By Asheeta Regidi

As cybercrime becomes more targeted and professional, cybercriminals are seeking larger volumes of more specific information about people. Social media sites have become a haven for them because of the sheer volume of personal information available there. Facebook reportedly has 50-100 million fake accounts, of which at least 14 million are ‘undesirable’. With major anti-spam and similar security measures in place, cybercriminals are getting more innovative with their methods.

Fake Twitter Family Trees

The use of Twitter to spread spam is not new. To get around Twitter’s anti-spam measures, spam operations are turning to more complicated and sophisticated means. Symantec reports one such example: an elaborate fake Twitter ‘family tree’ set up by spammers, consisting of hundreds of thousands of fake Twitter accounts.

At the top of the family tree were accounts impersonating celebrities which, among other tweets, tweeted a miracle-diet spam link. Images of real celebrities like Lady Gaga and Britney Spears were used to add to the authenticity. These tweets were retweeted by several ‘parrot’ accounts, which followed anyone and everyone so that they would follow back. The parrot accounts were surprisingly effective in getting real people to follow them back.

Example of a spam tweet being retweeted (Image: Symantec)

In addition to the miracle-diet retweets, the parrot accounts also tweeted messages that were actually tweets by other real people, in order to escape detection by Twitter’s anti-spam filters. At the bottom of the family tree were accounts with no Twitter activity at all, which existed simply to lend the parrot accounts authenticity by strength of numbers. The sheer number of accounts convinced people that the miracle-diet links being tweeted and retweeted by the family tree were genuine. Clicking the spam link took people to websites designed to look like a women’s lifestyle site, which sold the fake miracle diet pill. The website also linked them to fake online surveys, which were used to extract credit card details and other personal information from the victims.

Password Recovery Scams

This scam makes use of the password recovery features of sites like Gmail and Facebook. It starts with the scammer acquiring the victim’s e-mail address and phone number, both of which are quite easy to find online. The scammer then goes to the login page for the victim’s e-mail account, clicks the ‘Forgot password’ link and requests that a verification code be sent by SMS to the phone number registered on the account, which is the victim’s phone. Once the code has been sent, the scammer sends the victim an SMS reading “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.” People’s automatic tendency to trust figures of authority leads them to forward the verification code to that number. The scammer can now reset the password and gains access to the victim’s e-mails, contacts and most of their online activity. The attackers sometimes also send an SMS with the new password, such as “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]”, and add an alternate e-mail address to the victim’s account so that the victim’s e-mails, present and future, are copied to that address.

The detail that gives this scam away is that a genuine provider never asks for a verification code to be sent back by SMS: the code is meant to be entered only on the provider’s own password-reset page, and a code you did not request is itself a sign that someone else is trying to reset your password.

Social Engineering

Symantec’s Internet Security Threat Report (ISTR) 2016 reports that companies have lost millions of dollars to phishing e-mails so convincing that employees believed them to be official company wire-transfer requests.

Example of a phishing e-mail (Image: Wikipedia)

A phishing e-mail that looks this authentic is not possible without a large quantity of insider information. Company websites and employee devices are a major source of such information, and cybercriminals are now also tapping social media sites for it. These sites are a favourite of cybercriminals for obtaining people’s passwords, contacts, co-workers and business operations. The ISTR reports that with information such as a company’s organisational structure so easily available online, phishing e-mails can demonstrate an understanding of the business and knowledge of key executives, which makes them a lot more convincing.

Fake Instagram Followers

Companies often pay popular Instagram users with large followings to promote their products. This has led people to seek larger numbers of followers in order to make money, and cybercriminals are cashing in on this to trick them. Cybercriminals have been offering free Instagram followers. Clicking on the link leads users to a fake Instagram login page, which is used to capture their login details, take over their accounts and the followers attached to them, and drive the users to fake online surveys.

Fake Online Surveys

Fake online surveys trick people into handing over personal information through the questions they ask. People are also paid to take online surveys, which has led to survey scams similar to the ‘click to earn money from home’ scams: people are asked to pay money upfront, perhaps as a ‘membership fee’, in order to earn money by taking online surveys, and the promised earnings never materialise.

Fake Customer Service Accounts

People often post consumer complaints on Twitter and Facebook, such as complaints about bad service or a faulty product. Scammers respond to these, inviting the complainant to contact the ‘official’ customer service account. These fake accounts are used to phish for bank login details and other sensitive information.

Other Activities

The ISTR also reports a range of other methods used by scammers on social media:
- Manual Sharing: Scammers post intriguing videos, fake offers and messages that people then share with their friends.
- Fake Offering: Victims are invited to join a fake event, using incentives such as a gift card; joining the event normally requires entering login details first.
- Likejacking: Fake ‘Like’ buttons that instead lead to the installation of malware and automatically share the scam on the victim’s wall.
- Fake Apps: Victims are invited to subscribe to an application that appears to be integrated with the original social media site; it may be used to steal personal information or login details.
- Fake Plugin: Victims are invited to install a plugin to view a video, but the plugin also installs malware.
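The wire-transfer phishing described under Social Engineering above works because the sender looks like a known executive. The script below is an added example, not code from the article or from Symantec’s report: it applies the sender-side checks a mail gateway or a cautious finance team can make before acting on a payment request. The company domain (examplecorp.com), the executive (Jane Doe), the payment phrases and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's real mail domain and the
# executives whose names a wire-transfer phishing e-mail would borrow.
COMPANY_DOMAIN = "examplecorp.com"
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}

# Phrases typical of a payment-diversion request (extend from real incidents).
PAYMENT_TERMS = re.compile(
    r"\b(wire transfer|wire the funds|urgent payment|new account details)\b", re.I)

# Characters attackers swap in so that a lookalike domain reads like the real
# one at a glance: 0 for o, 1 for l, 3 for e, 5 for s, rn for m, vv for w.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Undo the common homoglyph substitutions before comparing domains."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when a domain imitates COMPANY_DOMAIN but is not COMPANY_DOMAIN."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    if normalise(domain) == normalise(COMPANY_DOMAIN):
        return True
    return edit_distance(domain, COMPANY_DOMAIN) <= 2


def bec_findings(raw_message: str) -> list[str]:
    """Return the anomalies that make a message look like a BEC attempt.

    An empty list means none of these heuristics fired, not that the mail is
    safe: SPF/DKIM/DMARC at the gateway and out-of-band confirmation of any
    payment change remain the authoritative controls."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]

    # 1. Display-name spoofing: the executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' but sender address is {addr}")

    # 2. Lookalike sender domain (homoglyph or typo-squat of the company domain).
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} imitates {COMPANY_DOMAIN}")

    # 3. Reply-To steering replies to a mailbox the attacker controls.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} is outside the sender's domain")

    # 4. Payment instructions in a message that already has sender anomalies.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if findings and PAYMENT_TERMS.search(text):
        findings.append("payment instructions combined with the anomalies above")
    return findings


# Constructed sample messages (not real mail).
LEGIT_MAIL = """From: Jane Doe <jane.doe@examplecorp.com>
To: accounts@examplecorp.com
Subject: Q3 numbers
Content-Type: text/plain; charset=us-ascii

Please send me the Q3 numbers when they are ready.
"""

PHISHING_MAIL = """From: Jane Doe <jane.doe@exarnplecorp.com>
Reply-To: jane.doe.ceo@mail.example
To: accounts@examplecorp.com
Subject: Urgent - confidential
Content-Type: text/plain; charset=us-ascii

I am in a meeting and cannot take calls. Please process an urgent payment
by wire transfer to the new account details below before close of business.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MAIL), ("phishing", PHISHING_MAIL)):
        print(label, bec_findings(raw) or ["no findings"])
```

The lookalike check deliberately normalises both sides before comparing, so a company domain that itself contains “rn” or a digit is not misread as an attack on itself; the two-edit threshold should be tuned to the length of the real domain, since a very short domain has many legitimate neighbours.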
Tackling Social Media Cybercrime

A victim of a social media cybercrime must keep in mind that, under Section 79 of the Information Technology Act, 2000, intermediaries like Facebook and Twitter cannot be held liable for content, links or information made available by third parties on their websites, so long as they observe the due diligence the Act requires of them. The victim’s remedy is to file an FIR with the nearest police station, and to do so at the earliest: in cybercrime, time is of the essence, particularly for collecting highly volatile electronic evidence. Victims can collect evidence themselves, such as screenshots of their computer or mobile screens, which are quicker to capture than a downloaded soft copy; a screenshot is most useful when it shows the full URL or account handle and the date and time, and the original message, e-mail headers or page should be preserved as well wherever possible.

Basic precautions should also be taken: avoid automatically following back anyone who follows you on Twitter, check the authenticity of the websites you log into and the e-mails you receive, and be cautious about the amount of personal information you share online. Victims can also do their bit by preventing the further spread of scams.

Indian IT law also imposes some responsibilities on intermediaries like Facebook and Twitter, such as the duty to carry out due diligence and to implement security practices and procedures to protect customer data. Under Rule 3(4) of the Information Technology (Intermediaries Guidelines) Rules, 2011, an intermediary must act to remove objectionable information on its site within 36 hours of it coming to its knowledge. Most of these websites have ‘Report spam’ and similar features that enable users to report such scams.
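The fake Instagram login page and the fake customer service accounts above, and the advice to check the authenticity of any site you log into, all come down to the same question: is this really the service’s own host? The script below is an added example, not code from the article or from any of the services named in it. It performs the checks a practitioner applies to a login link before entering credentials: the scheme, a username smuggled in before an ‘@’, a raw IP address, punycode labels, and a brand name that appears in the host or path without the host belonging to the brand’s domain. The allowlist of genuine login hosts is an assumption made for the example and should be verified against the real sites; the URLs tested are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example: the hosts on which these services
# are assumed to serve their login pages (verify against the real sites).
GENUINE_LOGIN_HOSTS = {
    "instagram": {"instagram.com", "www.instagram.com"},
    "facebook": {"facebook.com", "www.facebook.com", "m.facebook.com"},
    "twitter": {"twitter.com", "mobile.twitter.com"},
    "google": {"accounts.google.com"},
}

# Characters attackers swap in so that a lookalike host reads like the real
# one at a glance: 0 for o, 1 for l, 3 for e, 5 for s, rn for m, vv for w.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(host: str) -> str:
    """Undo the common homoglyph substitutions before looking for a brand name."""
    return host.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def registrable_domain(host: str) -> str:
    # Simplification: the last two labels. A production check would use the
    # public suffix list so that e.g. example.co.uk is handled correctly.
    labels = host.split(".")
    return ".".join(labels[-2:])


def login_url_red_flags(url: str) -> list[str]:
    """Return the reasons a URL should not be trusted as a login page.

    An empty list means none of the checks fired; it is not proof the page
    is genuine, so pair it with is_genuine_login_host() below."""
    flags = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        flags.append("not served over https")
    # 'https://instagram.com@evil.example/' : the real host is after the '@'.
    if parts.username is not None:
        flags.append(f"text before '@' is a username; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label; could be a homograph of a real domain")

    for brand, hosts in GENUINE_LOGIN_HOSTS.items():
        if host in hosts:
            continue
        genuine_domains = {registrable_domain(h) for h in hosts}
        brand_in_host = brand in normalise(host)
        if brand_in_host and registrable_domain(host) not in genuine_domains:
            # 'instagram.com.free-followers.example' or 'instagrarn.com'
            flags.append(f"'{brand}' in the host but the domain is {registrable_domain(host)}")
        elif not brand_in_host and brand in parts.path.lower():
            # 'https://evil.example/instagram/login'
            flags.append(f"'{brand}' appears only in the path; the host is {host}")
    return flags


def is_genuine_login_host(url: str) -> bool:
    """True only when the host is on the allowlist and nothing else looks wrong."""
    host = (urlsplit(url).hostname or "").lower()
    on_allowlist = any(host in hosts for hosts in GENUINE_LOGIN_HOSTS.values())
    return on_allowlist and not login_url_red_flags(url)


if __name__ == "__main__":
    # Constructed URLs: one genuine, the rest shaped like the scams in the article.
    for url in (
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.free-followers.example/login",
        "http://instagram.com@203.0.113.5/login",
        "https://instagrarn.com/accounts/login/",
        "https://help.instagram.com/",
    ):
        print(url, is_genuine_login_host(url), login_url_red_flags(url))
```

Note that the last URL produces no red flags yet is still not accepted as a login host: a subdomain of the real domain is not necessarily where the service collects passwords, so an allowlist of the actual login hosts is what decides, and the red-flag list only explains why a rejected link looked wrong.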