
Online identity theft: Who’s after my Facebook password?

Identity is best defined as a set of individual characteristics by which a person is recognized or known. The online world, however, has to rely on other elements to authenticate an identity. Most often that is a login and password pair, so stealing an online identity boils down to stealing a login/password pair.

Though the methods and strategies of ID thieves have been widely studied (plain phishing, spear phishing, phisher worms, client-side Trojaning, etc.), the questions of "who" and "why" remain largely ignored; that is, who is after online identities, and what for?

For instance, few people are aware that bank phishers usually don't personally siphon accounts they have stolen. They merely sell them to people who know how to turn a virtual nest egg into cash: money launderers.

Interestingly, the price of the authentication credentials for a stolen online banking account often does not reflect the balance of that account. Indeed, accounts holding balances of nearly $200,000 have been sold for a mere $300. A buyer who successfully cashes out the whole balance therefore recoups several hundred times the investment. That outstanding return says much about the risks and difficulties involved in actually laundering the money. It is definitely not a job for the kid next door, but rather for a professional money launderer or a crime syndicate.

But what about social networking site accounts? When confronted with a social networking site worm (a phisher worm), the intent of which is to harvest as many accounts as possible, some users are left wondering: "What is the point?" The answer typically is that the underlying goal is simply to make money by spraying spam over the profiles of the hijacked users' friends -- a strategy that could fairly be deemed "Spam 2.0".

Not only is this new form of spam starting to invade places where users do not expect to see it (and hence are more likely to "click" than in the case of mail-based spam), but it also resorts to advanced social engineering to drive click-through rates to sky-high levels. Indeed, ads are disguised, in a very cunning way, as comments posted on users' profiles, usually by friends whose accounts have been phished. Until very recently Facebook seemed relatively immune to this phenomenon, perhaps because profiles are not public, which limits the potential audience of an ad-clogged profile.

While this is still limited in volume, the Facebook situation could change, with accounts bearing enormous numbers of friends becoming a place of choice for spammers to post bulk messages and generate considerable amounts of money via affiliate programs. Facebook is a tool for online marketers, whether they are legitimate (call them "application developers") or rogue (call them "spammers or phishers"). Indeed, the granularity of marketing segmentation it allows is probably the best in the social networking site world.

The question remains: what prevents cyber criminals from redirecting users to a malicious site? And couldn't the information sitting in the private sections of user profiles be of some use for industrial spies, blackmailers or child predators?
