September 3, 2014 By Alex Karlinsky

Social networks provide rich opportunities for making new friends, sharing interests with others and even finding romance. Popular networks such as Twitter and Facebook facilitate interactions between hundreds of millions of users. They play an increasingly important role in shaping the way we socialize, but many do not realize that there are real and present dangers around them.

Social media sites generate revenue from targeted advertising that is personalized for each user based on geolocation, demographics, interests and more. As such, social networks encourage users to share as much information as possible. Because of this, users happily post information about the places they visit, the people they hang out with and other personal information. They also use various applications and social games to further their information sharing.

The more active the user is, the more value he or she adds to the social network and its advertisers. Since social networks want users to share more information, they make it difficult for users to set their privacy settings (which limit information sharing). As a result, most users do not take the time to optimize their privacy settings and leave the default settings on, ignoring the hazards that come with sharing private information online; they fail to realize that their personal information quickly becomes available not just to their friends and family, but also to fraudsters who abuse the information for malicious purposes. It’s easy to forget that the information we share and the trust we build with our network is exactly what cybercriminals are after.

Constantly in search of new ways to make money, cybercriminals have found ways to monetize data available on social networks. These methods take advantage of personal information shared by users, compromised social media accounts and abuse of user trust relationships. Here is a closer look at the ways cybercriminals monetize information obtained from these networks.

Exploiting Personally Identifiable Information Harvested From Social Networks

There is an enormous amount of personal information available on social networks. On the user profile pages alone, information about the user’s date of birth, relationship status, location, schools attended and place of work is often displayed. By further researching connections and posts, it is easy to figure out family relationships, friend circles, main interests, hobbies and much more.

Cybercriminals are harvesting this information in order to obtain answers to security questions used to verify the user’s identity when attempting to log in to sensitive services such as online banking sites. With a bit of research, a fraudster can find out someone’s mother’s maiden name, the name of their favorite pet and their childhood nickname. The fraudster will then use this information to pass security questions, impersonate the victim, gain access to the victim’s banking and e-commerce accounts and execute fraudulent actions.
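The exposure described above can be checked from the account holder's side. The following is an added example, not part of the original article: it flags security-question answers that also appear in a user's own public profile data. The field names, sample profile and answers are constructed for illustration.

```python
import re
import unicodedata

def normalize(text):
    """Lower-case, strip accents and punctuation so "O'Neil" matches "oneil"."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()

def audit_answers(answers, profile):
    """Return {question: profile_field} for each answer whose words all
    appear together in a single publicly visible profile value."""
    findings = {}
    for question, answer in answers.items():
        words = set(normalize(answer).split())
        if not words:
            continue
        for field, values in profile.items():
            if any(words <= set(normalize(v).split()) for v in values):
                findings[question] = field
                break
    return findings

# Constructed sample: what a profile shows publicly (hypothetical fields).
PROFILE = {
    "family": ["Mary O'Neil", "Tom Reyes"],
    "posts": ["Happy 5th birthday to our dog Biscuit!",
              "Reunion at Lincoln High School"],
    "about": ["Born 12 March 1985", "Lives in Austin"],
}

# Constructed sample: the same user's security-question answers.
ANSWERS = {
    "mother's maiden name": "O'Neil",
    "favorite pet": "biscuit",
    "childhood nickname": "Sparky",
    "high school": "Lincoln High",
}

if __name__ == "__main__":
    for question, field in audit_answers(ANSWERS, PROFILE).items():
        print(f"'{question}' is answerable from public '{field}' data")
```

Any question the audit flags should be given an answer unrelated to the facts shown on the profile, or the exposing field should be restricted in the privacy settings.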

This type of personally identifiable information (PII) harvesting doesn’t require any sophistication or special tools from the fraudster. However, today’s developed and mature underground provides fraudsters with plenty of methods and tools that can be used to automate the task. Furthermore, fraudsters can easily find suppliers that facilitate PII harvesting and sell complete user profiles. As e-commerce and other paid online services harden their security procedures, cybercrime vendors who specialize in harvesting PII are highly sought-after in the fraudster underground. There is a complete industry that revolves around trading private information.

The screenshot below shows an example of an underground vendor offering a free sample of the harvested data available for purchase, including the person’s credit card information, Social Security number and PayPal password.

Figure 1: A sample of personal information available for sale on the underground.

Obtaining Social Network Payments Settings

Another way cybercriminals and fraudsters can monetize information available on social networks is by targeting payment information that may be stored on user profiles. To monetize the payment information, fraudsters use compromised account login credentials that can be obtained through common phishing or malware attacks, and malicious social applications.

Payment settings on these networks allow users to initiate in-app purchases directly from social media applications and games. For example, a user may be interested in purchasing extra moves in a game or purchasing accessories for an avatar. Payment settings are also needed to purchase social network advertising. Advertisers are fans of social networks because they enable them to target a relevant audience based on geolocation, demographics and more.

Figure 2: Facebook payment settings.

Figure 3: An example of an in-app purchase.

Knowing that payment settings are enabled for many user accounts, fraudsters are constantly in search of social media account credentials. Compromised user credentials allow the fraudster to gain full control over the victim’s social media account. Once the fraudster has control over the account, a malicious application can be installed. Such an application will forcefully create in-app purchases directing money to the fraudster’s account.

However, fraudsters aren’t limited to compromised accounts. They can also spread such malicious applications by creating ad campaigns and encouraging users to enable the malicious application on their account.

Abusing Business-Consumer Trust Relationships via Fan Pages

Social media changes the way consumers think and react to products, services and everyday life. Engaging with consumers online helps build trust and drives business and product success. Therefore, it is essential for businesses to stay engaged with their consumers over social media fan pages.

Aware that brands are building trusting relationships over social media fan pages, cybercriminals are looking for ways to exploit this trust for their needs. Compromising trusted fan pages enables cybercriminals to reach hundreds and thousands of consumers at once. Over the past few months, we have seen a rising trend in fraudster underground forums discussing ways to compromise and gain control over trusted social media pages. Some of these discussions offer credentials to social media accounts that are promised to provide control over trusted fan pages.

Below are some examples of these discussions in bulletin boards operated by fraudsters:

Figure 4: A fraudster selling credentials of a victim in control of a Facebook fan page with 20,000 likes.

Figure 5: A fraudster seeking to buy a fan page with many likes for the budget of $50-$100.

Once a cybercriminal gains control over a public brand’s social network presence, it is easy to lure consumers to phishing sites, where they will be asked to submit their credentials. For example, if a consumer visits a compromised fan page of a bank and clicks on a phishing link, the consumer can be routed to a fake login website where he or she will provide his or her bank account details to the cybercriminal. The cybercriminal can then sell the information to other fraudsters or use this information to commit fraud.

Another option is to lure consumers to exploit sites or convince visitors to download malware to their endpoints. A compromised endpoint infected with advanced malware not only allows the attacker to gain further access to information on the endpoint itself, but also opens up a variety of potential cybercrime vectors that enable attackers to offer their botnet for distributed denial-of-service activities or as proxy addresses.

In today’s fast-paced world of social media, it’s easy to forget that the information we share online with our friends, family and business contacts is highly sought-after by fraudsters. Various methods are used to monetize information shared online, the user accounts used for sharing information and the trusted relationships between advertisers and consumers. The success of current monetization methods will drive fraudsters to perfect and hone their current tools and skills and come up with more innovative schemes to exploit social networks and the information shared on them.
