CHIPS Articles: Social Media: The Wild, Wild West of the World Wide Web

By Darcy Hotchkiss, HQMC C4, Cyber - July-September 2014
Social media has become the largest electronic collaboration tool in the history of technology and communication. Users of social media websites come from all age, gender and cultural groups and from virtually every corner of the world. In March 2014, CNN reported that Facebook and Twitter are by far the most popular sites, with Facebook claiming more than 1.2 billion active users and Twitter touting more than 240 followers.

These figures show a very robust usage of social media networking to create virtual communities, share information, generate content, and transmit personal messages. The ability for people to participate in a community and connect with others is simpler and faster than it has ever been.

Social Media Benefits and Issues

The Department of Defense (DoD) has seen value in social media in support of morale, welfare and recreation activities for troops hoping to stay connected while deployed. As a public affairs tool, there are clear advantages to using social media, but only if there is prudent management of the message in terms of the appropriateness of the information to be published and attention to force security when public affairs personnel tweet updates about a military component’s status and news.

The DoD’s biggest risks with social media are just new takes on old problems amplified by the speed of sharing information in near real-time and the ease of access to social media — sometimes resulting in loss of information, specifically, classified information.

WikiLeaks is a good example of a social media avenue that allows users to post and share new content. Unfortunately, recent high-profile cases involving documents stolen by U.S. security personnel and provided illegally to WikiLeaks and other media outlets demonstrate that the insider threat is very real, requiring the DoD to institute tighter controls to prevent data loss.

The DoD still allows access to social media from government-owned and operated networks. But how does the DoD promote and build transparency while at the same time prevent future losses of its classified information and data, which are among its most coveted assets and a matter of national security?

No matter how you define it, unauthorized or unintended data sharing via social media may very well be out of control. In an article for Computerworld, “Social networks leak your information,” Sharon Gaudin noted, “researchers at Worcester Polytechnic Institute (WPI) reported that at least 20 of the top social media sites leak some type of your private information to third party.” As it turns out, there is no better platform to share information than on social media sites.

The obvious positive aspects of the social media cyber-scenario are that Soldiers, Sailors, Marines and Airmen can connect with top brass, government leaders and public affairs officers to get and share information in near real-time. Deployed military members can also easily connect with family and friends. On the other hand, the downside is that military members without an understanding of cybersecurity can easily connect and share information with family and friends.

Social Engineering

The ease of connecting with others and building networks leads to an equally serious concern regarding social engineering, which can go something like this: “Hi, I’m ‘General So-and-So’ (but really I’m some guy or gal in West Africa pretending to be a general officer), please add me as a friend.” The general’s profile may consist of dramatic phrases designed to convince the unsuspecting. This type of scammer attempts to manipulate and exploit victims.

Tactics used by cyber criminals include preying on their target's emotions, appealing to the recipient's sense of empathy or desire for financial gain. The unsuspecting, and carefully selected, target accepts the friendship and then the clock starts ticking to a financial extortion attempt, for example. The scammer will move the conversation from Facebook to Skype or Yahoo chat and end by asking the target to wire transfer money to a bank account in a foreign country.

Social media sites are the perfect storm for a social engineering attack because they allow complete anonymity and provide plenty of targets to plunder. Instead of a technology hack, this is a people hack that requires only novice level knowledge of human behavior and access to any free social media venue. With minimal time investment, cyber criminals can yield major monetary returns.

We have seen this old scam evolve from the postman delivering phony love letters into phishing emails from a new generation of unscrupulous characters; this same scam is alive and well on virtually every social media site. So what is the “patch” for the vulnerability to curtail this activity? Social media site owners and developers are well aware of the problem and most have in place a fraud and abuse policy, and user agreements addressing fraudulent behavior and fake accounts, but as with any good policy — it is only as good as its enforcement.

Over the past four years, the U.S. Marine Corps has carefully searched for fraudulent accounts and reported them to the social media site owners that host them. The most due diligence we can possibly do is to continue to seek and deliver the evidence to site owners in hopes they will enforce their own user agreements and persistently monitor suspicious activity to help protect legitimate social media users.

So what are the social media sites doing to stop these attacks?

Facebook has been effective in combating high-profile social media fakers. And there are many.

According to the Better Business Bureau (BBB), “Fake Facebook profiles are a problem nearly as old as the social media site itself.”

Brand name products and celebrity pages are particularly prone to copies. But scammers also impersonate ordinary people in an attempt to scam their friends and family. The BBB reported that in 2013, Facebook targeted 76 million fake accounts in its “war of bogus accounts,” and according to a 2013 Business Insider article, “Overall, the total percentage of fake accounts declined from 8.7 percent to 7.2 percent.”

In whole numbers, the number of duplicate accounts went up from about 45.8 million to 52.8 million; but the total number of fake accounts (which includes abusive and misclassified accounts) declined from 83 million to 76 million over the last six months of 2013.

Facebook provides support to the DoD effort by establishing an effective mechanism to investigate and remove fakes. Facebook has acknowledged the problem with an active action plan and has provided a company representative to the U.S. government to report phony accounts to be deleted in accordance with the Facebook user agreement policy.

Google+ promotes the reporting of phony accounts by providing information on how to recognize a fake account. Google has ingeniously enlisted their users as the eyes and ears for fraudulent accounts, and then empowered them with a simple and well-established step-by-step process to report fraud.

Twitter, LinkedIn and Skype also have fraud policies, but as always, users are cautioned to use care when using any social media product. If you have questions regarding social media use, please check with your command’s security officer.

Victim Assistance

U.S. citizens and residents who have suffered a financial loss as a result of Internet fraud should contact their nearest field office of the United States Secret Service. Also, victims are advised to continue reporting scam e-mails and Internet fraud to law enforcement agencies.

If you have become a victim of social media fraud, report the theft to the Federal Trade Commission. Your report helps law enforcement officials across the United States in their investigations. Online: http://www.ftc.gov/idtheft or by phone: 1-877-ID-THEFT (438-4338) or TTY, 1-866-653-4261.

Report identity theft to the Internet Crime Complaint Center (IC3) (FBI-NW3C Partnership). Online: http://www.ic3.gov/default.aspx.

Additional Information

For DoD policy and information on how to protect your privacy on social media sites, go to the DoD Social Media Hub Education & Training website at http://www.defense.gov/socialmedia/education-and-training.aspx/.

For Department of the Navy social media policy and information, go to the DON Chief Information Officer’s website at http://www.doncio.navy.mil/TagResults.aspx?ID=114.

Darcy Hotchkiss is a HQ USMC C4 cyber staff member and a 17-year veteran in DoD cyber security.

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988