The FBI has in the past two years seen a major uptick in the use of social networking accounts such as Facebook and MySpace for cyber crime, and today it detailed that problem to the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security.
"Regardless of the social networking site, users continue to be fooled online by persons claiming to be somebody else," Gordon Snow, Assistant Director of the FBI's Cyber Division, told the subcommittee. "The surge in the use of social networking sites over the past two years has given cyber thieves and child predators new, highly effective avenues to take advantage of unsuspecting users."
Just this month the FBI issued a warning about scammers trying to steal your money by posing as a good friend left stranded somewhere in need of quick cash. The Internet Crime Complaint Center (IC3) said it is getting reports of individuals' e-mail or social networking accounts such as Facebook being compromised and used in a social engineering scam to swindle consumers out of thousands of dollars. Posing as the victim, the hacker uses the victim's account to send a notice to their contacts.
Online scams in general continue to be the scourge of the Internet and there seems to be no end to the "imagination" of these criminals, the FBI stated in its annual look at Internet crime, earlier this year. Annual crime complaints reported to the IC3 have increased 667.8% between 2001 and 2009.
Meanwhile, Snow outlined some of the most serious social networking cybercrimes in his testimony, which I have summarized below. They include:
Phishing: Phishing attacks on social networking site users come in various formats, including: messages within the social networking site either from strangers or compromised friend accounts; links or videos within a social networking site profile claiming to lead to something harmless that turns out to be harmful; or e-mails sent to users claiming to be from the social networking site itself. Social networking site users fall victim to the schemes due to the higher level of trust typically displayed while using those sites. Users often accept into their private sites people that they do not actually know, or sometimes fail altogether to properly set privacy settings on their profile. Social networking sites, as well as corporate websites in general, provide criminals with enormous amounts of information to create official-looking documents and send them to individual targets who have shown interest in specific subjects. The personal and detailed nature of the information erodes the victim's sense of caution, leading them to open the malicious email.
Data Mining: Cyber thieves use data mining on social networking sites as a way to extract sensitive information about their victims. This can be done by criminal actors on either a large or small scale. For example, in a large-scale data mining scheme, a cyber criminal may send out a "getting to know you quiz" to a large list of social networking site users. While the answers to these questions do not appear to be malicious on the surface, they often mimic the same questions that are asked by financial institutions or e-mail account providers when an individual has forgotten their password. Thus, an e-mail address and the answers to the quiz questions can provide the cyber criminal with the tools to enter your bank account, e-mail account, or credit card in order to transfer money or siphon your account. Small-scale data mining may also be easy for cyber criminals if social networking site users have not properly guarded their profile or access to sensitive information. Indeed, some networking applications encourage users to post whether or not they are on vacation, simultaneously letting burglars know when nobody is home.
Cyber Underground: The cyber underground is a pervasive market governed by rules and logic that closely mimic those of the legitimate business world, including a unique language, a set of expectations about its members' conduct, and a system of stratification based on knowledge and skill, activities, and reputation. One of the ways that cyber criminals communicate within the cyber underground is on website forums. It is on these forums that cyber criminals buy and sell login credentials (such as those for e-mail, social networking sites, or financial accounts); where they buy and sell phishing kits, malicious software, access to botnets; and victim social security numbers, credit cards, and other sensitive information. These criminals are increasingly professionalized, organized, and have unique or specialized skills.
Beyond Cyber Crime: Valuable information can be inadvertently exposed by military or government personnel via their social networking site profile. In a recently publicized case, an individual created a fake profile on multiple social networking sites posing as an attractive female intelligence analyst and extended friend requests to government contractors, military and other government personnel. Many of the friend requests were accepted, even though the profile was of a fictitious person. According to press accounts, the deception provided its creator with access to a fair amount of sensitive data, including a picture from a soldier taken on patrol in Afghanistan that contained embedded data identifying his exact location. The person who created the fake social networking sites, when asked what he was trying to prove, responded: "The first thing was the issue of trust and how easily it is given. The second thing was to show how much different information gets leaked out through various networks." He also noted that although some individuals recognized the sites as fake, they had no central place to warn others about the perceived fraud, helping to ensure 300 connections in a month.
The FBI's director, Robert Mueller, this week told the Senate Judiciary Committee that the FBI's response to growing cyber crime threats begins with its cyber squads in each of the FBI's 56 field offices with more than 1,000 specially trained agents, analysts, and digital forensic examiners. "The FBI has also led the development of the National Cyber Investigative Joint Task Force, which now includes 17 intelligence and law enforcement partners working side-by-side to identify the source of national security threats and significant Internet schemes. In support of victims of Internet crime, the FBI has expanded the IC3, which continues to receive, track, and refer for prosecution the ever-increasing wave of Internet crimes, from child exploitation to fraud," he stated.
Follow Michael Cooney on Twitter: nwwlayer8
Copyright © 1994 - 2010 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.