Digital Fingerprints

'Web 2.0' Social Network Sites Can Foster Fraud


Blogs and social networking sites - such as Facebook and MySpace - have become the defining forces behind the renewed vision of the World Wide Web. The idea of Web 2.0, coined at the first O'Reilly Media Web 2.0 conference in 2004, represents the evolution from read-only to user-created content.

Social networking sites allow their members to build ties based on common interests, employment history, schools attended, etc. Members can share information about themselves and their interests, join groups, and invite others to participate.

A "blog" (shortened from "Web log") is an online journal containing content created by its owner. Blogs can provide commentary on current events or serve as online diaries. Blogs have become so popular that many people rely on them as news sources, which blurs their boundaries with traditional mass media. 

 
PARADIGM SHIFT IN PRIVACY AND CONFIDENTIALITY 
As technology began controlling important parts of consumers' daily lives, more users requested that anyone storing their personal information adhere to strict privacy guidelines. Nations have passed legislation or regulations that govern privacy such as the U.S. Gramm-Leach-Bliley Act or the U.S. Health Insurance Portability and Accountability Act, Canada's Personal Information Protection and Electronic Documents Act, or the European Union's Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on free movement of such data. 
 
Web 2.0 has spawned a paradoxical shift in the privacy paradigm: Consumers require that their personally identifiable information be protected, but as users of Web 2.0 "technologies," they willingly disclose much of this same information to other members of these online communities. A user of a social networking site routinely discloses information in a profile about his or her education and employment plus phone numbers, location, birthday, and e-mail addresses without fully understanding the consequences. 
 
The confidentiality paradigm has also shifted. Employees have taken advantage of organizations' fading security perimeters caused by changes in technology like mobile devices and virtual private networks, which allow remote access to the organizations' technology infrastructure. Through their regular job duties, they now have access to confidential organizational information that they can share online in social networks. 
 
This shift in the perception of privacy, combined with the perceived anonymity of the Internet, has transformed useful tools for online communication into risks that organizations need to manage. 
 
IMPERSONATION 
Impersonation is nothing new. Online social networks have just made it much easier to pull off. Individuals posing as celebrities on fake sites actually answer fan e-mails! But anyone can be the target of an online impersonator. 
 
Fraudsters impersonate victims on social networking sites with easily available information and pictures from other sites. They also hijack entire online profiles or use purloined material to perpetrate identity theft or even inflict revenge. A teen recently committed suicide after she was a victim in an elaborate hoax in which she received cruel messages through a fabricated profile on a social networking site. 
 
Stalkers use stolen info to impersonate victims' acquaintances. We can only imagine a conversation like this: 
 
Stalker: "Hi there, remember me?"
Victim: "Well, maybe!?"
Stalker: "I'm a friend of John's." (information obtained from the victim's friends' list)
Victim: "Oh?"
Stalker: "Yeah, remember we met at Tim's party?" (information obtained from a list of events attended and posted in the victim's profile) 
 
FACILITATING SOCIAL ENGINEERING AND TARGETED ATTACKS 
People use social engineering to convince others to divulge sensitive information or perform certain actions. Most of us know about phishing - an individual receives an alarming e-mail that requests that she click a provided Web link. The link, which appears to be legitimate, leads to a site that asks the individual to provide sensitive information to resolve an issue. Most of us now avoid e-mails from unknown senders. But what about e-mails received from those we know? 
 
The Indiana University School of Informatics performed a study that showed that exploiting information from social networks can facilitate fraud.* Researchers first wrote an e-mail that asked students to visit an external Web site and enter their University IDs and passwords. They sent the e-mail as strangers to some students and as supposed friends from an online community to other students. The results were alarming. Only 16 percent took the bait when receiving the e-mail from a stranger. But 72 percent clicked the external Web site link sent in the e-mail from a supposed friend. 
 
In an actual scam, a fraudster impersonating a social networking site e-mails invitations to "friends" to lure them to a forged site where they enter their usernames and passwords. Because most people use the same passwords on multiple sites, cyber-criminals attempt to use the stolen passwords to break into the users' e-mail accounts. The fraudsters then sell these accounts for spamming or use them to obtain access to auction and online payment sites. They compromise these sites by simply reusing the submitted passwords or by resetting the passwords and having the reset messages sent to the compromised e-mail accounts. 
 
Popular corporate Webmail services allow employees to access their corporate e-mail remotely through a Web-based interface. In one such scam, a cyber-criminal sent e-mails appearing to come from the IT department manager asking users to reset their passwords for the Webmail service. The cyber-criminal, who obtained the IT manager's name from a business-oriented networking site, included in the e-mail a cloaked link directing the unsuspecting employees to a forged, official-looking site at which they would "reset" their passwords. The cyber-criminal could then log in to any of the employees' accounts and read the sensitive information stored in their mailboxes. 
 
CORPORATE IMAGE AND PERSONAL REPUTATION 
The default privacy settings of social networking sites can allow non-friends to view information in a member's profile plus pictures added by that member or by another to whom the member is linked. These pictures can also be added to groups created by members. 
 
Pictures added without consent can pose a major risk to personal reputation and corporate image. How would an expert witness feel if pictures taken in a private context appeared on a social networking site for all to see? How would an employer feel if clients could view photos of an intoxicated consultant? How would a police department react if the public could see photos of some of their recruits celebrating in a bar? These true examples have tarnished reputations and organizations' images. 
 
Discussions in online message boards also have caused problems. Imagine if nurses wrote in a social network group that they had been unable to provide adequate care because of a heavy workload. Could this information be used in a wrongful death lawsuit? 
 
DISCLOSURE OF SENSITIVE INFORMATION 
Employees have a habit of unwittingly posting corporate knowledge or opinions that could harm their companies. One employee wanted to attract attention to his personal blog by innocently discussing his company's upcoming marketing promotions and changes to customer service plans. (Even posting good news or opinions can harm an organization if the blogger doesn't follow guidelines and conform to corporate messages.) 
 
As the employee leaked information without the proper marketing message, the posts generated a high volume of calls to the company's call center from uninformed customers who were complaining about changes in service or wanting to take advantage of promotions to which they weren't entitled. The posts also gave the competition an advance view of upcoming marketing promotions, so they had time to react. 
 
Military personnel could post their ranks and current deployment, law enforcement officers could include their addresses, or employees in governmental research and development departments could post sensitive work info. Such disclosures could further terrorist activity, retaliation, or espionage. 
 
Social networking sites and blogs are beneficial but must be properly managed just like any other risk. 
 
VIRTUAL CURRENCIES, ELECTRONIC MONEY, AND FRAUD 
In the next column, we'll take a closer look at electronic money and virtual currencies and their potential use in frauds, money laundering and illicit fund transfers. 
 
Jean-Francois Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte & Touche's Forensic & Dispute Services practice in Montreal, Canada.   
 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced. 
