BUFFALO, N.Y. – “If you think there’s no way
to stop identity theft attacks like the one in which Russian
hackers stole 1.2 billion usernames and passwords, you would be
So says online consumer-behavior expert Arun “Vish”
Vishwanath, PhD, associate professor in the Department of
Communication at the University at Buffalo, who has conducted
extensive research in the field of online security, user behavior
and identity theft.
“Prevention of such massive theft begins with you –
the computer user,” he says. “We willingly hand over
all sorts of personal information to online strangers, sometimes
just by clicking on a link, so thievery like this is very easy to
accomplish, even by unsophisticated crooks.”
He says the Russian gang initially purchased stolen credentials
from the black market, but then they began phishing people via
email and social media with links and attachments that, once
clicked, installed malware on the users’ computers.
“This malware allowed the criminals to send emails and
messages to others in the victim’s address books and
friend lists, each containing more links that compromised
others’ computers,” says Vishwanath.
“The compromised computers were used to surreptitiously
assess the vulnerability of websites that users visited,” he
says, “and that yielded data from over half a million
“In this way, a simple phishing attack through the process
of social-contagion became a gold mine for the Russian gang,”
Vishwanath says, “but it is actually our behavior on social
media, for instance, that makes it possible for thieves like this
“Take social media, for instance,” he says.
“People often tell others where they are and who they are
with on Facebook, which makes it easy for perpetrators interested
in breaking into your house. All they have to do is to keep an eye
on your account to learn when you are out of town. It also makes it
easy for people to craft messages to lure you. Something as simple
as knowing you have a dog or love gardening or are traveling makes
it easy for a perpetrator to target you.”
He says a lot of us presume that social media is transparent;
that people who have a profile are real; that friend requests have
been sent by an actual person – a friend, an acquaintance,
someone we met a while ago perhaps.
That’s not true and Vishwanath says it’s time to
wake up. “There are millions of fake profiles on Facebook and
it’s hard even for Facebook to police them,” he says,
“and it’s more nefarious than that.
“There are companies that create phony social media
profiles and sell them to other companies that use them to improve
their perceived popularity by producing ‘fake’ likes,
comments and recommendations to posts,” he says, and those
phony profiles have many other uses.
“It’s easy to create a profile for another person by
culling pictures found online,” Vishwanath says, “and
once a fake profile pulls in a few friends, or even creates fake
friends, other people quickly start connecting with them.
“This is the greatest danger with social media,” he
says. “People with ‘friends’ are assumed to be
authentic or real. And, once the fake profile pulls in a victim,
all the victim’s friends start falling for the deception
because they think the fake profile represents their friend’s
friend. In this way, a simple attack can ignite a rather large
trove of victims.”
Vishwanath evaluated why such contagion takes place in a recent
simulation where he sent existing Facebook users a series of
friend requests from phony profiles he created for the study.
One of the phony profiles had a picture, another had many phony
friends, another just had the name and no picture or friends, and
one other had a full profile with a picture of the sender and many
The profiles were of average-looking males. The findings show
how people think: the profiles with pictures and friends and the
one with only friends were very successful in netting victims. What
was intriguing was that within a few minutes, people started
accepting the request from the person with many phony friends, and
this attack, in the end, was most successful.
People didn’t even care if that person had a picture; all
they looked at was how many friends this person had and quickly
accepted the request. Within a few hours, the attack had gone
viral, and real victims were now accepting the request because they
saw their (mutual) friends accept it. It appears that popularity is
all that matters and is the key reason why it is so easy to
victimize people on Facebook and even via email.