Cybercrime writer Deb Shinder looks at the criminal opportunities that social networks offer. It may be impractical not to participate, so good security practices are a must.
Social networking is all the rage these days; it may have started out as a venue for young people (Facebook began as a service restricted to college students) but now people of all ages engage in social networking on a regular basis. Busy business people join groups on LinkedIn to stay in touch with what's going on in their industries. IT professionals exchange technical talk on Google+. Grandmas check in at the local grocery store on Foursquare. Teenagers tweet about their latest crushes. Everyone from 13 to 103 seems to have a Facebook account.
It should come as no surprise that criminals roam the social sites, too, like predatory animals looking for the weakest members of the herd on which to prey. But just how big is the problem? Does it mean you should shun the opportunity to socialize online altogether, or that companies should prohibit the use of social media on their networks? What types of illegal activities are most prevalent in the social arena? How can you protect yourself and your organization from being victimized if you do decide to venture into the social networking waters? Those are some of the questions we'll look at in this article.
"Bane of society"
Some law enforcement officials seem to be blaming the venue, rather than the criminals who misuse it. Last month, a police chief in Maine called Facebook "the real bane of society," saying that it was responsible for a flood of complaints in his town about Internet-based crimes. It makes one wonder whether there was a time when the police blamed the advent of the telephone for the crime of telephone harassment.
Another factor to consider is that many or most of the criminal complaints mentioned in the article were related to the offense of "cyberbullying." Anyone who ever attended school knows that children have been bullying other children since long before the Internet came along. However, until recently it wasn't considered a matter for the police. Right or wrong, schools and parents handled such incidents privately without getting the government involved.
Over the past few years, many U.S. states have passed legislation that makes bullying a criminal offense. For example, in the 2011 session Texas passed HB 1942, which expands the definition of bullying and mandates programs for prevention, identification, reporting of and response to bullying. There is a watchdog organization called BullyPolice that advocates for anti-bullying laws and rates the states on their legislation. Ironically, this trend - which encompasses legislation dealing with both cyberbullying and its "real world" predecessor - was almost certainly driven by groups and individuals who organized and lobbied for these new laws via the Internet - the very medium that some now blame for the problem.
Do social networks make people mean?
A recent Pew study yielded interesting and controversial results, suggesting that when it comes to teenagers, social networking encourages them to be nicer to friends but rude to strangers and mere acquaintances. There were some significant differences between different races, social classes, and genders of the bullies (but no significant differences in those areas among the victims).
The study of online behavior has become popular among psychologists and sociologists, spawning the new field of cyberpsychology. Most of us know people who do and say things online that they would never do or say in real-life interactions. This doesn't always reach the level of criminality, of course. However, the physical separation involved in online communications, as well as the (illusion of) anonymity, can result in a lowering of inhibitions in some ways akin to what happens when people drink too much alcohol. If the criminal tendencies or mindset are there, being in the online environment seems to enable bad behavior that might otherwise be suppressed.
Violent or threatening behavior on social sites
Although it's getting most of the attention, bullying isn't the only criminal activity that's associated with or observed in social media venues. Other social network-related crimes that border on violence include stalking and harassment. There have always been disturbed persons who become obsessed with other people, either in the name of "love" or out of vengeance over some perceived wrong (and sometimes both) and are unable or unwilling to let go of those emotions. Following or pressing unwanted communications on the object of one's feelings can cross the line drawn by the law.
The Internet in general, and social networks in particular, make it much easier for a stalker to find a victim who has moved away or taken steps to avoid him/her. In the "real world," it takes more effort to track down a person who's left, and confronting him/her in person is logistically more difficult and involves more risk (of arrest or of defensive actions on the part of the victim). Through social networks, a stalker never has to leave the comfort of home, and it's easy to worm one's way into another's "friends" list through mutual friends or by creating accounts under false names.
But virtual crimes of passion aren't confined to those with whom the assailant has a pre-existing relationship. Verbal assaults on strangers are common online - so common that there's a special name for it: flaming. The term has been around since the earliest days of the Internet. Online discussions often involve controversial subjects such as politics, sex, religion, money and other "hot topics." People have strong opinions on these matters, and many take disagreements personally. Conversations devolve into profanity and name-calling. And sometimes merely obnoxious behavior turns into an illegal act when physical threats are made.
Once upon a time, most of these types of conversations took place on email discussion lists or Usenet groups, where members tended to get to know one another over time (although there were always newbies or "trolls" who joined, stirred things up, and then left). Today's social networks provide a somewhat different atmosphere. In some ways, discussions are generally far more civilized now. This is probably due, at least in part, to the fact that today's popular social sites tend to require, as part of the Terms of Service agreement, that users provide their real names. There's more accountability, and since many social network users have Grandma, Uncle Bill, and Pastor Bob as their friends, they may be less likely to go off on wild tangents.
On the other hand, the social sites also exist to provide opportunities for "networking" - meeting new people - and you often see comments on friends' posts from friends of theirs you don't know. It's easy to see these as "not really people" but rather just some sort of online entities, and thus you may find yourself in heated discussions with them. Because you don't really know them, you don't know whether they're the type who just loves lively debate, or people who will escalate to threatening behavior or even accuse you of making illegal threats against them when you didn't. You should never assume that "the friend of my friend is my friend."
Criminals follow the money
While online behaviors that can lead to real-world violence are the most concerning, social sites also pave the way for other crimes, many of which are money-related. Fraudsters who once relied on mass email mailings to suck in victims now roam the social networks, offering their "friendship" to whoever will accept. Once they get into your "inner circle," they look for ways to take your money. They might send you relatively benign messages pushing their services or products, or urging you to invest in some "great deal" that's made them a lot of money, or they might concoct made-up stories about needing surgery or their homes being destroyed by fire and ask for "donations." Because it's coming from a "friend," people are less likely to see such messages as the spam or scams that they are, and so they take out their wallets.
Some thieves are more brazen. They use the social sites to figure out where a potential victim lives (if you've revealed your city/state and you own your home, they can go to the property tax appraisal district's web site and search for your name to find out your address). Then they monitor the person's status updates, location check-ins, etc., and when they know the whole family is out of the house, they burglarize it. They might already know what "good stuff" you have and where to find it from pictures and posts you've made online.
Others use the information they find out about you through the social network to steal your identity and track down your social security number, driver's license number and other information that they can then use to set up credit accounts or make financial transactions in your name. Or they might pose as you to target your friends for their scams, and be able to do a convincing job of imitating you online because they know - from what you've shared on the social sites - what you look like, where you went to school, your religious and political views, your favorite things, your likes and dislikes, and other information that can make them credible when contacting your friends to make their pitch for the latest con game.
Social sites as malware distribution channels
Criminals also use social networks to distribute malware - viruses, spyware, and other malicious code that can be used to crash computers, bring down networks, "phone home" with personal information, and so forth. While some of these crimes are money-motivated, others are designed just to disrupt communications, create havoc, or cause inconvenience to the victims. The criminals create fake profiles on the social sites and post links that lead to web sites where the malware is downloaded to the unsuspecting user's computer.
Thanks to the growing sophistication of social sites, criminals can make use of all the new features just as legitimate users do, using links embedded in status updates and private messages, or creating third-party apps or games for the site that deliver the malware.
Just as they did with email spam, criminals take advantage of special events or what's in the news to persuade victims to click links they otherwise wouldn't. For example, last spring the news of Osama bin Laden's death spurred a flurry of malware that targeted users of social networking sites.
Protecting against social cybercriminals
The obvious answer to this problem might be to avoid social networking altogether, and some computer users have done just that. However, the social sites offer many benefits that traditional Internet communications don't, and are increasingly becoming the standard method for keeping in touch with friends and family members and communicating with business colleagues. There are ways to make social networking less risky, including:
- Check security settings. Make sure your account is configured according to best security practices. Limit who can see your posts to friends only, or use public posting only for select items that don't contain personal information.
- Check security settings again. This is not a "set it and forget it" matter. The social sites often "upgrade" their features and when they do, the default settings may be reset to a more open configuration. Check your security settings often to ensure that you're not sharing more than you think you are.
- Be selective about who you friend. Don't accept every friend request that comes along. Being the "most popular" is less important than being safe. Friend only people you know outside of the social network, in "real life" or through established online relationships. Don't assume that just because you have a mutual friend, a person is "vouched for." Your mutual friend could be one of those folks who accept every friend request.
- Don't click suspicious links in status updates and private messages. Just because a link appears to have been posted by a friend, that doesn't make it safe. The friend might have posted it without knowing it leads to a dangerous web site, or might have been infected by malware and not have intentionally posted it at all.
- Companies should restrict social network access to sites that have real business benefits and allow those users who have a legitimate need to access them.
- Business users should review these Seven Deadly Sins of Social Network Security and make sure they aren't making any of the described mistakes.