Online identity theft: Who's after my Facebook password?


Identity is best defined as a set of individual characteristics by which a person is recognized or known. The online world, however, has to rely on other elements of identity authentication. That most often is a login and password pair, and stealing an online identity boils down to stealing a login/password pair.

Though the methods and strategies of ID thieves have been widely studied (plain phishing, spear phishing, phisher worms, client-side Trojaning, etc.), the questions of "who" and "why" remain largely ignored; that is, who is after online identities, and what for?

For instance, few people are aware that bank phishers usually don't personally siphon accounts they have stolen. They merely sell them to people who know how to turn a virtual nest egg into cash: money launderers.

Interestingly, the price of authentication credentials for a stolen online banking account often does not reflect the balance in that account. Indeed, accounts holding balances of nearly $200,000 have been sold for a mere $300. A buyer who successfully cashes out the whole balance therefore recoups around 500 times the investment. That outstanding return says much about the risks and difficulties involved in actually laundering the money. It is definitely not a job for the kid next door, but rather for a professional money launderer or a crime syndicate.

But what about social networking site accounts? When confronted with a social networking site worm (a phisher worm), the intent of which is to harvest as many accounts as possible, some users are left wondering: "What is the point?" The answer typically is that the underlying goal is simply to make money by spraying spam over the profiles of hijacked users' friends -- a strategy that could fairly be deemed "Spam 2.0".

Not only is this new form of spam starting to invade places where users are not expecting to see it (hence they are more likely to "click" than in the case of mail-based spam), but it also resorts to advanced social engineering to drive click-through rates to sky-high levels. Indeed, ads are disguised, in a very cunning way, as comments posted on users' profiles (usually by friends who had their account phished). Until very recently, Facebook seemed relatively immune to this phenomenon, perhaps because profiles are not public, which limits the potential audience of an ad-clogged profile.

While this is still limited in volume, the Facebook situation could change, with accounts bearing enormous numbers of friends becoming a place of choice for spammers to post bulk messages and generate considerable amounts of money via affiliate programs. Facebook is a tool for online marketers, whether they are legitimate (call them "application developers") or rogue (call them "spammers" or "phishers"). Indeed, the granularity of the marketing segmentation it allows for is probably the best in the social networking site world.

The question remains: what prevents cyber criminals from redirecting users to a malicious site? And couldn't the information sitting in the private sections of user profiles be of some use for industrial spies, blackmailers or child predators?
