“If you’ve received a friend request from me, ignore it. My account was hacked.”
Almost everyone in the inhabited world has either seen or written that phrase on social media. It happens when someone is nefariously posing on the platform as someone they are not. It happens a lot and even to people who should know how to avoid it. But it isn’t hacking. It’s spoofing and it’s important to know the difference.
Hacking involves accessing a data system, sometimes legitimately, to test a system. The rest of the time the hacker is up to no good. Hacking requires a great deal of skill and knowledge that most people, especially criminals, do not possess. A good example of hacking was the SolarWinds breach because hackers accessed code updates from the target and injected a trojan virus that spread to customers, including FireEye and the DHS. However, hacking requires skill, which makes it a very small part of the volume of cybercrime. Security industry analysts uniformly define only five percent of all computer crime as hacking. The rest is spoofing or phishing (and the two are generally connected) resulting in fraud and blackmail.
For most internet users, there is little they can do to prevent a hack of their system. At the same time, they are unlikely to be a target, so for the rest of this article we will focus on the problem of spoofing.
Spoofing is non-technical
Spoofing requires little to no technical expertise. All it requires is patience on the part of the criminal and permission supplied by the victim, but more on that last part a bit later.
Spoofing involves faking an email address, a domain name server (DNS) or Internet protocol (IP) address. Spoofers can get that information in a number of ways, but the easiest way is to buy it off the internet. They don’t even need to go to the dark web, as criminal organizations sell it out in the open on social media platforms like Instagram. That can lead to getting arrested, though, as some of those vendors are actually law enforcement sting operations.
More patient spoofers can use marketing automation software and spreadsheets to gather the information that victims readily share on social media. For example, on Facebook and Twitter people enthusiastically participate in games like “What Disney Princess are you?” and memes that ask you to reveal your age by naming something that younger people won’t know. Some of these are innocent games, but they all draw data from the users that a criminal can use to get to know the victim or connect to all the people that repost the game. Criminals and marketers alike can determine age groups, where they live, birthdays, and clues to passwords. Once they have gathered enough data on about a thousand people, they can run their scam. Two or three positive responses can result in thousands of dollars in funds readily delivered by the victim.
Buying your way in
Criminals buy legitimate contact lists also used by marketers in direct marketing programs. The list makers don’t really do much in the way of background checks for customers and if they have monitoring of the list uses, the worst that happens is blacklisting the criminal. He can always buy another list from another supplier.
A pernicious scam that has moved to the US is the Classiscammer campaign, which started in Russia, moved through the EU and began hitting the US last year. It works like this:
Scammers publish ads on popular marketplaces and classified websites, offering expensive products for sale at deliberately low prices. The buyer contacts the seller, who lures the former into continuing the talk through a third-party messenger, such as WhatsApp. It’s noteworthy that scammers pose as both buyers and sellers. To be more persuasive, scammers will spoof local phone numbers when speaking with their victims. Once the criminal obtains the victim’s trust, spoofers will manipulate victims into turning over sensitive personal information.
More recently, spoofers have been using this basic program to target people who lost jobs during the pandemic, offering generous job packages after a qualification interview. We interviewed one potential victim who was smart enough to contact Cyber Protection Magazine and ask if this was a legitimate offer. It wasn’t. What made this variation interesting was that getting money from the victim was not the goal. Instead, they wanted the victim to launder money by printing and delivering paychecks through the US Postal System, which is also mail fraud. You can listen to her story at Crucial Tech.
Personal responsibility is the best defense
On the bright side, Apple’s decision to allow iOS users to block apps from tracking them, and Google’s phasing out the use of third-party cookies will stop a significant portion of surreptitious data harvesting, but that won’t stop the criminals completely.
In April, Facebook admitted that more than half a million accounts had been compromised by a spoofing gang that scraped personal data from users that had been voluntarily shared on their pages including birthdays, email addresses, phone numbers and friend lists, none of which are required to be made public. Facebook forbids the practice but has no mechanism to stop it from happening until after the act. Even if social media could keep it from happening, people are still:
- Clicking on links in emails from spoofed accounts
- Replying to emails from spoofed accounts
- Playing games on social media sites
- Giving up personal information in the name of “fun”
- Making birthdays, phone numbers and addresses public on their “about” page for their social platforms
- Using their birth year in the email address
Those are just a few of the mistakes users make and tactics spoofers will employ to gather personal information. Some users like to say that they have nothing to hide so they aren’t concerned about the government being able to scan their social media for information. But contrary to conventional paranoia, the government is not the problem. Hostile nation-states and criminal gangs are, and the victim’s naïveté allows it to happen.
The key to our case study subject’s avoidance of harm is skepticism. That is the most potent weapon in any cybersecurity defense. The industry calls it “zero trust” and is trying mightily to automate it, but no AI technology will ever be superior to a human being who says, “If it is too good to be true, it isn’t.”
In the end, our best advice is: when online, accept nothing as safe, verify everything, and when in doubt, ask.