Facebook Fakes: The Dark Side of Social Networking

It was not a particularly creative way to conduct espionage, but the world of cyber-spying isn’t a science fair.

During the weekend, it was reported that senior military and government officials had been duped into Facebook ‘friending’ someone pretending to be U.S. Admiral James Stavridis, NATO’s Supreme Allied Commander in Europe. The ruse is reputed to be the work of Chinese hackers interested in gathering email addresses and other minor tidbits of information from whoever they could. Facebook took the fake account down as soon as it was discovered, but the situation underscores a central problem that has always plagued social networks – proving the authenticity of the user.

“The problem is that most Facebook profiles are unverified,” said Graham Cluley, senior technology consultant at Sophos. “That’s not just a problem on (Facebook); it’s an issue for other social networks too. Even if you do link up with a genuine profile, you can’t always be sure that it’s the real person talking to you as their account could have been compromised.”

For corporations, losing control of their identity on social networks is not only a matter of corporate espionage but also of brand damage. Last year, for example, the shopping site Dealzon accused the online auction site Grabswag of stealing its identity and posting fake spam ads on Facebook. Anyone who clicked on the ads was directed to Grabswag’s site. Dealzon said it was flooded with hate mail from angry customers as a result.

“It can be important to allow access to social networks for employee morale, and even to promote working together,” noted Kaspersky Lab Malware Researcher Tim Armstrong. “However these businesses need to be aware of the potential for misuse, especially in regard to targeted attacks. Much of the basic information many people provide to social networks can be used for footprinting a potential target.”

“There needs to be a general education program for all employees, and a more specific training program for executives, as they may be more frequently targeted,” he continued. “This information should include everything from how to manage privacy settings to what the company mandates may include. Examples of targeted attacks should be given so employees know what to look for. Additionally, settings such as profile search and visibility should be covered and expectations explicitly defined.”

According to Facebook spokesperson Frederic Wolens, it is against the social network’s policy for anyone to use a fake name or impersonate someone, and users are urged to report anyone believed to be doing so.

“When a person reports an account for this reason, we run an automated system against the reported account,” he explained. “If the system determines that the account is suspicious, we show a notice to the account owner the next time he or she logs in warning the person that impersonating someone is a violation of Facebook’s policies and may even be a violation of local law. This notice also asks the person to confirm his or her identity as the true account owner within a specified period of time through one of several methods, including registering and confirming a mobile phone number. If the person can’t do this or doesn’t respond, the account is automatically disabled.”

In 2009, Twitter launched its ‘Verified Accounts’ program for high-profile users to help address the identity challenge social networks face. Though initially aimed at celebrities, the program now includes businesses and public figures looking to maintain control over their online persona. It is not fool-proof, however: according to recent reports, someone posing as former NFL quarterback Brett Favre has been posting on the account @BrettFavre4 for the past week. Facebook announced a similar program for high-profile users last month.

Just recently, Barracuda Networks put out research detailing the differences between bogus Facebook profiles and legitimate accounts. Among the company’s findings: fake accounts have nearly six times more friends than real users (726 versus 130) and use photo tags more than 100 times more often than real users (136 tags for every four photos versus one tag for every four photos). Additionally, almost all fake profiles – 97 percent – claim to be female, as opposed to 40 percent of actual users.
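The traits above are population averages, not detection rules, but they are the kind of signals a triage script can score before a human looks at a reported profile. The following is an added example, not Barracuda’s or Facebook’s code: the cut-offs are assumptions derived from the article’s averages, the Profile record and sample profiles are constructed, and a genuinely popular real account will trip the friend-count trait on its own, which is why the default verdict requires at least two traits.

```python
"""
Heuristic scoring of social-network profiles against the traits the
Barracuda research reports for fake accounts: unusually high friend
counts, very dense photo tagging, and a claimed female gender.
Cut-offs are ASSUMPTIONS chosen from the article's averages
(726 vs 130 friends, 136 vs 1 tags per four photos); they are not
Barracuda's own rules, and the sample profiles below are constructed.
"""
from dataclasses import dataclass

# Averages reported in the article; used only to derive rough cut-offs.
REAL_AVG_FRIENDS = 130
FAKE_AVG_FRIENDS = 726
REAL_TAGS_PER_PHOTO = 1 / 4
FAKE_TAGS_PER_PHOTO = 136 / 4

# Assumed cut-offs: geometric midpoints between the two averages, so the
# scorer is not anchored to either extreme (~307 friends, ~2.9 tags/photo).
FRIEND_CUTOFF = (REAL_AVG_FRIENDS * FAKE_AVG_FRIENDS) ** 0.5
TAG_RATIO_CUTOFF = (REAL_TAGS_PER_PHOTO * FAKE_TAGS_PER_PHOTO) ** 0.5


@dataclass
class Profile:
    """Constructed record type; a real pipeline would fill it from an API export."""
    name: str
    friends: int
    photos: int
    tags: int
    claims_female: bool


def tags_per_photo(p: Profile) -> float:
    # Guard against division by zero for profiles with no photos at all.
    return p.tags / p.photos if p.photos else 0.0


def score(p: Profile) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched trait adds one point."""
    reasons = []
    if p.friends > FRIEND_CUTOFF:
        reasons.append(f"friend count {p.friends} above {FRIEND_CUTOFF:.0f}")
    ratio = tags_per_photo(p)
    if ratio > TAG_RATIO_CUTOFF:
        reasons.append(f"{ratio:.1f} tags per photo above {TAG_RATIO_CUTOFF:.1f}")
    if p.claims_female:
        reasons.append("claims female (97% of fakes vs 40% of real users)")
    return len(reasons), reasons


def is_suspicious(p: Profile, threshold: int = 2) -> bool:
    """Gender alone is a weak signal, so require at least two traits by default."""
    return score(p)[0] >= threshold


# Constructed sample profiles: one ordinary user, one sockpuppet-like
# profile, and one real account with many friends but normal tagging.
SAMPLES = [
    Profile("typical_user", friends=140, photos=40, tags=9, claims_female=True),
    Profile("sockpuppet", friends=800, photos=4, tags=150, claims_female=True),
    Profile("popular_real", friends=600, photos=100, tags=30, claims_female=False),
]

if __name__ == "__main__":
    for p in SAMPLES:
        s, why = score(p)
        print(f"{p.name}: score={s} suspicious={is_suspicious(p)} {why}")
```

Run as-is and only the sockpuppet profile is flagged; the high-friend real account scores one point and is left alone. Anyone adapting this should re-derive the cut-offs from their own population rather than trusting the article’s averages, and treat the output as a queue for human review, not a ban decision.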

“I’m not sure how much it matters whether a high profile person has an actual account,” Armstrong said. “If the fake account is convincing enough then the question becomes moot. Past research has shown that a large amount of people will connect despite obvious red flags. This includes accounts for people they don’t even know in real life. If there are two accounts that are both seemingly real, how can you tell which one is legitimate? Currently it can be very difficult to make a decision.”

As a practical matter, it may be unrealistic for an organization like NATO to patrol social networks on the lookout for fraudulent profiles for every NATO official, Cluley said. Still, high-profile brands watch for impersonators, so high-ranking staff should be similarly protected or given guidelines about how they can use social networks safely, he argued.

“The best advice is to only connect with people you know in real life, and when you receive a request from them contact them in real life to confirm it was them who sent it to you,” Cluley said. “Of course, most people will never do that.”

Related Reading: U.S. Army Warns That Social Media Can Kill. Literally.
