Schneier on Security
A blog covering security and security technology.
« Crypto Puzzle and NSA Problem |
| Police Powers and the UK Government in the 1980s »
April 8, 2009
Social Networking Identity Theft Scams
I'm going to tell you exactly how someone can trick you into thinking they're your friend. Now, before you send me hate mail for revealing this deep, dark secret, let me assure you that the scammers, crooks, predators, stalkers and identity thieves are already aware of this trick. It works only because the public is not aware of it. If you're scamming someone, here's what you'd do:
Step 1: Request to be "friends" with a dozen strangers on MySpace. Let's say half of them accept. Collect a list of all their friends.
Step 2: Go to Facebook and search for those six people. Let's say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you're already an established friend.
Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send "friend" requests to your victims on Facebook.
As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you'll accept. In fact, Facebook itself will suggest you as a friend to those people.
(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request "friend" status. They sought you out.)
Step 4: Now, you're in business. You can ask things of these people that only friends dare ask.
Like what? Lend me $500. When are you going out of town? Etc.
The author has no evidence that anyone has actually done this, but certainly someone will do this sometime in the future.
We have seen attacks by people hijacking existing social networking accounts:
Rutberg was the victim of a new, targeted version of a very old scam -- the "Nigerian," or "419," ploy. The first reports of such scams emerged back in November, part of a new trend in the computer underground -- rather than sending out millions of spam messages in the hopes of trapping a tiny fractions of recipients, Web criminals are getting much more personal in their attacks, using social networking sites and other databases to make their story lines much more believable.
In Rutberg's case, criminals managed to steal his Facebook login password, steal his Facebook identity, and change his page to make it appear he was in trouble. Next, the criminals sent e-mails to dozens of friends, begging them for help.
"Can you just get some money to us," the imposter implored to one of Rutberg's friends. "I tried Amex and it's not going through. ... I'll refund you as soon as am back home. Let me know please."
Posted on April 8, 2009 at 6:43 AM
• 55 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Of course, one *easy* defense against this kind of thing is to be in contact with your friends in other ways.
In addition to facebook, there's also this amazing device called a 'telephone', or 'far speaker'.
Before I give one of my friends $500 - I'm going to call them to make sure they and their families are alright!
In other words, trust, but verify.
I would also send a check through the mail to my friend, rather than wiring the money. If it needed to be there the next day, I'd just spend that much more on postage to get next-day service, so unless they were also staking out my friend's mailbox, I don't see how they could get the money...
If someone shows up, pretending to be from high-school, and I haven't spoken to them in 20 years, well... I'll be glad to hear from them, but I wouldn't be sending a check for $500 any time in the near future!
I don't understand Step 2: "Request to be their friends on Facebook. All accept because you're already an established friend."
Whose account are you sending the "friend request" from? Does that imply you have already compromised another account?
I don't have a Facebook or Myspace account, so I'm not familiar with the mechanics of this.
> Whose account are you sending the "friend request" from?
Yours. You may have missed step #0 : Create new accounts in MySpace & Facebook. The author does not include this for (I suppose) brevity.
I created a fake identity on Facebook and did this to my friends as a proof-of-concept and to try and convince them to be more careful. Ended up with a lot of friends, most of them assuming they knew "her" because of how many mutual friends they had... they did get suspicious fairly quickly though and start asking around, at which point I revealed the stunt.
And in case you're wondering about this :
"Request to be "friends" with a dozen strangers on MySpace. Let's say half of them accept."
i.e. why would someone accept as a "friend" someone they have never heard of ? Well, people (in Facebook/MySpace et al) do this all the time.
Another important thing to remember is not to give your real birthday date on the web - given that it's a major part of bank security etc. it's not something to share with the whole world.
@Joe: "I don't understand Step 2: "Request to be their friends on Facebook. All accept because you're already an established friend." "
When someone tries to add you as a friend, one thing that facebook shows when you check them out is "friends in common." Chances are, if they are friends with your brother, wife, other friends, or a several of the above, you may think they are someone you have met.
@Dimitris,HJohn: Thanks for those explanations.
I think I also missed this point:
All accept [on Facebook] because you're already an established friend [on Myspace].
Hi Bruce, my dear boy,
I lost my ATM card, and I need some cash. Can you send me some? Say, $500. Don't bother dropping by my house... I am fine. Just send it to the following PO Box in San Antonio.
It works by me locating Bruce's family on MySpace. Then figuring out who of those people do not have a profile on Facebook (say his sister as an example), so now I simply create a profile on Facebook pretending to be his sister.
This way I wiggled my way into an already established trust. So when I send a message to Bruce via Facebook asking for a million dollars transferred to my PayPal account he is more likely to transfer the money. After all I am his sister.
@1: Don't know about you, but there are people (me inclusive) which have been terrorised for a decade by mobiles and who have begun to HATE telephones.
@Blah: "Don't know about you, but there are people (me inclusive) which have been terrorised for a decade by mobiles and who have begun to HATE telephones."
I think mobile phones are the absolute worst invention ever. I refused to own one for years. If I was with my friends, having dinner, or anything (important or recreational) I just would rather not be bothered. Of course, I got a cell phone as birthday present a couple months after I got married. (Thanks honey, I really didn't mean all that stuff I said about not wanting one the two years we were courting.)
I've seen some of my friends on Facebook put their address and phone number on their information page. Anyone they add can see it, and one such person I know has well over 1,000 friends. Not a good combination with videos of his two small children posted.
"Of course, one *easy* defense against this kind of thing is to be in contact with your friends in other ways."
Unfortunatly even "those", people consider to be real friends, that they have known personaly for years will rip them off.
The problem is humans have a "tribe instinct" where a person in the tribe is almost automaticaly trusted at one or more levels. All a "member" of the tribe has to do to exploit this is make their request in a way that the person being "duped" has no real reason to doubt.
It is similar to exploiting other inbuilt trust mechanisums that con artists frequently use.
As has often been observed most peoples understanding of what "trust" is, is almost the oposit of the meaning of trust in "security".
I would also caution everyone to be wary of the "friends of friends" setting. You can secure items by only allowing your friends to view them, or by allows friends and their friends to view them.
On the last facebook item on this blog, I posted how a buddy of mine used this to his legal advantage. I could also be used to one's advantage dubiously.
I would advise to never use this setting. Anyone who is scammed by a friend would then have access to any friends of their victims who use this setting.
Some respondents suggested that before you send a friend $500 you should call to verify. This proposal simply doesn't scale. If the attacks Bruce describes get automated, you'll be getting hundreds of requests each day; think of the amount of spam mail you get. In such a scenario you can't afford to spend time verifying each email you get from a friend in a plausible emergency. When criminals, following the trail of spammers, automate their social networking-based scamming infrastructure people will be shutting down their social networking accounts in droves.
Worse, the attack described here isn't the only one a criminal may mount through a social networking site. Instrumenting the millions of infected PCs to steal login passwords for these sites to scam the owners' friends is probably easier and less risky than trying to divert finds through their owners' e-banking accounts.
I have the perfect defense already in place.
Step 1: Don't join Facebook or MySpace. If you're *really* my friend, then you can easily contact me with that new-fangled "Far speaker" #1 talks about
Step 3: Profit!
The attack doesn't really scale well, either. If it got as bad as you suggest it could then the networking sites would be worthless and people would stop using them.
A "better" attack is actually hinted at by Bruce's comments.
Do the friending thing as described, then just lurk, or, even better, hook it up so that the facebook page reflects the actual person's myspace page. Then scan your page for wording like "Hey I'm now in [Florida, Europe, whatever]" Check the address and rob the house. If you have enough connections and you are smart about it, no one should connect the robbery to their myspace/facebook posts.
"Hi Bruce, my dear boy, I lost my ATM card, and I need some cash. Can you send me some? Say, $500. Don't bother dropping by my house... I am fine. Just send it to the following PO Box in San Antonio."
Mom, I had no idea you were in San Antonio. It sounds like an emergency. I'm sending you the money via FedEx. Is cash okay?
"I've seen some of my friends on Facebook put their address and phone number on their information page. Anyone they add can see it, and one such person I know has well over 1,000 friends. Not a good combination with videos of his two small children posted."
Why is that not a good combination. You can't possibly believe that 0.1% of the Facebook population are child predators?
There's a reason to stay out of MySpace type places and myspacesque habits.
Friend or contact request? If I don't know the person, I'm not adding him/her in my Facebook or Linkedin. Even if he knows any amount of my friends. Or for that matter, even if my friends asked for the money etc (even in person).
@Bruce: "Why is that not a good combination. You can't possibly believe that 0.1% of the Facebook population are child predators?"
No, I don't believe that 0.1% of people on Facebook are predators. But I do think that the smaller percentage of potential predators would seek out targets. I've got more than a few friend request from people I don't know and I reject them, but the gentleman I am referring to pretty much adds everyone because he is an assistant pastor at a large church. Which is understandable
Granted, I agree that the risk is small, but if he's going to add everyone whether he knows them or not, he probably should protect his information a bit better.
I'll fully disclose that I work for an entity that deals largely in crimes against children, so I may err on the side of caution moreso than the statistics would suggest. But you are correct, the numbers are small.
This is really just an offshoot of identity theft, and nothing special about social networks. Here is another common thing I've seen as a vulnerability, although I don't know it's being exploited:
Game portals (usually casual Flash games) often give developers a way to monetize their efforts. It is not unheard of for some chucklehead to submit someone else's game as their own, but it is usually an obvious theft (e.g. user account is "noob123" but the game credits "Big Game Company"). Seems like it wouldn't be that hard to steal the credit as well by naming an account "biggameco" or something similar, and in doing so it makes people less likely to call you a thief outright.
Seems a bit of a hassle, but just like social network sites pop up all the time, so do game portals. Unless you're aware of every little distribution chain that exists for your identity, the opportunity exists for some early-bird scammer to get there first and impersonate you. Pushing people away from you, to Twitter or Facebook or whatever the next big thing will be, is a terrible way to network.
I guess these attacks would work on people who have hundreds of "friends", and think a long list shows how popular and worthy they are, but my list is limited to about 30 close friends and family members, and any friend request I get from a name I don't recognize gets a reply saying "sorry, I seem to have lost the brain cell that had your name on it ... where do I know you from?"
If he's a pastor, his address and phone are already undoubtedly public in a thousand different venues; how is putting them on Facebook more dangerous?
If your response is, "because he has the videos of his children, and predators surf Facebook", you're ignoring a rather large part of the equation.
The risk that your children will be targeted by a predator is the sum of the risks of the various vectors. Almost all predation events come from known acquaintances and family members... the outlying predators troll for victims in lots of different ways; at parks, malls, online, church group meetings... anywhere children congregate.
In order for this behavior to make an actual difference in your child's safety, you'd have to become the target of a random predator (really unlikely event) who chose your children as a target via Facebook (really unlikely event) when you're already within their geographical predation zone *and* you're not already on their list because of the fact that they can or will settle on you as a target through one of their other methods (yet another pair of really unlikely events with a union that is even smaller). Total probability of this happening: marginally bigger than zero. With a population of 300 million, likely to happen to somebody. Probably won't be you.
Balance this against the much more likely event that someone young suicidal teen can find your phone number easily via Facebook and call you when they're despondent (which, at least in the case of a pastor, is probably at least a few-in-a-career event). Also pretty unlikely, but several orders of magnitude more likely than Scary Online Predators.
Let me put it another way.
My wife called me a few weeks ago afraid she forgot to lock the front door and asked me to run home and check on it. I didn't because I wasn't worried that one person may happen to try to unlock it on that one day. That doesn't mean I leave it unlocked and take the chance every day for years.
Perhaps I am more sensitive to it because I've worked around (admittedly rare) cases. The risk is not large, and not doubt he is visible in the community, but that is also interesting considering he probably wouldn't peal out so much information to anyone who asked. Like the door locking analogy, it's a risk I wouldn't take over time (but wouldn't worry about it on a daily basis).
Put another way: Based on those odds, I would bet a very large sum of money that nothing would happen to the children, but I wouldn't bet the children on it. (I might bet my wife, but certainly not the Playstation. Kidding.) :)
to say "don't join facebook, myspace, or (insert social network tool here)" is no different than throwing other security concerns back in your face by saying "why are you folks whining about all this crypto/security stuff? don't use a computer...".
if you choose to use a social networking medium, you need to acknowledge the possible risk vectors you expose yourself to. knowing what is out there for your "garden-variety" id theft, scams, etc, and how these can be propagated via social networking sites is relevant data.
we can ALL avoid any "outside" risk... dont' leave your house. course, then you have to worry about your house consipiring against you... oi. :)
You can avoid a lot of risks with some common-sense measures.
If I haven't met you outside Facebook, you aren't my friend.
I don't put anything on Facebook if I would mind if anybody on the planet saw. Hence, no need to worry about security (I really don't care about the fact that I'm not baring my soul on a social web site).
I don't lend money or invest in things or anything like that to anybody I don't know from meatspace. I have this little mental alarm that goes off if anybody wants my money or personal info or credit card numbers or whatever. Cultivate one yourself.
I think I'm pretty safe on Facebook. Of course, I'm not really one of the customers they're aiming for.
@ Bruce Schneier,
"Why is that not a good combination. You can't possibly believe that 0.1% of the Facebook population are child predators?"
Err in the UK the Met Police certainly appeared to belive that 0.1% of the general population where child predators or at least purchacing "child porn" on line with credit cards.
The infomus Operation Ore involved US authorities sending the UK a list of over 5,000 names and credit card details of people supposadly downloading "child porn" via a US based "gateway" site.
One of the people in involved in Operation Ore indicated that this was the "tip of the iceburg".
So if 5000 is aproximatly the visable 10% (ie the iceburg tip) and the UK has a population of around 50,000,000 that kind of comes out at 0.1% of the population twice that if it's "males only"...
This scheme has a chance of working if the number of friends on facebook are different than the ones on myspace and assuming that the user has both. The majority of my friends have either one or the other.
Given that the it works, to actually scam someone to send money would be really tough to work. Because if I happen to know that one of my friends is in trouble I would call them first or call their family to make sure everything is ok before sending any money. Problem is that the scammer can't do much about it since I already have their phone number (being my friend).
I think the percentage of people who are threats of any kind are very tough to measure. Percentages can give a false sense of security if not understood, because it measures the percentage of the population that would do something, but does not measure how one opens to door the let them in or how they seek them out.
Here's an(other) analogy (forgive me). If you are in a starbucks with your laptop, and you need to go to the restroom. If you pick someone at random and ask them to watch it for you, your odds are very good at picking an honest person (the 0.1% or whatever it would be applies). However, if you start closing up your laptop and someone volunteers to watch it while you go to the restroom, your risk is much greater because the threats seek out targets (i.e., the 0.1% applies if you get them randomly, but not if they seek you out--an honest person is unlikely to ask to be a facebook friend if he doesn't know you, for example).
This suggests that a level of trust verification has been lowered to the level of name and association alone due to facebook and myspace.
However, these problems existed long before. Social engineers are known to leverage the name of someone you might know to build trust, regardless of whether they are on social network sites.
I can imagine the real trick would be to have a target in mind, A, that is on Facebook and not on Myspace.
If you can do some snooping and find a probable friend, B, that is on Myspace but not on Facebook you then create a fake account for A on Myspace and B on Facebook and engineer the A/fake B and B / fake A friendships.
From then on you scam A as fake B, and if A asks about or discusses anything at all that's not scam related you just proxy the discussion via fake A to B.
Everything non scam related is a genuine conversation between the two of them, perhaps with a bit of editorial work to prevent them from arranging a meeting for a while so they don't get too close.
perhaps a dd a little to this scenario:
A) have a really hot picture. send out friend requests. people show of ftheir friends and are much more likely to accept a strainger with a hot pic. I know as I have yet to accept that very hot chick from Turkey that sent me a frind request, but am considering it.
b) at least in facebook, accepting some stupid application automagically gives it full access to your profile and friends. this means that an app that mines friends and then pulls the OP stunt can worm its way through the entire ecosystem.
so now I find myself on Facebook checking out Clive Robinson, Davi Ottenheimer, Pat Cahalan, Diomidis Spinellis, Dimitris Andrakakis, etc.
"so now I find myself on Facebook checking out Clive Robinson, ... ...etc."
Come back and tell me what you find out?
Interestingly, I recently did look up "Clive Robinson" for various good (I promise) reasons, even though I haven't got around to contacting him (you) yet. It wasn't Facebook but Linkedin that gave the most information.
Are you the one from near Portsmouth? if so, I found out a fair deal about you (not that it sounds like that you are the type either to fall for a scam or be sexually predated - sorry).
@ Mortals chiefest enemy,
"Are you the one from near Portsmouth?"
No, but if he's the one I think you mean we bumped into each other at a security confrence a few years ago and he was interested in talking employment.
Nor am I the one in a University research park in the more northerly parts of England...
And there are at least another couple you could pick from and still not be right...
Worse if you look back at my postings on Bruce's blog you will find that not only are there quite a few people with my name but there are several people that look sufficiently like me that even my other halfs perents saw somebody (who I know) from about 50 yards away at a railway station and thought it was me.
Then there is another friend who due to a mix up at a hotel abroad a group of us where staying at traveled all the way back to the UK on my passport whilst I traveled on theirs. Neither of us realised untill a bank clerk pointed out that my name was not the same as the one on the form he was filling out...
And at nearly 2m tall and built like "a bad hair day grizzly bear", (but sadly not as cute 8) you would think I would be difficult to mistake for other people...
The author hasn't seen this in practice? Clearly the author doesn't visit /b/
You should change your name to Farles Fickensmmmmq.
I grok your analogy, but it breaks down quite a bit (fatally so) when you're talking about large scale communities.
In the Facebook realm, with millions of users, a closer analogy would be that you're crammed into a Starbucks with 10,000,000 other customers. Maybe 1,000,000 of them have a particular identity profile (laptop) that a particular predator may find interesting. 99% of them leave those laptops lying around unattended for 90% of the time. This is true if you're talking about child predators looking for parents with contact information and cute kid profile pictures, or a classic grifter looking for older people who join lots of conspiracy groups and therefore might be gullible, etc.
In this case, there's 990,000 unattended laptops lying around the Starbucks for maybe a couple of dozen actual predators. The sheer volume of targets makes your particular laptop (even if you have the cutest kids ever) a really unlikely target.
Sure... if it's no skin off your nose (as you pointed out earlier in the door analogy, locking the door isn't really much of an inconvenience almost all the time), then maybe taking the extra security steps might yield a marginal increase in security. But in practical terms, it's a "feel good" security, not a quantifiable risk reduction.
"You should change your name to Farles Fickensmmmmq."
I thought about that but I looked around and there appeared to be people using anything that did not cause a stutter or a stammer (and a few that did).
So I thought "Aw shucks my parents gave me my name for some reason" (shame they never told me what it was though).
Heck I gues the more there are the better the name ;)
So which Pat am I chatting to today?
Why is this clever? It's not and actually it's unrealistic. People view their social network friends differently than their friends in real life. If they saw a friend of a friend ask for money, they are not just going to cough up the money.
I think it's funny that people who don't even participate in social networks seem to think they have well formed opinions of how to carry out attacks on them. The problem is that the premise for the attack is faulty. Rather than type everything out, I just posted in my blog about it:
In the post I mention how attacking innocuous functions could be used to semi-hijack the users account and give it a higher degree of success. This is something I went in to during the talk at Black Hat and Defcon last year.
The mention of child predators on social networks is just laughable. Let's stick with the real issues with social networks, because there are plenty of them. These issues are distractor issues that pose very little risk.
From the comments, it sounds like some people are misinterpreting the article. The power of the attack isn't that you create a fake profile in one place, make friends, and then fool them with the fake profile in another place. It's that you make a fake profile, use it to spy on your "friends" and use that knowledge to create a fake profile of real people they already know.
For instance, you start out as "George" in Facebook and befriend a bunch of people. One of them is Bob. Once you're friends with Bob, you can see his friends, people he already knows and trusts. For instance, you may learn that Bob has a sister Betty. Then you go over to MySpace and imitate those people, like Bob's sister Betty, if she doesn't already have an account.
The scam is in tricking Bob to think he's sending money to Betty, not in coercing Bob to just start trusting George.
@Davide: your statement that most of your friends have either Facebook or MySpace but not both makes this work particularly well, as most of them have left the other site empty and ripe for an imitation account. With a little work an active scammer would have a chance to make handfuls of imitations on both sides.
Social Networks have no authentication at all. We should simply be aware of this fact all the time.
Your door locking example is a good one, but the problem with it is that people who have chosen the line of work of the assistant pastor you mentioned habitually do the equivalent of leaving the door unlocked. They want to be accessible to do their job the way their beliefs say they should do it. Many (most?) of them realize that being accessible to people who need them also leaves them open to people who want to hurt them, but they feel the greater good outweighs the greater risk.
One could make similar arguments about leaving one's house unlocked - if your friend drops by to see you on a hot day & finds the door unlocked but you not home, he can have a cool refreshing beverage from your fridge and wait for you, or just get the drink & be on his way. Or he could return that drill he borrowed without leaving it out in the rain. In non-urban settings, people leave their houses unlocked like this all the time, because the perceived benefit outweighs the perceived risk.
If you accept friend requests on social networking sites from people you don't know and have never heard of, hell mend you, I say.
The sympathy meter is reading zero.
> So which Pat am I chatting to today?
Unless I've missed a thread or two, I think there are no particular incidents of someone masquerading under my name. All the boneheaded comments that are attributed to me are most likely, in fact, my cross to bear.
@nathan who said, "The problem is that the premise for the attack is faulty."
What are you on about? Just because one example of requesting cash may not work, doesn't entitle you to the conclusion that spoofed profiles don't work.
Where'd you learn logic?
Since I can't share a pint with a friend on MySpace, I don't have much use for it. Other than to keep in contact with out-of-town friends that can't remember my Email address. :)
Quite correct. More than half of the posters seem to have completely missed the point of the attack.
This is about a method for tricking someone into thinking I am their sister/best friend/boss, then scamming money. Almost all the comments assume that it is about tricking people into sending money to anonymous "friends". It isn't.
The attack makes a lot more sense when you realize it is a method for finding people you already know well and trust,, collecting information on those people, and then impersonating them. People, that is to say, who you might send money.
I am always amazed at how clever the identity thieves are - if only they would work on real problems to solve! but they are effective, here is an update on Symantic's ID Theft report: http://ratenerd.com/...
money is ok, u will verify before giving. but suppose you are victim, now "he" got that u r on myspace and not on facebook: he will create a same profile with ur photos and all.
see how that bad will be ..
in no time u will lose your identity.
As I read the percentages of child predators who might be trolling on MySpace etc., I wonder, does anyone want to take that tiny chance that their child will be that one out of a ????Truth is that 4 out of 10 girls and 3 out of 10 boys are molested during their childhood. Some of those pervs are looking on the Internet.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.