Facebook, Instagram Blasted for 'Lame' Security PracticesAccount Takeover Claims Grow 1,000% as Scams Hit People, Banks, Government Agencies
More than 4 billion people have accounts on Facebook and Instagram, making them the most popular social media platforms on the planet. Members share photos, life events and opinions to attract followers, build businesses and stay connected with friends and family. But there's a darker side to these social platforms.
Social media account takeover complaints to the Identity Theft Resource Center jumped more than 1,000% last year. Theft, impersonation and fake accounts on Facebook and Instagram - social properties of Meta - are fueling a massive increase in scams and illegal activity. In fact, federal authorities say about 50% of account takeover cases today originate on social media.
"We have all these platforms, but who's taking care of your security? Who's taking care of your privacy? I don't think anybody really is. Frankly, I think the efforts are lame."
– Chris Ingram, author, former radio personality and Facebook identity theft victim
"These social media scams are bigger parts of underlying scams we're seeing out there," says Stephen Dougherty, financial fraud investigator with the U.S. Secret Service. "We are seeing a lot of social media impersonation and social media misinformation being used to carry out scams such as romance scams, which we all know are very, very impacting for the victims involved because not only are they at financial loss usually, a lot of times they can be flipped and used as money mules to perpetrate bigger cyber and even financial crimes such as business email compromise."
Cryptocurrency investments are common scams on social media these days, giving rise to a new twist on pig butchering, which typically begins with a contact on social media and often includes elements of romance scams. U.S. authorities in November seized seven spoofed website domains used to trick five victims into investing $10 million in crypto assets that simply vanished.
Growing Threats to Banks
Personal details about customers freely available on Facebook and Instagram have long been used to "fill in the edges" about victims to facilitate takeover of banking accounts, but a growing trend is to use this information to open new accounts for banking fraud and theft of government benefits, says James Lee, COO of the Identity Theft Resource Center. The move to digital banking and online account opening has exacerbated the problem, he says.
"No one is ever going to look at you. You're not going to be in the physical presence of a human being when you're opening up those accounts," Lee tells Information Security Media Group. "So that account is now set up, and, you, the person whose information has been used, is completely unaware that someone has opened up an account in your name. The first time you'll be aware is when, months later, depending on the type of account they open, when you get some notice from the financial institution - that is, a document you have to file with your taxes."
Each major U.S. bank is spending at least $1 billion a year on cybersecurity and fraud detection, but the American Bankers Association acknowledges that social media scams are generating significant losses for the industry.
"I think it's a problem for everyone," says Paul Benda, senior vice president of operational risk and cybersecurity at the American Bankers Association. "When you look at this, it's obviously the person whose identity is stolen. It's a terrible thing. They're a victim from the scammers. But if you're a bank and it's shown that's a fraudulent account, your bank is going to make you whole, so the bank is also a victim because they're having to pay out a lot of these things. And so that's the challenge we've got is: It's got to be a joint response. Consumers have to try and educate themselves on 'What are the red flags?' And banks spend billions of dollars every year trying to identify these things in the background with the fraud alerts, with the cybersecurity security controls they have in place."
Facebook Credential Theft Hits 500M Users
Automated tools are enabling threat actors to compromise huge numbers of social media accounts. Researchers at cybersecurity firm PIXM have been tracking a single campaign, active on Facebook since 2021, that has stolen the credentials of half a billion users - and counting. The scammer, based in Colombia, bragged that he has generated $60 million in ad revenue clicks.
The theft of credentials begins with a phishing email through Facebook Messenger that comes from a "friend" and asks, "Is that you in this video? You better take it down." Most Facebook users click on the link, and that sets up a man-in-the-middle attack with a fake Facebook login page to steal credentials, says Nick Ascoli, vice president of threat research at PIXM.
"What they'll do with your Facebook credentials is, programmatically with their own bots, log into your Facebook account and then do the same thing - spread the same link to all of your Facebook Messenger contacts," Ascoli says.
While the Colombian threat actor's main motivation is to generate ad revenue by linking to legitimate advertising and malvertizing services, the process shows how easy it is to fool Facebook Messenger email security and steal credentials. Ascoli has been monitoring clicks from Messenger to a number of fake websites used by the hacker. The sites are subdomains of Hubspotpagebuilder.eu, a legitimate web hosting service.
Once the user clicks on the phishing link, the user is directed to page that displays a "404" error page for less than 1 second. It then redirects users to a fake Facebook login page, requiring them to submit their credentials. Once the credentials are captured, the user is redirected to a blank video page with other links to fake content. Behind the scenes, the hacker serves up 10 to 15 ad pages and collects about 15 cents per click, Ascoli says.
Account Recovery Process Is 'Laughable'
One of the biggest problems with account takeover on Facebook is that victims are finding it difficult - if not impossible - to recover their accounts. Take, for example, Chris Ingram, an author and former radio personality. He wasn't a big Facebook user, but one day he got an email from his ex-wife, who wanted to know why he was trying to sell her cryptocurrency.
"I went and checked my Facebook account and couldn't log in," Ingram says. "It said my password was false. It said it wasn't my Facebook account. And even when I tried to get through with the backup - my phone number and that sort of thing, it wouldn't let me sign in."
Ingram reported the credential theft online to Meta and about 10 days later, he received a notice from the system, saying the person impersonating him did not "violate community standards." Unable to reach a real person with Meta, he reported the theft several more times - with the same result.
"It's actually laughable," he says. "Meanwhile, friends of mine are getting emails trying to sell them everything from bitcoin to vacations in Aruba."
Lee with the Identity Theft Resource Center says credential theft is a common problem for Facebook and Instagram users. In most cases, he says, users simply give up trying to recover their account.
"They can't get through the systems that the platforms have created to handle these issues, which by and large do not involve an actual human being, which frustrates people and drives people away," Lee says. "The response you get from the organizations around these kinds of issues is basically, 'If we required more verification on the front end, if we required multifactor authentication universally, if we required other kinds of processes that would make it easier to prove that the actual account owner has been kicked out, that that would somehow make the system either less secure, more onerous, or it would not be feasible from a cost perspective.' Those are excuses; those are not legitimate reasons."
But behind every account takeover, there's a human cost that is impossible to measure. For example, while Ingram was trying to recover his account, his 32-year-old son died and he was unable to talk with numerous friends about his loss.
"I tried to reach out to friends who loved him and who might want to know that and, frankly, who might comfort me in that time, and I couldn't reach them," Ingram says. "I couldn't make those connections that frankly, have now become over the internet what used to be more flesh and blood and personal. Obviously, in the grand scheme of things, not being able to reach people on Facebook is not the end of the world. But it was just one added gut-wrenching stab in the gut that, frankly, just made this even more aggravating."
Meta, the parent company of Facebook and Instagram, did not respond to requests for an interview with Information Security Media Group. In December, Nathaniel Gleicher, Meta's head of security policy, said that the social platform had improved its security controls to deter phishing and had piloted a new online chat feature that helped more than 1 million people in nine countries recover their accounts.
Meta says users typically face problems with account recovery when they have incomplete or outdated contact information, and the social media giant says 1 in 4 account takeovers occurs when contact information is compromised. Earlier this month, Meta sued a scraping-for-hire service provider and closed 60,000 fake accounts.
Users such as Ingram, however, say Meta owes it to members to do more.
"The priority has to be security," he says. "If you're going to be somebody who opens up a company who's going to be providing these kinds of services, your number one priority has to be privacy and security first, and then everything else can follow. Unfortunately, I think, we've certainly got the cart before the horse. We have all these platforms, but who's taking care of your security? Who's taking care of your privacy? I don't think anybody really is. Frankly, I think the efforts are lame."
Experts warn users to be ever more vigilant, but some say the federal government can help turn the tide. One major step in the right direction would be a national data breach reporting law that requires organizations to report what happened and what actions are being taken to remediate the problem, according to Lee.
"Individual privacy, cybersecurity, business privacy, business security - all these things are now intertwined in ways we've never seen historically,” Lee says. "This is one of the best ways we have to deal with that and begin the process of making real headway in reducing the number of identity crime victims."