
Internet users made the heist by Russian hackers a piece of cake

By PAT DONOVAN

Published August 21, 2014

“If you think there’s no way to stop identity theft attacks like the one in which Russian hackers stole 1.2 billion usernames and passwords, you would be wrong.”

So says online consumer-behavior expert Arun “Vish” Vishwanath, PhD, associate professor in the Department of Communication, who has conducted extensive research in the field of online security, user behavior and identity theft.

“Prevention of such massive theft begins with you – the computer user,” he says. “We willingly hand over all sorts of personal information to online strangers, sometimes just by clicking on a link, so thievery like this is very easy to accomplish, even by unsophisticated crooks.”

He says the Russian gang initially purchased stolen credentials on the black market, but then began phishing people via email and social media with links and attachments that, once clicked, installed malware on the users’ computers.

“This malware allowed the criminals to send emails and messages to others in the victim’s address books and friend lists, each containing more links that compromised others’ computers,” says Vishwanath.

“The compromised computers were used to surreptitiously assess the vulnerability of websites that users visited,” he says, “and that yielded data from over half a million websites.

“In this way, a simple phishing attack through the process of social-contagion became a gold mine for the Russian gang,” Vishwanath says, “but it is actually our behavior on social media, for instance, that makes it possible for thieves like this to succeed.

“Take social media, for instance,” he says. “People often tell others where they are and who they are with on Facebook, which makes it easy for perpetrators interested in breaking into your house. All they have to do is to keep an eye on your account to learn when you are out of town. It also makes it easy for people to craft messages to lure you. Something as simple as knowing you have a dog or love gardening or are traveling makes it easy for a perpetrator to target you.”

He says a lot of us presume that social media is transparent; that people who have a profile are real; that friend requests have been sent by an actual person – a friend, an acquaintance, someone we met a while ago perhaps.

That’s not true and Vishwanath says it’s time to wake up. “There are millions of fake profiles on Facebook and it’s hard even for Facebook to police them,” he says, “and it’s more nefarious than that.

“There are companies that create phony social media profiles and sell them to other companies that use them to improve their perceived popularity by producing ‘fake’ likes, comments and recommendations to posts,” he says, and those phony profiles have many other uses.

“It’s easy to create a profile for another person by culling pictures found online,” Vishwanath says, “and once a fake profile pulls in a few friends, or even creates fake friends, other people quickly start connecting with them.

“This is the greatest danger with social media,” he says. “People with ‘friends’ are assumed to be authentic or real. And, once the fake profile pulls in a victim, all the victim’s friends start falling for the deception because they think the fake profile represents their friend’s friend. In this way, a simple attack can ignite a rather large trove of victims.”

Vishwanath evaluated why such contagion takes place in a recent simulation where he sent existing Facebook users a series of friend requests from phony profiles he created for the study.

One of the phony profiles had a picture, another had many phony friends, another just had the name and no picture or friends, and one other had a full profile with a picture of the sender and many phony friends.

The profiles were of average-looking males. The findings show how people think: the profiles with pictures and friends and the one with only friends were very successful in netting victims. What was intriguing was that within a few minutes, people started accepting the request from the person with many phony friends, and this attack, in the end, was most successful.

People didn’t even care if that person had a picture; all they looked at was how many friends this person had and quickly accepted the request. Within a few hours, the attack had gone viral, and real victims were now accepting the request because they saw their (mutual) friends accept it. It appears that popularity is all that matters and is the key reason why it is so easy to victimize people on Facebook and even via email.