Social Media and Identity Theft Risks PT I

Wednesday, March 24, 2010

Robert Siciliano


Portions of this article originally appeared in the Bank Fraud IT Security Report.

Whether or not you believe social media to be an asset or a liability to your organization, believe this: there are close to half a billion people signed up to and involved in social media. Last time I checked, Facebook had more than 400 million users and Twitter has more than 50 million. Some say social media sites such as Facebook and others combined have close to a billion views per month. Web 2.0 is alive and well and has changed the game for the IT professional.

There are thousands (4600+ on record) of social media sites worldwide such as Facebook, LinkedIn, MySpace, Twitter, and YouTube. Social media networks are quickly becoming the bane of the IT manager.

Social media is still in its infancy and its security has been an issue since its inception. Facebook has been perceived as an ongoing privacy and security issue and Twitter has become a big target. Users are tricked into clicking links. Viruses enter the network as a result of employees downloading or simply visiting an infected page.

For the past year, I've been screaming about the trouble with social media as it relates to identity theft, brand hijacking, privacy issues, and the opportunity social media creates for criminals to "friend" their potential victims in order to create a false sense of trust and use that against their victims in phishing or other scams. I predicted long ago that the problem will get a lot worse before it gets better and there's no question about it, criminal hackers have taken hold and are in full force.

We hear about a new Twitter phishing scam almost daily, whether it's via direct messaging or a shortened URL. My spam folder is filled with emails from Facebook phishers, requesting new login credentials, or a "friend" who's sending me a video that's actually a virus.

Not too long ago, it was big news when someone had their Facebook account jacked by someone who impersonated the victim, claiming to have lost their wallet in the UK and begging for a money wire. Lately, I see another story about another victim every week.

Social Media Identity Theft and Brand Jacking

Scammers aren't just stealing identities and spreading malware. They are brand jacking in ways that are hurting companies' bottom lines. While many may not have sympathy for the bottom lines of billion dollar corporations, this hurts the little guy, too. Knock off software, hardware, merchandise, and movies ultimately cost legitimate taxpayers jobs and hurt the economy when the money is heading to criminal hackers elsewhere in the world. Liz Miller, vice president of the Chief Marketing Officer Council, says, "Counterfeiting operations are highly organized, are very global and are picking up steam because of the economy."

Imagine if someone used your name and image, or the name and logo of a business you own, to create a profile on Facebook, Twitter, or any other social networking website. Then they start posting blogs and sending out links while pretending to be you. They may contact your acquaintances, colleagues, or clients, or they may simply show up when others search for your name. Either way, their intentions are fraudulent. Establishing an online presence using someone else's identity creates unlimited opportunities for a scammer.

Identity thieves are taking advantage of social networking sites to build a home base. Once established, they seem as legitimate as any other user. There are few, if any, checks and balances to prevent this.

Social media identity theft occurs for a number of reasons:

  1. An impersonator may be attempting to steal your clients or potential clients.
  2. He or she could be squatting on your name or brand, hoping to profit by selling it back to you or preventing you from using it.
  3. They could be criminal hackers posting infected links that, if clicked on, will infect the victim's PC or network with a virus that gives hackers backdoor access.
  4. An impersonator may intentionally pose as you, and even blog as you, in order to damage your name or brand. Anything they say to the world that is libelous, defamatory, or just plain wrong hurts your reputation and can even make you the target of a lawsuit.
  5. He or she may be using your identity to harass someone you know.
  6. The impersonator may wish to harass you, perhaps as revenge over a perceived slight or because you sold them a defective product or service.
  7. They may wish to use a name or brand that has leverage, such as a celebrity or Fortune 500 company, as a form of social engineering, to obtain privileged access.
  8. If you or your business sells products or services, identity thieves might pose as you and offer deals with links to spoofed websites, in order to extract credit card numbers.
  9. They may pose as a government entity for the purpose of extracting data and committing new account fraud.
  10. An impostor may be obsessed with you or your brand, and simply want to be associated with you. Posing as you could yield attention and satisfaction.
  11. They could be parodying you or your brand, by creating a tongue in cheek website that might be funny and obvious, but will most likely not be funny to you.

Social media is just a baby. All of the above comes from real-world examples over the past few years. Unfortunately, this list is going to keep growing. The varieties of fraud that can occur via social media are limited only by the imagination of the thief.

  1. Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting. Do the same for your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It's up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday.
  2. Set up a free Google Alert for your name and get an email every time your name pops up online. If you encounter a site that disparages you. Get a Google Profile. It's free and it shows up on page one.
  3. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google Alerts does of fetching your name on the web.
  4. Go to This is an online portal that goes out and registers your name at what they consider the top 150 social media sites.

  5. Start doing things online to boost your online reputation. Blogging is best. You want Google to bring your given name to the top of search in its best light, so when anyone is searching for you they see good things. Bury bad stuff 20 deep. This is a combination of online reputation management and search engine optimization for your brand.

Be Careful What You Post in Social Media

Most people who post personal information about themselves do not recognize the potential consequences of their actions, or maybe they simply don't care if their entire life is an open book.

Before you post anything, ask yourself, should the director of the United States Central Intelligence Agency, which is responsible for providing national security intelligence to senior U.S. policymakers, including the President, and who manages the operations, personnel, and budget of the CIA, have a Facebook page? Should his wife?

Sir John Sawers is the head of MI6, essentially the British equivalent of the CIA. His wife posted sensitive personal information to her Facebook page, including the address of the couple's London apartment and the locations of their children and Sir John's parents. She also posted family photos that included her half-brother, who was an associate and researcher for a historian who has been convicted of Holocaust denial. Her Facebook profile was left open to anyone in the London network.

Patrick Mercer, Conservative chairman of the Commons counter-terrorism subcommittee, has pointed out that these types of Facebook postings leave Sir John Sawers open to criticism and, potentially, blackmail. "We can't have the head of MI6 being compromised by having personal details of his life being posted on Facebook. As a long-serving diplomat and ambassador, his family have been involved in his line of business for decades. I would have hoped they would have been much more sensitive to potential security compromises like this."

Would it be okay for U.S. CIA director Leon Panetta or his wife to post their addresses, vacation photos, children's names and other personal data on Facebook? No! Is it okay for you to do it? You say, "Well, I'm not the director of the CIA." While you may not be a high profile target, you can still be a target on some level, and the more intelligence you make available to potential attackers or criminal hackers, the easier you make it for them to harm you. Nobody ever considers themselves a target until it's too late. If you use social media and regularly update your status or profile with pictures, video, or information about your whereabouts or daily routines, please keep the following advice in mind:

  1. Before you post anything online, think about what a hacker, stalker, employer, or potential employer could do with that data. Could an ex, who's fighting for custody, use the data against you in court?
  2. Don't give away specifics. Don't post your address, date of birth, kids' names, pets' names, phone numbers, or any account numbers or financial information of any kind. You really shouldn't even post children's photos online.
  3. Do not tell the world you are going on vacation! Or if you're just going to dinner or the beach and won't be at your house for several hours, why would you let potential burglars know that you're away?
  4. Before posting pictures or videos, consider what a criminal or potential employer might see. Could they be used against you in any way?

Robert Siciliano Identity Theft Expert discussing Social Media Identity Theft on Fox Boston. Robert Siciliano is CEO of a professional speaker and author and can be reached via
