Cyberscams befriend social networks
How Facebook, LinkedIn and other sites are fighting a rise in scams
Remember the associate of that deposed dictator who needed your help transferring a few million dollars from a Swiss bank account? Well, he's back. And he — or one of his ilk — may show up soon posing as your "friend" on Facebook.
Someone bearing an eerie resemblance to those ubiquitous perpetrators of so-called Nigerian scams ended up in the online social network of Australian citizen Karina Wells. Earlier this month Wells received a message on Facebook from someone she thought was her real-life friend Adrian. He wrote that he was stranded in Lagos, Nigeria, had no access to a phone, and needed Wells to wire $500 for a plane ticket home. "Adrian" even pleaded for help in a real-time conversation over Facebook's chat service.
Wells didn't buy it. She alerted Australian authorities and Facebook, each of which is conducting an investigation. Although the details have yet to be confirmed, Facebook officials believe someone obtained Adrian's log-in credentials through a "phishing" scheme, luring him to a dummy site where he was asked to enter his Facebook password. The incident was initially reported by the Sydney Morning Herald and later confirmed by BusinessWeek.com.
Wells thwarted the apparent ruse, but officials and security experts warn such scams may become more common in an online world where millions of people interact daily, often sharing intimate details with widening circles of friends.
"Implied trust"
While e-mail is still the most common online method used by scam artists to contact potential victims, fraudsters are increasingly turning to Web pages, a category that includes social networks, according to the FBI and the National White Collar Crime Center. Last year the total amount of money reported lost through Internet crime in the U.S. rose 21 percent, to a record $239 million, according to those agencies.
The victim was contacted through a Web page in 32.7 percent of those cases, up from 16.5 percent in 2005. Social networks are partly to blame for the increase, officials say. "There is an implied sense of trust, and there's not the sense that we can be physically harmed," says Shawn Henry, assistant director of the FBI's Cyber Investigations division.
Social networks are also more ubiquitous, Henry notes. "Many [criminals] have now moved to computer networks because that's where the victims have moved and, therefore, the opportunities." According to comScore (SCOR), the number of unique visitors to all social networking sites worldwide reached 689 million in October, up 35 percent from a year earlier.
It's not difficult for a savvy Web surfer to impersonate someone else in cyberspace, as a high-profile cyber-bullying trial now under way plans to show. On Nov. 18 jury selection began in a federal court in Los Angeles for the case of Lori Drew, who prosecutors say passed herself off as a teenage boy in a widely publicized case of impersonation on a social networking site.
Two years ago 13-year-old Megan Meier hanged herself after receiving messages from "Josh," an older boy she had befriended on News Corp.-owned (NWS) MySpace, who allegedly later told her that the world "would be better off" without her. According to prosecutors, an investigation ultimately revealed that "Josh" was a fictitious online persona of multiple people, including Lori Drew, the mother of one of Meier's teenage rivals. Drew now faces one count of conspiracy and three counts of accessing computers without authorization.
Fooling security experts
A pair of online security industry consultants carried out an experiment recently to demonstrate just how easy it is to masquerade as someone else on LinkedIn. Shawn Moyer of FishNet Security and Nathan Hamiel of Idea Information Security got permission from a friend to set up a phony profile page on the networking site aimed at professionals.
Together, they posed as Marcus Ranum, a consultant renowned for building the first e-mail server for whitehouse.gov and who now serves as chief of security for Tenable Network Security. Moyer and Hamiel used Ranum's name, résumé, and photo (all of which they found on the Web without any help). Moyer and Hamiel then set about seeking to connect with chief security officers and chief information officers of large companies, an editor-in-chief of a security trade magazine, defense industry professionals, and other people whom Ranum might know in real life.
Despite their online security expertise, most accepted the request. And once the fake Ranum had several authentic connections within the industry, he looked even more credible to the next target. "I would have expected that the security community would have been a little more paranoid," Ranum says.
The experiment proved to Moyer and Hamiel what they had suspected: Users of social networking sites expect little more proof of a friend's identity than a name, a photo, and a few bits of knowledge about their real life. "What if I wanted to get inside IBM (IBM)?" asks Moyer. "What if I had wanted to get inside the [U.S. Defense Dept.]? Who else might Marcus know?"

