Hijacking of social media accounts has reached epidemic proportions in the last 12 months, according to the Identity Theft Resource Center.
The non-profit, which provides assistance to the victims of identity theft, revealed in its 2022 Consumer Impact Report that social media takeovers have increased by 1,000% during the period.
In a survey of consumers, the ITRC found that 85% had their Instagram accounts compromised, while 25% had their Facebook accounts hijacked.
The report also found that 70% of the victims of account hijacking were permanently locked out of their social media accounts, and 71% had friends contacted by the hackers that compromised the account.
It may be easy to dismiss this type of identity crime as a mere inconvenience, the report noted, but it can have a profound financial and emotional impact on people.
For example, 27% of account hijacking victims told the ITRC they’d lost sales revenue when they lost control of their social media.
“For some people, where social media is a communication platform for family and friends, losing access can range from an annoyance to heartbreaking,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber risk remediation, in Tel Aviv, Israel.
“For others, where they are making money from Instagram, YouTube, or TikTok, losing their account can mean a substantial hit to their income,” he told TechNewsWorld.
Abusing Trust
One of the biggest assets for any kind of phishing attack is having a “trusted” channel of communication, observed John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations firm based in San Jose, Calif.
“If I get a phishing email from Citibank, I know I can ignore it because I don’t bank there,” he told TechNewsWorld. “If you are using a social media account to attack the contacts of your victim, they are already preconditioned to accept your message as valid.”
“We tend to trust people we’re close to when they message us on social media,” added Paul Bischoff, a privacy advocate at Comparitech, a reviews, advice and information website for consumer security products.
“If I get a message from my mother, I’m going to implicitly trust it,” he told TechNewsWorld. “If someone takes over her social media account, it wouldn’t be hard for them to trick me into sending them money, my Social Security number, or my account password.”
“By abusing this sort of trusted relationship,” he said, “account takeovers can spread and be difficult for victims to detect when compared to, for example, a phishing email.”
Popularity Breeds Hackers
An account owner isn’t the only victim of an account hijacking, noted Matt Polak, CEO and founder of the Picnic Corporation, a social engineering protection company in Washington, D.C.
“By impersonating the actual owner of the account, a bad actor can create posts or send private messages that fool contacts into doing something they would not otherwise do, such as clicking on a malicious link, handing over credit card information or their credentials — which can lead to further account compromise — or depositing money into the attacker’s account,” he told TechNewsWorld.
“So social media account takeover can be not only harmful to the person whose identity is being impersonated, but also to those who are targeted by the criminal using the account,” he added.
Social media’s popularity has made it a target of web predators, maintained Roger Grimes, a data-driven defense evangelist with KnowBe4, a security awareness training provider, in Clearwater, Fla. “Whatever becomes popular becomes hacked,” he told TechNewsWorld. “It’s been true since the beginning of computers and is just as true today.”
“That is why it is crucial that we create a personal and organizational culture of healthy skepticism, where everyone is taught how to recognize the signs of a social engineering attack no matter how it arrives — be it email, web, social media, SMS message, or phone call — and no matter who it appears to be sent by,” he said.
Robust Authentication Needed
Some of the blame for account hijacking can be pinned on social media operators, maintained Matt Chiodi, chief trust officer at Cerby, maker of a platform to manage Shadow IT, in San Francisco.
“None of the prominent social media platforms offer robust authentication options to their billions of users,” he told TechNewsWorld. “This is unacceptable for tools that are so widely used by consumers and critical to enterprises and democracy.”
“These ‘unmanageable applications’ do not support security standards, such as single sign-on or automated user creation and removal through a standard known as SCIM,” he said. “These two standards are the bread and butter of what keeps many enterprises’ crown jewel applications secure. But none of them are supported, and it’s the main reason criminals go after social accounts.”
The ITRC also reported a slight decline in repeat victims of identity theft. In 2022, 26% of surveyed victims said they’d been a victim before, compared to 29% in 2021.
Awareness may be one reason for that decline, posited Carmit Yadin, founder and CEO of DeviceTotal, maker of a risk management platform for un-agentable devices in Tel Aviv, Israel.
“When someone gets hacked, he takes it seriously,” she told TechNewsWorld. “He will learn and know what not to do next.”
“Before getting hacked,” she continued, “he may have heard about these attacks but wasn’t aware of their consequences.”
Harder To Find Targets?
Another possible reason for the decline was offered by Angel Grant, vice president for security at F5, a multi-cloud application services and security company in Seattle. “Victims of identity theft often wrongfully feel shame and embarrassment that they did something wrong,” he told TechNewsWorld. “Because of that, they often do not report when they are impacted.”
The decline could also be a sign that identity thieves may be finding it harder to find easy targets and harder to get new ones, suggested Ray Steen, CSO of MainSpring, a provider of IT-managed services in Frederick, Md.
“After falling prey to one identity attack, victims frequently clean up their digital footprint and adopt better security practices,” he told TechNewsWorld.
“In this light, a 3% decrease in victims is not as encouraging as it may first appear,” he said. “I would hope for larger improvements.”
“Unfortunately,” he added, “cyber actors take at least one step forward for every step their victims take towards better security, and they are constantly developing new methods of attack.”