Social networks provide rich opportunities for making new friends, sharing interests with others and even finding romance. Popular networks such as Twitter and Facebook facilitate interactions between hundreds of millions of users. They play an increasingly important role in shaping the way we socialize, but many do not realize that there are real and present dangers around them.

Social media sites generate revenue from targeted advertising that is personalized for each user based on geolocation, demographics, interests and more. As such, social networks encourage users to share as much information as possible. Because of this, users happily post information about the places they visit, the people they hang out with and other personal information. They also use various applications and social games to further their information sharing.

The more active the user is, the more value he or she adds to the social network and its advertisers. Since social networks want users to share more information, they make it difficult for users to adjust the privacy settings that limit information sharing. As a result, most users do not take the time to optimize their privacy settings and leave the defaults on, ignoring the hazards that come with sharing private information online. They fail to realize that their personal information quickly becomes available not just to their friends and family, but also to fraudsters who abuse it for malicious purposes. It’s easy to forget that the information we share and the trust we build with our network is exactly what cybercriminals are after.

Constantly in search of new ways to make money, cybercriminals have found ways to monetize data available on social networks. These methods take advantage of personal information shared by users, compromised social media accounts and abuse of user trust relationships. Here is a closer look at the ways cybercriminals monetize information obtained from these networks.

Exploiting Personally Identifiable Information Harvested From Social Networks

There is an enormous amount of personal information available on social networks. On the user profile pages alone, information about the user’s date of birth, relationship status, location, schools attended and place of work is often displayed. By further researching connections and posts, it is easy to figure out family relationships, friend circles, main interests, hobbies and much more.

Cybercriminals are harvesting this information in order to obtain answers to security questions used to verify the user’s identity when attempting to log in to sensitive services such as online banking sites. With a bit of research, a fraudster can find out someone’s mother’s maiden name, the name of their favorite pet and their childhood nickname. The fraudster will then use this information to pass security questions, impersonate the victim, gain access to the victim’s banking and e-commerce accounts and execute fraudulent actions.

This type of personally identifiable information (PII) harvesting requires no sophistication or special tools on the fraudster’s part. However, today’s developed and mature underground provides fraudsters with plenty of methods and tools that automate the task. Furthermore, fraudsters can easily find suppliers who facilitate PII harvesting and sell complete user profiles. As e-commerce and other paid online services harden their security procedures, the cybercrime vendors who specialize in harvesting PII are highly sought-after in the fraudster underground. A complete industry revolves around trading private information.
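The risk described above is that answers to knowledge-based security questions (mother’s maiden name, first pet, school attended) can be read straight off a public profile. The following Python script is an added example, not code from the original post: it normalizes the text of a constructed sample profile (fields and posts) and flags every security-question answer that appears in it, which is the kind of check a service could run before accepting an answer as a secret. The profile, questions and answers are all constructed sample data.

```python
"""Flag knowledge-based-authentication (KBA) answers that are visible on a public profile.

Added example with constructed sample data; not code from the original post.
"""
import re
import unicodedata


def normalize(text: str) -> str:
    """Lowercase, strip accents and punctuation, collapse whitespace.

    Makes "Fluffy!" in a post compare equal to the answer "fluffy".
    """
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def public_tokens(profile: dict) -> set:
    """Collect every normalized field, post and individual word visible on the profile."""
    tokens = set()
    for value in profile.values():
        items = value if isinstance(value, list) else [value]
        for item in items:
            norm = normalize(str(item))
            tokens.add(norm)            # whole field/post, e.g. "springfield high school"
            tokens.update(norm.split())  # individual words, e.g. "smith"
    return tokens


def exposed_answers(profile: dict, answers: dict) -> dict:
    """Return {question: reason} for every answer discoverable from the public profile."""
    tokens = public_tokens(profile)
    exposed = {}
    for question, answer in answers.items():
        norm = normalize(answer)
        if not norm:
            continue
        if norm in tokens:
            exposed[question] = "answer appears verbatim on the public profile"
        elif len(norm) >= 4 and any(norm in t for t in tokens):
            # Substring match only for answers long enough to be meaningful,
            # so a short answer like "ann" does not match inside "annual".
            exposed[question] = "answer is contained in a public profile field or post"
    return exposed


# Constructed sample profile: the sort of data the post says is on a profile page.
PROFILE = {
    "name": "Jane Doe",
    "hometown": "Springfield",
    "high_school": "Springfield High School",
    "relatives": ["Mary Smith (mother)"],
    "posts": [
        "Happy 10th birthday to Fluffy, the best dog ever!",
        "Go Springfield Tigers!",
    ],
}

# Constructed sample KBA answers; the nickname is the only one never posted publicly.
ANSWERS = {
    "Mother's maiden name?": "Smith",
    "First pet's name?": "fluffy",
    "Name of your high school?": "Springfield High School",
    "Favorite childhood nickname?": "Bumblebee",
}


if __name__ == "__main__":
    for question, reason in exposed_answers(PROFILE, ANSWERS).items():
        print(f"EXPOSED  {question:32s} {reason}")
```

Run as-is, the script reports the maiden name, pet name and school as exposed and stays silent on the nickname. A service that accepts KBA answers could apply the same check against whatever public data the user has consented to share, and refuse answers that fail it.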

The screenshot below shows an example of an underground vendor offering a free sample of the harvested data available for purchase, including the person’s credit card information, Social Security number and PayPal password.

Figure 1: A sample of personal information available for sale on the underground.

Obtaining Social Network Payments Settings

Another way cybercriminals and fraudsters can monetize information available on social networks is by targeting payment information that may be stored on user profiles. To monetize the payment information, fraudsters use compromised account login credentials, which they obtain through common phishing or malware attacks or through malicious social applications.

Payment settings on these networks allow users to initiate in-app purchases directly from social media applications and games. For example, a user may be interested in purchasing extra moves in a game or accessories for an avatar. Payment settings are also needed to purchase social network advertising. Advertisers are fans of social networks because they make it possible to target a relevant audience based on geolocation, demographics and more.

Figure 2: Facebook payment settings.

Figure 3: An example of an in-app purchase.

Knowing that payment settings are enabled for many user accounts, fraudsters are constantly in search of social media account credentials. Compromised credentials give the fraudster full control over the victim’s social media account. Once the fraudster has control over the account, a malicious application can be installed. Such an application will make in-app purchases without the victim’s consent, directing the money to the fraudster’s account.

However, fraudsters aren’t limited to compromised accounts. They can also spread such malicious applications by creating ad campaigns and encouraging users to enable the malicious application on their account.

Abusing Business-Consumer Trust Relationships via Fan Pages

Social media changes the way consumers think about and react to products, services and everyday life. Engaging with consumers online helps build trust and drives business and product success. Therefore, it is essential for businesses to stay engaged with their consumers over social media fan pages.

Aware that brands are building trusted relationships over social media fan pages, cybercriminals are looking for ways to exploit this trust for their own needs. Compromising a trusted fan page enables cybercriminals to reach hundreds or thousands of consumers at once. Over the past few months, we have seen a rising trend in fraudster underground forums of discussions about ways to compromise and gain control over trusted social media pages. Some of these discussions offer credentials for social media accounts that are claimed to provide control over trusted fan pages.

Below are some examples of these discussions on bulletin boards operated by fraudsters:

Figure 4: A fraudster selling credentials of a victim in control of a Facebook fan page with 20,000 likes.

Figure 5: A fraudster seeking to buy a fan page with many likes for the budget of $50-$100.

Once a cybercriminal gains control over a public brand’s social network presence, it is easy to lure consumers to phishing sites, where they are asked to submit their credentials. For example, if a consumer visits the compromised fan page of a bank and clicks on a phishing link, the consumer can be routed to a fake login website, where the bank account details he or she enters go directly to the cybercriminal. The cybercriminal can then sell the information to other fraudsters or use it to commit fraud.

Another option is to lure consumers to exploit sites or convince visitors to download malware onto their endpoints. An endpoint infected with advanced malware not only gives the attacker further access to the information on that endpoint, but also opens up a variety of other cybercrime vectors, such as offering the resulting botnet for distributed denial-of-service activity or as proxy addresses.

In today’s fast-paced world of social media, it’s easy to forget that the information we share online with our friends, family and business contacts is highly sought-after by fraudsters. Various methods are used to monetize information shared online, the user accounts used for sharing information and the trusted relationships between advertisers and consumers. The success of current monetization methods will drive fraudsters to perfect and hone their current tools and skills and come up with more innovative schemes to exploit social networks and the information shared on them.
