Ash Nallawalla's blog

Why people fake profiles in social media

Techworld and ComputerWorld recently reported an incident that shows the risks of engaging with strangers via social networks. Thomas Ryan from security company Provide Security (with a generic name like that I feel for their SEO person) created a fake profile for a fictitious woman named Robin Sage, who posed as a Navy cyber threat analyst and tried to befriend around 300 real people in the US military, defence contractors, infosec companies and intelligence agencies. It was a 28-day experiment that was to be showcased at the Black Hat USA 2010 conference, which finished yesterday.

This incident is a sobering reminder of how easy it is to conduct social engineering for nefarious purposes. Fortunately, no real damage was done beyond the accounts being cancelled (Facebook also banned Ryan permanently and closed his account). The fake LinkedIn profile is still visible in the Google cache.

Intelligence Gathering

However, DarkReading.com, a security-related website, provided more details about a more serious incident involving the fake Robin Sage. A soldier in Afghanistan had uploaded digital photos that were taken during his deployment. While we see such images every day in the news media, getting hold of the actual image file reveals a lot of metadata embedded by the camera (the EXIF block, which records the camera make and model, the time the shutter fired and, when a GPS receiver is present and switched on, the coordinates). High-end cameras such as my Panasonic Lumix ZS7/TZ10 (well, it’s at the high end of the non-SLRs) have a GPS receiver that can be switched on to store the camera’s geographical coordinates in that block when the image is taken. Some sites strip this metadata on upload, but a file passed on directly, by email or a file-sharing link, keeps it.

In most cases, the enemy knows the positions of Coalition army patrols in their region, but they usually wouldn’t know where covert, elite units such as the US Army Rangers operate. If a series of geotagged images can be plotted on a map to reveal a route, and their timestamps ordered to reveal a timeline, the implications are chilling.
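To make the metadata point concrete, here is an added example, not code from the original post or from the Robin Sage research, that reads the GPS tags out of a JPEG's EXIF block in pure Python and then strips the block before the file is shared. The sample "photo" is constructed inside the code (a stub holding only an EXIF segment, not a decodable picture) and the coordinates are made up; tag numbers and the TIFF layout follow the EXIF specification.

```python
import struct

# Tag numbers from the EXIF/TIFF specification.
TAG_GPS_IFD = 0x8825          # in IFD0: offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _segments(jpeg):
    """Walk the JPEG marker segments; yield (marker, start, end) byte spans."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI, or SOS: entropy-coded data follows
            yield marker, pos, len(jpeg)
            return
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + seglen
        pos += 2 + seglen


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"


def _gps_from_tiff(tiff):
    """Parse the TIFF structure inside an EXIF APP1 payload; return (lat, lon) or None."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]

    def entries(off):
        n = struct.unpack(endian + "H", tiff[off:off + 2])[0]
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
            yield tag, typ, count, tiff[e + 8:e + 12]

    gps_off = None
    for tag, typ, count, val in entries(ifd0):
        if tag == TAG_GPS_IFD:
            gps_off = struct.unpack(endian + "I", val)[0]
    if gps_off is None:
        return None

    fields = {}
    for tag, typ, count, val in entries(gps_off):
        if typ == TYPE_ASCII and count <= 4:        # short strings are stored inline
            fields[tag] = val[:count].rstrip(b"\0").decode("ascii")
        elif typ == TYPE_RATIONAL:                  # 8-byte num/den pairs at an offset
            off = struct.unpack(endian + "I", val)[0]
            pairs = [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
                     for i in range(count)]
            fields[tag] = [n / d for n, d in pairs]
    if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON}.issubset(fields):
        return None

    def to_degrees(dms, ref):
        deg = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -deg if ref in ("S", "W") else deg

    return (to_degrees(fields[GPS_LAT], fields[GPS_LAT_REF]),
            to_degrees(fields[GPS_LON], fields[GPS_LON_REF]))


def read_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if there are no GPS tags."""
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return _gps_from_tiff(jpeg[start + 10:end])
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every EXIF APP1 segment removed; pixels untouched."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed fixture: SOI + EXIF APP1 (GPS tags only) + EOI. Not a real picture."""
    def entry(tag, typ, count, value4):
        return struct.pack(">HHI", tag, typ, count) + value4

    def rationals(dms):                         # degrees, minutes, seconds as num/den
        d, m, s = dms
        return struct.pack(">IIIIII", d, 1, m, 1, int(round(s * 1000)), 1000)

    ifd0 = 8                                    # right after the 8-byte TIFF header
    gps_ifd = ifd0 + 2 + 12 * 1 + 4             # 1 entry + next-IFD pointer
    lat_data = gps_ifd + 2 + 12 * 4 + 4         # 4 entries + next-IFD pointer
    lon_data = lat_data + 3 * 8                 # three RATIONALs per coordinate
    tiff = (b"MM" + struct.pack(">HI", 0x2A, ifd0)
            + struct.pack(">H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_ifd))
            + struct.pack(">I", 0)
            + struct.pack(">H", 4)
            + entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
            + entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", lat_data))
            + entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
            + entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(">I", lon_data))
            + struct.pack(">I", 0)
            + rationals(lat_dms) + rationals(lon_dms))
    assert len(tiff) == lon_data + 24
    payload = b"Exif\0\0" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2)
            + payload + b"\xff\xd9")


if __name__ == "__main__":
    # Made-up coordinates for the demo; nothing here comes from a real photo.
    photo = build_sample_jpeg((34, 31, 12.3), "N", (69, 10, 0.5), "E")
    print("before:", read_gps(photo))               # (34.52..., 69.16...)
    print("after: ", read_gps(strip_exif(photo)))   # None
```

Two things worth noting. The parser only chases the GPS sub-IFD, so a real file's camera model, timestamp and thumbnail are read past without complaint; a full tool would report those too, since the date and time alone give away a deployment window. And `strip_exif` drops the whole APP1 segment rather than editing individual tags, which is the safer choice: there is no way to leave behind a pointer to data that is no longer there.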

Ryan took some trouble to create a Twitter account some months ago (cached page) and a Blogger account. Robin Sage is the name of the final training exercise before a Green Beret is awarded. He left a few obvious flaws in her profile, such as a 10-year working history for someone who was 25 years old. The attractive photo undoubtedly eased her ability to gain connections, including some who worked at the very facility where she supposedly worked!

A few weeks ago the US and Russia swapped some spies. The Russians caught in the US included some who had faked their profiles (Yahoo News).

Phishing

According to another article, in the military publication Armed with Science, Ryan obtained enough information from one of the connections to be able to answer the security questions for that person’s bank account, such as “what was my first car?”.

Scary, if your online trail includes your mother’s maiden name (think of genealogy data) and other data that is commonly used to answer security questions. Just because your social network is discussing pets, think before revealing your first pet’s name (particularly if you are using a real name). A security question is only as secret as its answer, so treat the answer like a password: pick something unrelated to the question where the site allows it, and don’t reuse it across sites.

The Evil Twin

Speaking of real names, it is possible for a real person to be impersonated by another. This is known as the “evil twin” attack, and people who are not active online are particularly vulnerable, because there is no genuine profile for their friends to compare the fake against. Think of everybody you know who knows your date of birth, mother’s maiden name, names of teachers, etc. Other than family, this would include your classmates. Some of them might have photographs of you that can be used to beef up a fake profile. By searching online, it is easy to find references to the victim such as hobbies, sports teams followed, home address, etc. Once the evil twin connects with the friends of the victim using a network such as Facebook, additional connections will come unsolicited, once friends of friends assume they are connecting with someone they know.

Fake Profiles in LinkedIn

There are many types of fake LinkedIn profiles:

  • Still Working at Old Company. This is the most common type of error by omission and is usually someone who was terminated and has merely forgotten to update their listing. It might be deliberate amnesia, as it is said to be easier to be hired while still in a job. Fair enough. Sometimes it is someone who lost their password, or who thought that their old work email was their login name and would no longer work. I know someone who is on their third LinkedIn profile for this reason.
  • Right Company, Wrong Location. Some business names are used by several legal, unrelated entities. Some might be in a different country. Someone claiming to work for Acme might be working for a different Acme. No problem here. All legit.
  • Lead Generation. Take a look at the LinkedIn discussion groups relating to IT topics and watch the people who post items that lead to their own or a client’s website, then read their profiles. I have noted at least two whose profiles and connections suggest that they are Indian SEOs, but their names are those of well-known movie stars. I reported one to LinkedIn customer support, but they could see nothing wrong. Such profiles are disposable accounts, usually made from a disposable email address. If LinkedIn boots them out, no problem: just activate another fake profile.
  • Some Wider Agenda. Good social engineers take pains to build numerous fake profiles and keep them mildly active for several years. Sometimes, these fake people have other fake people as their connections, so they look realistic. These fake people periodically leave their trail on the web by going to regular forums related to their purported interests, to make it even more believable. Such profiles need not have a malicious intent other than to fool search engines and improve the ranking of some website or websites. Some of these are used to seed forum posts, make directory submissions — all the usual SEO tasks.
  • Jobseekers. Some profiles belong to real people, but their work history might be embellished. Faking a resume isn’t new, but recruiters are increasingly turning to Google to search specific sites for candidates. Adding a few keywords will improve a candidate’s chances of getting to the shortlist. After that point, the risk of being found out increases, particularly after securing the job.
  • Others. People can have any number of other motives to fake their profiles – kids wanting to enter adult websites, impress someone, whatever.

The conclusion is obvious. If you have an account at a social networking site, don’t accept a connection just because someone asked for it. Their profile might be fake, so confirm the request through a channel you already trust (a phone number or address you had before the request arrived) rather than through the profile itself. If you work for someone important and they don’t have a social networking account, then get their permission for you to reserve one in their name at all the usual sites. No need to embellish it.

Ash Nallawalla

Search strategist experienced in large, complex websites.
