It was not a particularly creative way to conduct espionage, but the world of cyber-spying isn’t a science fair.
During the weekend, it was reported that senior military and government officials had been duped into Facebook ‘friending’ someone pretending to be U.S. Admiral James Stavridis, NATO’s Supreme Allied Commander in Europe. The ruse is reputed to be the work of Chinese hackers interested in gathering email addresses and other minor tidbits of information from whoever they could. Facebook took the fake account down as soon as it was discovered, but the situation underscores a central problem that has always plagued social networks – proving the authenticity of the user.
“The problem is that most Facebook profiles are unverified,” said Graham Cluley, senior technology consultant at Sophos. “That’s not just a problem on (Facebook); it’s an issue for other social networks too. Even if you do link up with a genuine profile, you can’t always be sure that it’s the real person talking to you as their account could have been compromised.”
For corporations, losing control of their identity on social networks can be an issue not only of corporate espionage, but also brand damage. Last year for example, the shopping site Dealzon accused online auction site Grabswag.com of stealing its identity and posting fake spam ads on Facebook. Anyone that clicked on the ads was directed to Grabswag’s site. Dealzon has said the company was flooded with hate mail from angry customers as a result.
“It can be important to allow access to social networks for employee morale, and even to promote working together,” noted Kaspersky Lab Malware Researcher Tim Armstrong. “However, these businesses need to be aware of the potential for misuse, especially in regard to targeted attacks. Much of the basic information many people provide to social networks can be used for footprinting a potential target.”
“There needs to be a general education program for all employees, and a more specific training program for executives, as they may be more frequently targeted,” he continued. “This information should include everything from how to manage privacy settings to what the company mandates may include. Examples of targeted attacks should be given so employees know what to look for. Additionally, settings such as profile search and visibility should be covered and expectations explicitly defined.”
According to Facebook spokesperson Frederic Wolens, it is against the social network’s policy for anyone to use a fake name or impersonate someone, and users are urged to report anyone believed to be doing so.
“When a person reports an account for this reason, we run an automated system against the reported account,” he explained. “If the system determines that the account is suspicious, we show a notice to the account owner the next time he or she logs in warning the person that impersonating someone is a violation of Facebook’s policies and may even be a violation of local law. This notice also asks the person to confirm his or her identity as the true account owner within a specified period of time through one of several methods, including registering and confirming a mobile phone number. If the person can’t do this or doesn’t respond, the account is automatically disabled.”
In 2008, Twitter launched its ‘Verified Accounts’ program for high-profile users to help address the challenge social networks are facing when it comes to identity. Though initially aimed at celebrities, the program now includes businesses and public figures looking to maintain control over their online persona. It is not fool-proof however: according to recent reports, someone posing as former NFL quarterback Brett Favre has been posting on the account @BrettFavre4 for the past week. Facebook announced a similar program for high-profile users last month.
Just recently, Barracuda Networks put out some research detailing the differences between bogus profiles on Facebook and legitimate accounts. Among the company’s findings: fake Facebook accounts have nearly six times more friends than real users (726 versus 130) and use photo tags more than 100 times more often than real users (136 tags for every four photos versus one tag for every four photos). Additionally, almost all fake profiles – 97 percent – claim to be female, as opposed to 40 percent of actual users.
“I’m not sure how much it matters whether a high profile person has an actual account,” Armstrong said. “If the fake account is convincing enough then the question becomes moot. Past research has shown that a large amount of people will connect despite obvious red flags. This includes accounts for people they don’t even know in real life. If there are two accounts that are both seemingly real, how can you tell which one is legitimate? Currently it can be very difficult to make a decision.”
As a practical matter, it may be unrealistic for an organization like NATO to patrol social networks on the lookout for fraudulent profiles for every NATO official, Cluley said. Still, high-profile brands watch for impersonators, so high-ranking staff should be similarly protected or given guidelines about how they can use social networks safely, he argued.
“The best advice is to only connect with people you know in real life, and when you receive a request from them contact them in real life to confirm it was them who sent it to you,” Cluley said. “Of course, most people will never do that.”