BusinessWeek.com reports that cyberscammers have taken to trolling for victims on social-networking sites such as Facebook and LinkedIn. “Many [criminals] have now moved to computer networks,” said Shawn Henry, assistant director of the FBI’s Cyber Investigations division, “because that’s where the victims have moved and, therefore, the opportunities.”
Email remains the scam artist’s favorite tool, but the FBI and the National White Collar Crime Center report that criminals are increasingly turning to social networks and other websites to ply their trade. Internet crime in the U.S. rose 21 percent last year, according to those agencies, costing victims $239 million. In 32.7 percent of those cases, the victim was initially contacted through a web page. In 2005, only 16.5 percent of the victims reporting an online crime were contacted that way.
The BusinessWeek.com story recounts the experience of an Australian citizen named Karina Wells, who received a message on Facebook from someone posing as her real-life friend Adrian. “Adrian” claimed he was stranded in Lagos, Nigeria, without access to a telephone and that he needed Karina to wire him $500 for a plane ticket home. He even chatted with Karina in real time, using Facebook’s chat service.
Wells got suspicious and alerted both Australian authorities and Facebook; each organization initiated an investigation into the matter. Facebook officials assume that the criminal obtained Adrian’s log-in ID and password through a phishing scheme. “There’s an implied sense of trust [with social networks],” said the FBI’s Henry, “and there’s not the sense that we can be physically harmed.”
It’s relatively easy to trick even the security savvy, as two online security consultants recently demonstrated. Shawn Moyer of Fishnet Security and Nathan Hamiel of Idea Information Security posed as another consultant, Marcus Ranum, who garnered fame for building the White House’s first email server. Using Ranum’s name, resume, and photo, Moyer and Hamiel established connections on LinkedIn with security officers and chief information officers at large companies, the editor-in-chief of a security trade magazine, and other people Ranum might actually know.
The pair had no trouble getting people—even those victims who should have been the most security conscious—to accept “connect” requests from the fake Ranum; and the more professional connections they established, the more legit they appeared to the next target.
Most social networking sites prohibit users from posing as someone else, but that won’t go far to deter a criminal bent on committing fraud. And while Moyer admits it would be difficult for sites such as LinkedIn to prevent experiments such as the one he and Hamiel tried using Ranum’s identity, he does believe they could take measures to authenticate their users.
Read the entire story at BusinessWeek.com.