of the level of trust for communications between users (Ramsey & Venkatesan, 2010). Compounding the problem is the move of many individuals and organizations toward cloud computing, where users store data on Internet based servers. New Trojans target facebook users and have the capability to grab almost any information a user enters during a session (Gallagher, 2012). Further, social networking sites are permitting an explosion of applications written by third parties. Some of these applications store personal information, so hackers target those applications as well (Ramsey & Venkatesan, 2010).
An analyst, cited by Gordon (2012), claimed that financial motivation is the driving force behind creating malware that targets sites such as facebook. This targeted malware often seeks out individuals holding key positions within organizations, such as the Chief Executive Officer. "These people will have Facebook or LinkedIn profiles or Twitter accounts and this is a way in to corporate networks for people with malicious intent" (p. 1).
One troubling aspect of these new developments is that some users use the same authentication credentials, passwords, for corporate accounts that they use for their facebook accounts. If a hacker gains those credentials from facebook then the corporate accounts for those users are also compromised. The implications of infection by these threats include direct financial loss, corporate and government fraud, and identity theft, among others (Ramsey & Venkatesan, 2010). Some of the most noteworthy Trojans in this arena include Carberp, Zeus, SpyEye, and Ramnit.
Carberp Holds Accounts Hostage
Carberp is a newer facebook targeted virus that hides in Excel or PDF files (Leyden, 2012). Once a facebook user attempts to open a file infected with Carberp, the hidden malware activates and begins to “harvest credentials for email and social-networking sites” (para. 2). Not only does Carberp gather credentials but the virus also acts as ransomware by holding the user’s facebook account hostage.
Whenever the victim attempts to view a facebook page, the virus redirects the victim’s browser to a spoofed page that informs the user that his or her facebook account has been frozen. The user may unfreeze the account by supplying certain personal information along with “a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account” (para. 4). The significance of the voucher number is that the cryptographic nature of electronic payment systems makes the transaction virtually impossible to trace (Turner, 2004).
Ramnit Steals Facebook Logins
Ramnit is an especially threatening virus to enterprises (Gallagher, 2012). This virus laid claim to stealing over 45,000 user credentials from facebook. The writers of Ramnit borrowed some code from the ZeuS botnet-banking-Trojan, which gives the virus the ability to capture almost any type of data present in a session. The cybercriminals who control the virus may also add modules that may be customized to give the criminal the ability to perform a myriad of remote control exploits (Gallagher, 2012).
The enterprise threat becomes more apparent as more and more organizations move to Software as a Service (SaaS) capabilities that the Internet offers. Once a hacker captures credentials from an executive’s facebook page, the hacker could then gain entry into the corporate network. If the executive had administrative rights to SaaS applications then the hacker could perform almost any action using the remote control capability of the virus (Gallagher, 2012).
SpyEye Steals Card Details
The SpyEye Trojan directly targets the bank accounts of victims (Waugh, 2012). This Trojan has the ability to directly access a victim’s bank accounts, using stolen credentials, and withdraw money. Not only can the Trojan withdraw money but the transactions will also remain hidden from the user of online banking applications running on the computer or in the browser. When the victim accesses an account compromised by SpyEye, the Trojan intercepts any balance details and replaces details of the fraudulent activity with entries reflecting the victim’s past activity. The victim will only find out about the activity when the bank refuses a legitimate transaction or the victim receives a hard copy statement from the bank (Waugh, 2012).
SpyEye may be deposited to a victim’s computer as a payload from another malware package. The modular capabilities of Ramnit presented by Gallagher (2012) could be used by a cybercriminal to download the SpyEye Trojan as a payload package to facebook visitors. Once a facebook user is infected by Ramnit, a download of SpyEye could be possible.
Hiding the Proceeds of Cybercrime
Fraudulently moving money directly from one person’s bank account to another person’s account creates a trail of transactions that could be used to catch the cybercriminal. However, cybercrime, like many other types of crime, depends on the criminal’s ability to hide the money. Moving the funds stolen by using facebook or other social media to gain access to a victim’s bank accounts involves cyberlaundering and the use of money mules (Turner, 2004; Moore, Clayton, & Anderson, 2009).
Cyberlaundering is the cyber equivalent of money laundering and involves taking advantage of the technologies available through the Internet to convert criminal financial takings into clean and untraceable funds (Turner, 2004). Electronic money or e-money “is the currency used in Internet-based commercial transactions, and represents ‘tokens of monetary value that take digital form’” (p. 1408). These tokens are encrypted to prevent capture or tampering and this encryption presents a nearly impossible challenge to investigators who attempt to trace the transactions.
Many of the cybercriminal transactions that result from banking Trojans, such as Zeus and SpyEye, do not flow directly to the criminals’ bank accounts but take less direct paths through the accounts of money mules (Moore, Clayton, & Anderson, 2009). Money mules are simply individuals recruited by the fraudsters to receive the fraudulently acquired money and forward that money back to the fraudsters. Many money mules accept transaction processor positions posted on Craigslist or Monster and believe that “they will receive payments for goods sold or services rendered by their employer and that their job is to take a commission and forward the rest” (p. 4) back to their employer. These actions are also fraudulent in nature and "many of these frauds will undoubtedly be committed by organi[z]ed criminal elements, but many will also be committed by people who seemingly feel that their circumstances leave them no choice" (Murray-West, 2012, para. 3).
When the bank discovers a fraud involving money mules, the money mule is held liable for the funds received from the bank (Moore, et al., 2009). After all, the funds were transferred from the bank to the account of the money mule. Unfortunately, for the money mule, most of the funds from the bank were transferred to the fraudster and the mule remained in possession of only a small portion of the proceeds. The mule would therefore be responsible to cover whatever proceeds were originally stolen.
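The pass-through pattern described above (a credit arrives, the account holder keeps a commission and forwards the rest) can be screened for on the bank side. The following is an added example, not taken from the cited sources; the ledger, account names, 48-hour window, 80 to 98 percent forwarding band and the "one-off payer" rule are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class Txn(NamedTuple):
    when: datetime
    account: str       # account whose statement the entry appears on
    counterparty: str  # the other side of the transfer
    amount: int        # whole currency units; > 0 credit, < 0 debit

class Finding(NamedTuple):
    account: str
    payer: str
    payee: str
    received: int
    forwarded: int
    kept: int          # the "commission" left in the account

def d(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample ledger: every name and amount here is invented.
LEDGER = [
    Txn(d("2012-02-01 08:00"), "ACCT-B", "EMPLOYER-B", 3000),   # salary
    Txn(d("2012-02-02 08:00"), "ACCT-B", "LANDLORD-B", -2500),  # rent
    Txn(d("2012-03-01 08:00"), "ACCT-B", "EMPLOYER-B", 3000),
    Txn(d("2012-03-02 08:00"), "ACCT-B", "LANDLORD-B", -2500),
    Txn(d("2012-03-01 09:00"), "ACCT-A", "VICTIM-1", 4800),     # pass-through
    Txn(d("2012-03-01 15:30"), "ACCT-A", "WIRE-7", -4320),
    Txn(d("2012-03-05 10:00"), "ACCT-A", "VICTIM-2", 2500),     # pass-through
    Txn(d("2012-03-05 12:00"), "ACCT-A", "WIRE-7", -2250),
    Txn(d("2012-03-03 11:00"), "ACCT-C", "BUYER-9", 1200),      # sale
    Txn(d("2012-03-03 16:00"), "ACCT-C", "BUYER-9", -1100),     # partial refund
    Txn(d("2012-03-04 09:00"), "ACCT-D", "INSURER-4", 2000),    # payout
    Txn(d("2012-03-14 09:00"), "ACCT-D", "GARAGE-2", -1800),    # repair, 10 days on
]

def find_pass_through(ledger, window=timedelta(hours=48),
                      forward_band=(0.80, 0.98), min_credit=500):
    """Pair each sizeable credit from a one-off payer with a later debit to a
    different party that forwards most, but not all, of it within `window`."""
    by_account = defaultdict(list)
    for t in sorted(ledger, key=lambda t: t.when):
        by_account[t.account].append(t)

    findings = []
    for account, txns in by_account.items():
        payers = Counter(t.counterparty for t in txns if t.amount > 0)
        matched = set()  # indexes of debits already paired with a credit
        for credit in txns:
            # Skip debits, small credits and recurring payers (e.g. an employer).
            if credit.amount < min_credit or payers[credit.counterparty] > 1:
                continue
            for i, debit in enumerate(txns):
                if i in matched or debit.amount >= 0:
                    continue
                if debit.counterparty == credit.counterparty:
                    continue  # money going back to the sender is a refund
                if not timedelta(0) <= debit.when - credit.when <= window:
                    continue
                ratio = -debit.amount / credit.amount
                if forward_band[0] <= ratio <= forward_band[1]:
                    matched.add(i)
                    findings.append(Finding(
                        account, credit.counterparty, debit.counterparty,
                        credit.amount, -debit.amount,
                        credit.amount + debit.amount))
                    break
    return findings

if __name__ == "__main__":
    for f in find_pass_through(LEDGER):
        print(f"{f.account}: {f.received} from {f.payer}, "
              f"{f.forwarded} on to {f.payee}, kept {f.kept}")
```

Only ACCT-A is reported on this sample: the salary-and-rent, refund and delayed-payment accounts each fail one of the conditions, which is the distinction the heuristic is meant to draw.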
Cybercriminal Black Markets
Cybercriminals do not only engage in directly targeting bank accounts. Cybercriminals developed black markets hidden in the depths of cyberspace in the form of Web sites (Moore, et al., 2009; Vijayan, 2007). These sites provide a place for cybercriminals to post new virus-infection technologies to increase the rates of infection. One site offered to pay webmasters a fee every week for downloading malware to the sites controlled by the webmasters and offered higher rates for successful uploads to victims’ computers (Vijayan, 2007). These black markets also decrease the knowledge level necessary for hackers to launch attacks. “It is significantly easier for hackers to gain access to very sophisticated tools with little to no understanding of how they function” (Taylor, Fritsch, Liederbach, & Holt, 2011, p. 292).
Information captured from virus infections may also be sold on the black market. Anonymous brokers deal in stolen banking credentials. A cybercriminal may sell authentication details for an online bank account for $10 to $100 per account to the broker; Personally Identifiable Information (PII), such as a name with a social security number and birthday may earn $1 to $15 per set (Moore, et al., 2009). “The brokers in turn sell the credentials to specialist cashiers who steal and launder the money” (p. 4). The money mules identified in the previous section then work for the cashiers.
Reducing Fraud on Social Networks
Social networking users form trust relationships with other users without knowing whether the machines those other users connect to the Internet with are secure. This trust reduces the ability of individual social networkers to recognize the threat. For instance, users often fall for spam messages sent through social networks because of the trust placed in the friends who the spammers impersonate to send the messages (Ramsey & Venkatesan, 2010). Expecting the social networking users to recognize the threat and act accordingly may prove a counterproductive strategy on which to base a solution. An effective strategy to reduce fraud on social networks requires a concerted effort between users, software publishers, service providers, financial institutions, and multinational cooperation among law enforcement agencies.
Software Publishers Patch Vulnerabilities
The number of computers already joined to botnets to distribute malware exceeds one million and hackers have little difficulty locating platforms running obsolete software with around 5 percent of the world computer population open to intrusion from malware (Moore, et al., 2009). When a user connects an insecure computer to the Internet, the effect is to increase the threat level for other users because a cybercriminal may use the unprotected machine to launch attacks against other users. Vendors try to meet their responsibilities for providing secure applications by developing security patches for vulnerabilities as those vulnerabilities are discovered but the responsibility for applying those patches falls to the end users. Concerning the responsibility to develop secure applications from the start, the software industry appears more successful in refuting responsibility than in developing solutions to the problem so software solutions are not likely in the near future (Moore, et al., 2009).
Blacklist Service Providers
Internet service providers are stepping up efforts to take action driven by the cost of customer support (Moore, et al., 2009). “One medium-sized ISP reported 1–2 percent of its total revenue was spent on handling security-related support calls” (p. 10). Another concern for providers is the possibility that their domains may be blacklisted if too many of their customers host sites that infect users. However, these blacklist restraints typically do not affect large providers because their customer bases are simply too large to cut off. Although seemingly little motivation exists for infrastructure providers to drive the cure, those providers should develop new approaches to mitigate the activity of cybercriminals to prevent data compromise and destruction (George, 2011).
Pursue Phishing Sites
Banks and other financial institutions experience large losses from frauds originating from malicious Web sites but these institutions concentrate on the sites that pose direct threats: those sites that infiltrate the institution’s systems (Moore, et al., 2009). The sites that fraudsters use to recruit money mules are primarily ignored unless an incident raises public attention. Since the money mules themselves often cover the financial responsibility for the frauds, the banks have little incentive to target the recruiting sites. “Their incentive is also dulled by a collective-action problem: it is hard to tell which bank will suffer from any given mule-recruitment campaign” (p. 14).
The time that a malicious site remains online depends on an individual or institution locating the site and reporting the criminal activity. Banks take quick action against phishing sites designed to impersonate those banks to trick victims (Moore, et al., 2009). However, other malicious sites that take more subtle yet harmful actions remain online for longer periods because the effects of those sites do not raise the suspicion levels of the institutions.
The global nature of the Internet and social networks means that no single-nation solution would be effective in reducing the threats of fraud through social networking. A major hurdle arises from the fact that these crimes typically cross the jurisdictions of multiple countries and comprise a large number of offenses with low values (Moore, et al., 2009). The small value of the individual offenses often permits them to slip under the radar of financial institutions and service providers. “Existing mechanisms for international police cooperation are designed for rare serious crimes, such as murder and terrorism, while online crime is petty crime committed on a global and industrial scale” (p. 6).
There has been some success in the international fight against cybercrime. The U.S. Federal Bureau of Investigation recently partnered with agencies in the Netherlands and Estonia to bring down a botnet named DNS Changer that was responsible for over $14 million in fraudulent transactions (Schwartz, 2011). Law enforcement agencies in multiple countries seized servers used to host the sites and the communication links were taken down.
Malware sites and botnets depend on the Domain Name System (DNS) employed by the Internet. The Internet Corporation for Assigned Names and Numbers (ICANN) maintains a database containing the links between domain names and the Internet Protocol (IP) addresses related to those names (Taylor, Fritsch, Liederbach, & Holt, 2011). By removing the link between a domain name and the associated IP address, a site may effectively be taken out of circulation.
Social networks build on relationships of trust but these relationships may be exploited by cybercriminals to distribute spam or commit fraud. Unwitting users enable this exploitation by taking actions without understanding the implications of those actions. Social networkers initiate the processes necessary for the criminal schemes to succeed by clicking on links to malware-laden sites, often believing that trusted friends posted those links.
The dangers that social networkers face range from the compromise of personal information and identity theft to direct attacks against the users’ bank accounts. Romance scams seek to persuade a victim to surrender funds voluntarily to the fraudster by building on a perceived romantic future to build trust, and automated attacks targeting social networking sites seek to inject various viruses or worms on the victims’ computers to capture authentication information. Some fraudsters target key individuals at organizations to capture those individuals’ facebook credentials. The fraudsters then use those captured credentials to attempt attacks against the organizations that the victims represent; many inept social networkers use the same credentials for multiple sites, so if a crook captures the facebook credentials then there is a good chance those credentials will also work on other sites.
Newer attacks use viruses that will directly commit bank fraud and cover the trails of the activity. The victims only discover that a fraud was committed when the bank refuses a transaction or the victim receives a hard copy bank statement. The fraudulent transactions are nearly impossible to trace back to the cybercriminal because the cybercriminal uses electronic transfers and money mules to hide the identity of the true criminal.
No one entity may be charged with the responsibility to resolve the security problems inherent in social networking because of the global nature of the medium. Crooks and victims could reside in any jurisdiction whose residents may obtain Internet access and the problem involves the social networkers, software publishers, service providers, and financial institutions that may be scattered across the globe. However, there has been some success in bringing operators of cybercrime rings to justice and shutting down their sites but those successes involved the cooperation of many organizations in multiple jurisdictions. Many cybercriminals still reside in nations with very lax laws concerning cybercrime.
None of the types of organizations mentioned in this paper could individually solve the problem of fraudulent activity on social networking. Too many entities are inter-related and each plays a role that adds to the problem. Cooperation among those entities may be the best path toward a solution. However, no solution will be very effective as long as the human element in the form of social networkers takes actions to circumvent controls.
- Benford, G. (2011). Catch me if you can. Communications Of The ACM, 54(3),
- Dating & romance | Scamwatch
- Gallagher, S. (2012). Part virus, part botnet, spreading fast: Ramnit moves past facebook passwords. Ars Technica.
- George, T. (2011). High tech, high risk. Risk Management, 58(8), 26-29.
- Gordon, G. (2012). The hidden economy of cyber crime. Sunday Times (South Africa). Available from LexisNexis.
- Leyden, J. (2012). New stealthy botnet Trojan holds facebook users hostage. The Register.
- McLuhan, R. (2011). New reality demands a response. Marketing (00253650), 37-41.
- Moore, T., Clayton, R., & Anderson, R. (2009). The economics of online crime. Journal Of Economic Perspectives, 23(3), 3-20. doi:10.1257/jep.23.3.3
- Murray-West, R. (2012). Fraud hits record levels in 2011; unemployment and inflation blamed as fraudsters feel they “have no choice”. The Telegraph. Available from LexisNexis.
- Ramsey, G., & Venkatesan, S. (2010). Cybercrime strategy for social networking and other online platforms. Licensing Journal, 30(7), 23-27.
- Taylor, R. W., Fritsch, E. J., Liederbach, J., & Holt, T. J. (2011). Chapter 13: Information security and Infrastructure protection. Digital Crime and Digital Terrorism. Upper Saddle River, NJ: Pearson Education, Inc.
- Tagtmeier, C. (2010). facebook vs. twitter. (cover story). Computers In Libraries, 30(7), 6-10.
- Turner, S. (2004). U.S. anti-money laundering regulations: An economic approach to cyberlaundering. Case Western Reserve Law Review, 54(4), 1389-1414.
- Vijayan, J. (2007). Information security news: Hackers now offer subscription services, support for their malware [Electronic version]. Computerworld.
- Wadlow, T., & Gorelik, V. (2009). Security in the browser. Communications Of The ACM, 52(5), 40-45. doi:10.1145/1506409.1506422
- SpyEye 'trojan horse': New PC virus steals your money and creates fake online bank statements | Dail