E-crime - Home Affairs Committee Contents


4 Can web service providers protect our data?

Growth of e-crime on social networks

85. Over half of UK households now use social networking sites. Facebook is the most popular social network in the UK with two thirds of internet users having accounts on the site. Facebook told us that it has 33 million UK users and approximately a billion users worldwide.[73] Twitter estimated that it had 10 million users in the UK, 200 million worldwide.[74] Google+ had 2.5m.[75] Social networking has become the most popular online activity, accounting for 19% of all time spent online worldwide.[76] The popularity of social networks and the vast amount of data they store about individuals is making them a prime target for cyber criminals.

86. During our inquiry we spoke to the providers of the most popular web services in the UK: Facebook, Twitter and Google. We asked them if there had been an increase in the number of attacks on services. Facebook's Simon Milner, Director of Public Policy, told us that there was "consistent evidence" that people were hacking Facebook in the UK and the US.[77] Sinead McSweeney, Director of Public Policy EMEA, Twitter, confirmed that there had been an increase in terms of "advanced, persistent threats from sophisticated and well-resourced individuals with expertise, with resources".[78]

Drivers of e-crime on social networks

87. Sophos reported that social networks were an increasingly popular platform for cyber criminals. It linked the rise in e-crime on social media to the trend in mobile cyber crime, as users increasingly accessed social networks through mobile phones: 35% of UK mobile phone users accessed social network sites through their phones in 2010-11.[79] Sophos also reported that 50% of all smartphones were connected to Facebook for 24 hours a day. As well as popularity, Sophos identified the implied trust between users of social networks as a key reason why they are increasingly targeted by cyber criminals.[80]

88. The Norton 2012 Cyber Crime Report, which surveyed c.13,000 adults across 24 countries, identified the targeting of social networks as one of two key trends in the development of e-crime. The report found that:

  • 4 in 10 social network users had been a victim of e-crime on social networks;
  • 1 in 6 social network users reported that someone had hacked into their profile and impersonated them;
  • 1 in 10 users had been victims of scams or fake links on social networks;
  • 19% of respondents had been notified that their password for a social networking site had been compromised and needed to be changed.[81]

89. Imperva recently analysed the conversation threads on one of the internet's largest hacker forums (it has a membership of 250,000) and a number of smaller forums. It found that social networks were of increasing interest to online hackers. Facebook was the most popular platform discussed, featuring in 39% of conversations. Twitter was a close second, being mentioned in 37% of conversations. Other sites featured can be seen from the chart below. A common request in these discussions was for assistance in hacking into an individual's social network profile, either to spy on them or for revenge.[82]

Social networks popularity. Percentage of threads with keyword September 2011-September 2012 [83]


90. The Police Central e-Crime Unit told us that it saw social networks being used for general and bespoke phishing scams and to gather information with which to blackmail users.[84]

Types of e-crime carried out on social networks

IDENTITY THEFT / PHISHING ON SOCIAL NETWORKS

91. Many types of scams on social networks involve hijacking a user's account by luring them to a webpage with a fake log-in for their account or with malware that installs a keylogger (a programme that records key strokes) on their computer. Upon gaining control of the account, the scammer can then contact the user's friends and attempt to scam them by impersonating the user and pretending that they are in trouble and need some money. They can also post messages and links that will compromise the friends' accounts in turn. Accounts may also be hijacked in personally motivated attacks as a means of revenge or to spy on a user's actions.

92. In evidence, RSA explained how users of social media could be providing information unwittingly to criminals: "attackers are increasingly gathering intelligence on their targets, sometimes months in advance of an attack, using social media and other means to understand which individuals possess the assets they want, and crucially how to tailor, or "socially engineer", their attacks to increase their likelihood of success. Indeed cyber attackers prefer using social engineering in this way because in so doing they are able to evade traditional perimeter controls more easily."[85]

THEFT OF PERSONAL INFORMATION

93. Scammers can steal personal information from social networkers, especially those who do not use privacy settings appropriately (see above), or develop other socially-engineered attacks against the user or their friends. Weaknesses in the design of social networks can help scammers access personal information. For example, the account settings on networks such as Google+ are automatically set to public. Sarah Hunter, Google's Head of Public Policy in the UK, told us that the hijacking of Google accounts was "a significant problem". She said that there was some evidence that phishing emails, that is, emails sent to people in an attempt to get their passwords out of them, were "increasingly coming from accounts—emails from people they think they know. Of course, they are not from people they know; they are from those accounts that have been hijacked".[86] Google said it had spent "a lot of money and a lot of time trying to prevent accounts from being hijacked in the first place. We spend hundreds of millions of pounds in keeping our users' data safe".

94. Google appears to have had some success in protecting its users: Sarah Hunter confirmed that over the last two years the number of Google accounts hijacked had decreased by 99.7%. She told us that Google has developed technology that scans account activity and identifies suspicious activity:

    For example, if you have a Gmail account and you signed in from London, and then an hour later signed in from Australia, we would see that as a signal of suspicious activity, and we would ask you a few questions, some security questions; "Are you really you?" That is an amazingly effective way to stop hijacking, and as a result we have significantly reduced the number of hijacked accounts.[87]
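The check Sarah Hunter describes is usually called "impossible travel": two logins on one account whose locations could not both be reached by one person in the time between them. The Python below is an added illustration of that logic, not code from the report or from Google. It assumes an upstream step has already resolved each login's client IP to a latitude and longitude, uses a hypothetical threshold of 1,000 km/h (faster than any airliner) as the plausibility limit, and runs over a small set of constructed login events; what the real system does on a hit (the "Are you really you?" questions) is represented only by the returned flag.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


# Constructed login events. Coordinates are approximate city centres; the
# IP-to-location lookup is assumed to have happened before this point.
@dataclass(frozen=True)
class Login:
    account: str
    when: datetime
    city: str
    lat: float
    lon: float


SAMPLE_LOGINS = [
    Login("alice", datetime(2013, 7, 30, 10, 0), "London", 51.5074, -0.1278),
    Login("alice", datetime(2013, 7, 30, 11, 0), "Sydney", -33.8688, 151.2093),
    Login("bob", datetime(2013, 7, 30, 9, 0), "London", 51.5074, -0.1278),
    Login("bob", datetime(2013, 7, 30, 12, 0), "Manchester", 53.4808, -2.2426),
    Login("carol", datetime(2013, 7, 30, 8, 0), "New York", 40.7128, -74.0060),
    Login("carol", datetime(2013, 7, 31, 8, 0), "London", 51.5074, -0.1278),
]

EARTH_RADIUS_KM = 6371.0
# Hypothetical threshold: no scheduled flight is faster, so a higher implied
# speed means the two logins cannot both be the account holder.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev, cur):
    """Speed the account holder would have needed to get from one login to the next.

    Two logins from different places at the same instant imply infinite speed;
    two from the same place at the same instant imply zero.
    """
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def find_impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one (account, from_city, to_city, speed_kmh) tuple for every pair of
    consecutive logins on the same account whose implied speed exceeds max_kmh.

    Each such pair is the signal on which the account would be challenged
    rather than silently let in.
    """
    by_account = {}
    for event in sorted(logins, key=lambda e: (e.account, e.when)):
        by_account.setdefault(event.account, []).append(event)

    flagged = []
    for account, events in by_account.items():
        for prev, cur in zip(events, events[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                flagged.append((account, prev.city, cur.city, round(speed)))
    return flagged


if __name__ == "__main__":
    for hit in find_impossible_travel(SAMPLE_LOGINS):
        print("challenge account %s: %s -> %s implies %d km/h" % hit)
```

Only alice is flagged: London to Sydney in an hour implies roughly 17,000 km/h. Bob's London to Manchester trip over three hours and Carol's New York to London trip over a day are both within the threshold, which is the point of comparing speed rather than distance alone: a transatlantic login is normal if enough time has passed.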

95. Facebook has no formal review process for 'apps' developed by third parties that are accessible on its platform. Many of these apps require users to give the developer access to some of their personal account information. Cyber criminals may use apps as another way of evading security checks and stealing personal information.

96. As RSA explained:

    "cyber criminals are out to steal personal information for financial gain. This information can range from an individual's credit card details and web or corporate logins, to an organisation's highly confidential plans or data. Indeed the value of personal data to a cyber criminal is much higher than a credit card or bank account number alone. For example, the average selling price of a US credit card on the criminal black market is around $1.50. But when that card is sold with a full identity profile, the value can be up to ten times greater."[88]

CLICKJACKING

97. In a practice known as 'clickjacking', malicious code can be hidden beneath legitimate buttons or other clickable content on a website. The content is often given sensationalist headlines to entice users to click on it. Previous examples include: "Lady Gaga found dead in hotel room," and "Japanese tsunami launches whale into building." Users believe they are clicking on one thing, such as a video or article, but are actually clicking on an invisible button that releases a worm into their computer.[89]
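Clickjacking works by loading the victim site inside an invisible frame on the attacker's page, so the defence belongs to the site whose buttons are being hidden: it tells browsers which origins may frame it. The Python below is an added example, not code from the report or from Sophos, that audits a response's framing policy the way a site owner or scanner would. It parses the `frame-ancestors` directive of `Content-Security-Policy` and the older `X-Frame-Options` header, gives CSP precedence (browsers that understand `frame-ancestors` ignore `X-Frame-Options` when both are present), and runs over a few constructed header sets; the partner hostname in one of them is made up.

```python
# Values of X-Frame-Options that browsers honour as a restriction.
PROTECTED_XFO = {"DENY", "SAMEORIGIN"}


def _get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent.

    Keyword sources ('none', 'self') are quoted in CSP; host sources are not.
    Quotes are stripped so both kinds can be compared as plain strings.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def audit_clickjacking(headers):
    """Classify a response's framing policy as (protected, explanation)."""
    csp = _get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # An empty source list or 'none' allows no ancestor at all.
            if not sources or "none" in sources:
                return True, "CSP frame-ancestors forbids all framing"
            # '*' or a bare scheme such as https: lets any site on that scheme frame the page.
            weak = [s for s in sources if s == "*" or s.endswith(":")]
            if weak:
                return False, "CSP frame-ancestors allows broad sources: %s" % weak
            return True, "CSP frame-ancestors restricts framing to: %s" % sources

    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in PROTECTED_XFO:
            return True, "X-Frame-Options %s" % value
        return False, "X-Frame-Options value %r is not DENY or SAMEORIGIN" % value

    return False, "no framing restriction: any site can embed this page under an overlay"


def hardened_headers():
    """The header pair a site should send when nothing legitimate needs to frame it."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed responses exercising the cases a scanner meets.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "legacy": {"x-frame-options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://partner.example"},
    # CSP wins over X-Frame-Options in browsers that support it, so this is open.
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, audit_clickjacking(headers))
    print("hardened", audit_clickjacking(hardened_headers()))
```

The `csp-wildcard` case is the one that catches people out: adding `X-Frame-Options: DENY` does nothing once a permissive `frame-ancestors` directive is present, because the newer header takes over. Script-based "frame busting" is deliberately not counted as protection, since it can be disabled by the framing page.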

ADVANCE FEE / ROMANCE SCAMS

98. Cyber criminals may use social network platforms to persuade users to send an advance fee in order to receive a prize or take part in a 'get rich quick' scheme. Scammers have also persuaded users to part with money by developing an 'online relationship' with individuals.[90] After a while they persuade their victim to send them money on the basis that they are in trouble or want to visit the victim in person but can't afford to do so. This type of fraud is prevalent on dating websites.

TWITTER DIRECT MESSAGES (DMs)

99. One recent spate of attacks used Twitter Direct Messages to tell users that they are featured in a YouTube video. Users who click on the link are greeted with what appears to be a video player and a warning message that "An update to YouTube player is needed", but the download is in fact a trojan which will infect the user's computer.

CYBER BULLYING AND TWITTER TROLLS

100. 'Cyber bullying' and 'Twitter trolls' are terms used for bullying carried out on social media sites. This type of bullying is particularly high amongst young people. Parents have spoken out about their children being bombarded with vicious or sexually explicit taunts from their peers and being pressured to take part in sexual activities, sometimes of a violent nature.[91] There have been several high profile cases of celebrities and public figures becoming victims of 'Twitter trolls', users who send malicious, offensive and threatening tweets to others. In a recent court case Frank Zimmerman, who sent a message to Louise Mensch threatening her children, was given a 26 week suspended prison sentence.[92] Trolls are not just an issue for Twitter, however: Facebook recently launched a campaign in Australia to encourage users to stand up to online bullies. Bullying can and does occur on many other web platforms.

101. Online services should be 'secure by design' e.g. new account settings should be set by default to private with the user sharing information with friends or publicly only if they actively choose to do so. Users should not be asked to submit personal details that are known to be helpful to fraudsters. For example, users should be discouraged from giving their date of birth.

102. We recommend that providers of web services take users through a short explanation when they sign up for an account about how to keep their data secure and how criminals could use certain data against them. Users should not be asked to provide such valuable personal data.

103. We are concerned that many users may not grasp the full extent of the data they are sharing with private companies. The interest in and opposition to plans to increase data availability to the Government (witness, for example, the fate of the proposed Data Communication Bill) makes us question whether the public is really relaxed about sharing so much data or is simply unaware of doing so.

104. We are deeply concerned that it is still too easy for people to access inappropriate online content, particularly indecent images of children, terrorism incitement and sites informing people how to commit online crime. There is no excuse for complacency. We urge those responsible to take stronger action to remove such content. We reiterate our recommendation that the Government should draw up a mandatory code of conduct with internet companies to remove material which breaches acceptable behavioural standards.

105. We note those companies that donate to the Internet Watch Foundation, and encourage them to increase their contributions. Additionally, we recommend that the Government should look at setting up a similar organisation focused on reporting and removing online terrorist content.

106. We are concerned to note the Minister's assertion that off-the-shelf hacking software is increasingly available to untrained criminals, and recommend that the Government funds a law enforcement team which is focused on disrupting supply.

Improving software standards

107. Engineering the Future has been outspoken about the need to improve the design of new software to make it more resilient against attack. It says that:

    The capability of seemingly benign attachments, such as pdf files or jpeg pictures to execute malicious code or website attacks ... all result from wholly avoidable mistakes by the developers of the faulty software.

    the main source of risk is not, as widely claimed, unsafe behaviour by computer users but, rather, the design flaws and programming errors that make normal, reasonable behaviour unsafe.[93]

108. Engineering the Future says that improving public awareness about online risks will be ineffective if sufficient incentive is not given to software manufacturers to create products that do not expose their customers to such serious risks. It would like to see a timetable announced for introducing a Europe-wide measure of liability on manufacturers and importers of faulty software for the damage that avoidable defects cause.
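The "wholly avoidable mistakes" Engineering the Future refers to are, in the typical attachment exploit, a parser that trusts a length or offset field read from the file. The Python below is an added example, not code from the report or from Engineering the Future, showing what the avoidable check looks like: a parser for a constructed chunked format (4-byte big-endian length, 4-byte type, payload) that validates every declared length against the bytes actually present and against a size cap before using it. The format, the cap and the sample files are all made up for the illustration; a real PDF or JPEG parser has the same obligation at every length field.

```python
import struct

# Constructed format: each chunk is a 4-byte big-endian length, a 4-byte ASCII
# type, then that many payload bytes. Not a real PDF or JPEG structure.
HEADER = struct.Struct(">I4s")
MAX_CHUNK_BYTES = 1 << 20  # hypothetical cap on a single chunk's payload


class MalformedFile(ValueError):
    """Raised instead of acting on a length the file did not back up with data."""


def parse_chunks(data):
    """Return [(type, payload), ...] or raise MalformedFile.

    Every value read from the file is checked before it drives a slice, a copy
    or an allocation; a zero-length chunk still advances by the header size,
    so the loop always makes progress.
    """
    chunks = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise MalformedFile("truncated chunk header at offset %d" % offset)
        length, ctype = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if not ctype.isalpha():
            raise MalformedFile("non-alphabetic chunk type %r at offset %d" % (ctype, offset))
        if length > MAX_CHUNK_BYTES:
            raise MalformedFile("chunk %r declares %d bytes, above the %d byte cap"
                                % (ctype, length, MAX_CHUNK_BYTES))
        if length > len(data) - offset:
            raise MalformedFile("chunk %r declares %d bytes but only %d remain"
                                % (ctype, length, len(data) - offset))
        chunks.append((ctype.decode("ascii"), data[offset:offset + length]))
        offset += length
    return chunks


def check_file(data):
    """Wrap the parser for callers that want a verdict rather than an exception."""
    try:
        return True, parse_chunks(data)
    except MalformedFile as exc:
        return False, str(exc)


def build_chunk(ctype, payload):
    """Encode one well-formed chunk; used only to construct the samples below."""
    return HEADER.pack(len(payload), ctype) + payload


# Constructed samples.
GOOD_FILE = build_chunk(b"HEAD", b"v1") + build_chunk(b"DATA", b"hello")
# A header claiming about 4 GiB of payload with five bytes behind it: the
# shape of input that turns an unchecked length into an out-of-bounds read or
# a huge allocation in a native parser.
OVERSIZED = HEADER.pack(0xFFFFFFFF, b"DATA") + b"hello"
# A plausible length that simply runs past the end of the file.
TRUNCATED = GOOD_FILE[:-2]


if __name__ == "__main__":
    for name, sample in (("good", GOOD_FILE), ("oversized", OVERSIZED), ("truncated", TRUNCATED)):
        print(name, check_file(sample))
```

The two rejected samples fail for different reasons, and both checks are needed: the cap catches absurd lengths early, while the remaining-bytes check catches the subtler case where the length is small but the file ends first.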

109. Symantec however has raised doubts, from the point of view of anti-virus software providers, about the extent that software companies can be held responsible for security breaches. It says that since the company cannot control how effectively consumers install and use their products it cannot be liable for a security breach as the fault may lie in the use of the software rather than in its design.

110. It has said that software providers would only accept liability for their products if they could assume a level of control over the way in which they were being used. This, Symantec says, would involve companies using

    'privacy invasive technology to provide the ability to monitor and control the behaviour and actions of users for example to ensure that the software is being used for only the purpose for which it was supplied or sold.'

111. Symantec says that the legal, privacy and cost issues that this approach would give rise to are unlikely to make it an attractive option for users. It has also said that such an approach would stifle innovation and competition:

    An approach along these lines could not only impact the control users have on their PC's but could also stifle technological innovation and competition in the marketplace by promoting particular business models. A move towards more closed platforms or a situation where one dominant technology provider could dictate what can, or cannot, be installed on its system due to liability concerns may limit consumer choices to only sites or online content that are approved by PC providers based on a level of risk.[94]

112. We recommend that software for key infrastructure be provably secure, by using mathematical approaches to writing code.





73   Q 169

74   Q 168

75   Ofcom, the 2012 Telecommunications Market Report, p263-264

76   ComScore, Top 10 need to know about social networking and where it's headed, p4

77   Q 172

78   Q 171

79   ComScore, Top 10 need to knows about social networking and where it is headed, 2010-11, p20

80   Sophos, Four Data Threats in a post PC World, p12

81   Norton, 2012 Cyber Crime Report, p13, http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_FINAL_050912.pdf

82   Imperva, Hacker Intelligence Initiative, Monthly Trend Report #13, p7

83   Ibid.

84   Q 100

85   Ev 87, para 13

86   Q 177

87   Q 177

88   Ev 87, para 9

89   Sophos, Four Data Threats in a post PC World, p12

90   Sometimes referred to as "catfishing" after the 2010 film of that title

91   Laura Bates, 'Next generation of social media exposing girls to sexual abuse', The Independent Website, 13 February, 2013

92   http://www.guardian.co.uk/uk/2012/jun/11/louise-mensch-troll-sentenced-email

93   Ev 72

94   Ev 90

© Parliamentary copyright 2013
Prepared 30 July 2013