The hijacking of social media accounts has reached epidemic proportions in the past 12 months, according to the Identity Theft Resource Center.
The non-profit organization that provides assistance to victims of identity theft revealed in its 2022 Consumer Impact Report that social media takeovers increased by 1,000% during the period.
In a consumer survey, the ITRC found that 85% had their Instagram accounts compromised, while 25% had their Facebook account hacked.
The report also found that 70% of account takeover victims were permanently locked out of their social media accounts and 71% had friends contacted by the hackers who compromised the account.
It can be easy to dismiss this type of identity crime as a mere inconvenience, the report notes, but it can have a profound financial and emotional impact on people.
For example, 27% of account takeover victims told the ITRC that they lost sales revenue when they lost control of their social networks.
“For some people, where social media is a communication platform for family and friends, loss of access can range from embarrassment to heartbreak,” said Mike Parkin, senior technical engineer at Vulcan Cyber, a SaaS provider for enterprise cyber risk remediation, in Tel Aviv, Israel.
“For others, where they make money from Instagram, YouTube or TikTok, losing their account can mean a substantial drop in income,” he told TechNewsWorld.
Breach of trust
One of the biggest assets for any type of phishing attack is having a “trusted” communication channel, observed John Bambenek, a senior threat hunter at Netenrich, a San Jose, California-based IT operations and digital security company.
“If I get a phishing email from Citibank, I know I can ignore it because I don’t count there,” he told TechNewsWorld. “If you use a social media account to attack your victim’s contacts, they are already preconditioned to accept your message as valid.”
“We tend to trust people we are close to when they message us on social media,” added Paul Bischoff, privacy advocate at Comparitech, a site for opinions, advice and information on consumer safety products.
“If I get a message from my mom, I’m going to implicitly trust her,” he told TechNewsWorld. “If someone takes over their social media account, it wouldn’t be hard for them to trick me into sending them money, my social security number, or my account password.”
“By abusing this kind of trust relationship,” he said, “account takeovers can spread and be difficult for victims to detect compared to, say, a phishing email.”
Popularity breeds hackers
An account owner isn’t the only victim of an account takeover, noted Matt Polak, CEO and Founder of picnic society, a social engineering protection company in Washington, DC.
“By impersonating the true owner of the account, a bad actor can create messages or send private messages that trick contacts into doing something they wouldn’t otherwise do, such as clicking on a malicious link, forwarding credit card information or their credentials – which can lead to the account being compromised again – or money being deposited into the attacker’s account,” he told TechNewsWorld.
“Thus, the takeover of the social media account can be detrimental not only to the person being impersonated, but also to those who are targeted by the criminal using the account,” he added.
The popularity of social media has made it a target for web predators, claimed Roger Grimes, a data-driven defense evangelist with KnowBe4, a security awareness training provider, in Clearwater, Florida. “Anything that gets popular gets pirated,” he told TechNewsWorld. “That’s been true since the beginning of computers and it’s just as true today.”
“That’s why it’s crucial that we create a personal and organizational culture of healthy skepticism, where everyone learns to recognize the signs of a social engineering attack, no matter how it arrives – whether by email, Web, social media, text message, or a phone call — and whoever it appears to be sent by,” he said.
Strong authentication required
Some of the blame for account takeovers can be placed on social media operators, maintained Matt Chiodi, director of trust at Cerby, manufacturer of a Shadow IT management platform, in San Francisco.
“None of the major social media platforms offer robust authentication options for their billions of users,” he told TechNewsWorld. “This is unacceptable for tools that are so widely used by consumers and essential for business and democracy.”
“These ‘ingestible apps’ do not support security standards, such as single sign-on or automated user creation and deletion through a standard known as SCIM,” he said. “These two standards are the bread and butter of what keeps many enterprise-class applications secure. But none of them are supported, and this is the main reason why criminals go after social accounts.”
The ITRC also reported a slight drop in the number of repeat victims of identity theft. In 2022, 26% of victims surveyed said they had already been a victim, compared to 29% in 2021.
Awareness may be one reason for the decline, said Carmit Yadin, founder and CEO of TotalDevice, manufacturer of a risk management platform for non-controllable devices, in Tel Aviv, Israel.
“When someone gets hacked, they take it seriously,” she told TechNewsWorld. “He will learn and know what not to do next.”
“Before he got hacked,” she continued, “he may have heard of these attacks but was unaware of their consequences.”
More difficult to find targets?
Another possible reason for the drop was offered by Angel Grant, vice president of security at F5, a Seattle-based multi-cloud security and application services company. “Victims of identity theft often mistakenly feel shame and embarrassment that they did something wrong,” he told TechNewsWorld. “For this reason, they often don’t signal when hit.”
The decline could also be a sign that identity thieves may find it harder to find soft targets and harder to get new ones, suggested Ray Steen, CSO of main spring, a managed IT services provider in Frederick, Md.
“After falling prey to an identity attack, victims frequently clean their digital footprint and adopt better security practices,” he told TechNewsWorld.
“In this light, a 3% decrease in casualties is not as encouraging as it first appears,” he said. “I hope for more significant improvements.”
“Unfortunately,” he added, “cyber actors take at least one step forward for every step their victims take toward better security, and they are constantly developing new attack methods.”