According to the Identity Theft Resource Center, the hijacking of social media accounts has reached epidemic proportions in the past 12 months.
The nonprofit, which provides assistance to victims of identity theft, revealed in its 2022 Consumer Impact Report that social media account takeovers increased 1,000% during this period.
In a survey of consumers, ITRC found that 85% had their Instagram account compromised, while 25% had their Facebook account hijacked.
The report also found that 70% of victims of account hijacking were permanently locked out of their social media accounts and that 71% had friends who were contacted by the hackers who had compromised their accounts.
It may be easy to dismiss this type of identity crime as merely an inconvenience, but it can have profound financial and emotional effects on people, the report said.
For example, 27% of account hijacking victims told the ITRC that they would lose sales revenue when they lost control of their social media.
“For some people, where social media is a communication platform for family and friends, losing access can range from an annoyance to a heartbreaking one,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk prevention in Tel Aviv, Israel.
“For others, where they are making money from Instagram, YouTube or TikTok, losing their account could mean a huge loss to their income,” he told TechNewsWorld.
Abuse of Trust
Among the biggest assets for any type of phishing attack is a “trusted” channel of communication, observed John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations firm based in San Jose, Calif.
“If I get a phishing email from Citibank, I know I can ignore it because I don’t bank there,” he told TechNewsWorld. “If you are using a social media account to attack your victim’s contacts, they are already a precondition for your message to be considered valid.”
“We trust the people who message us on social media,” said Paul Bischoff, a privacy advocate at Comparitech, a review, advice and information website for consumer protection products.
“If I get a message from my mom, I’m going to trust it completely,” he told TechNewsWorld. “If someone takes over her social media account, it won’t be difficult for them to trick me into sending them money, my Social Security number, or my account password.”
“By abusing such a trusting relationship,” he said, “account takeover can spread and make it difficult for victims to trace, for example, a phishing email.”
Popularity Breeds Hackers
According to Matt Pollack, CEO and founder of Picnic Corporation, a social engineering security company in Washington, D.C., the account owner is not the only victim of account hijacking.
“By impersonating the actual owner of the account, a bad actor can create posts or send private messages that fool contacts into doing something they otherwise wouldn’t, such as clicking on malicious links, providing credit card information or handing over their credentials – which could lead to further account compromise – or depositing money into the attacker’s account,” he told TechNewsWorld.
“Therefore, the acquisition of a social media account can be harmful not only to the person whose identity is being impersonated, but also to those who may be targeted by the perpetrator using the account,” he said.
The popularity of social media has made it a target of web predators, maintained Roger Grimes, a data-driven defense evangelist with KnowBe4, a security awareness training provider in Clearwater, Fla. “Anything that becomes popular gets hacked,” he told TechNewsWorld. “This has been true since the beginning of computers and is equally true today.”
“It is therefore important that we create a personal and organizational culture of healthy skepticism, where everyone is taught how to recognize the signs of a social engineering attack – whether it is email, the web, social media, SMS messages, or phone calls – and it does not matter by whom it appears to have been sent,” he said.
Strong Authentication Required
Some of the blame for account hijacking can be placed on social media operators, maintained Matt Chiodi, chief trust officer of Cerby, maker of a platform to manage shadow IT in San Francisco.
“No major social media platform provides strong authentication options to its billions of users,” he told TechNewsWorld. “This is unacceptable for tools that are widely used by consumers and are critical to enterprises and democracy.”
“These ‘unmanageable applications’ do not support security standards, such as single sign-on or automatic user creation and deletion through a standard called SCIM,” he said. “These two standards are the bread and butter of securing the crown jewel applications of many enterprises. But none of them are supported, and are the main reason criminals go behind social accounts.”
The ITRC also reported a slight drop in the number of repeat victims of identity theft. In 2022, 26% of surveyed victims said they had been a victim before, compared to 29% in 2021.
Carmit Yadin, founder and CEO of DeviceTotal, a maker of a risk management platform for non-agentable devices in Tel Aviv, Israel, said awareness could be one reason for that decline.
“When someone gets hacked, he takes it seriously,” she told TechNewsWorld. “He’ll learn and know what not to do next.”
“Before he was hacked,” she continued, “he may have heard of these attacks, but was not aware of their consequences.”
Difficult to Find a Target?
Another possible reason for the decline was offered by Angel Grant, vice president of security at F5, a multi-cloud application services and security company in Seattle. “Victims of identity theft often feel unfairly ashamed and embarrassed that they have done something wrong,” he told TechNewsWorld. “Because of this, they often don’t report being affected.”
The decline could also be a sign that identity thieves are finding that easy targets are harder to find and new ones may be harder to obtain, suggested Ray Stein, CSO of Mainspring, a provider of IT managed services in Frederick, Md.
“After being the victim of an identity attack, victims often clean up their digital footprint and adopt better security practices,” he told TechNewsWorld.
“In this light, the 3% reduction in victims is not as encouraging as it might first seem,” he said. “I would expect big improvement.”
“Unfortunately,” he said, “cyber actors take at least one step forward for every step their victims take towards better security, and they are constantly developing new methods of attack.”