4 Can web service providers protect
Growth of e-crime on social networks
85. Over half of UK households now use social networking
sites. Facebook is the most popular social network in the UK with
two thirds of internet users having accounts on the site. Facebook
told us that it has 33 million UK users and approximately a billion
Twitter estimated that it had 10 million users in the UK, 200
Google+ had 2.5m.
Social networking has become the most popular online activity,
accounting for 19% of all time spent online worldwide.
The popularity of social networks and the vast amount of data
they store about individuals is making them a prime target for
86. During our inquiry we spoke to the providers
of the most popular web services in the UK: Facebook, Twitter
and Google. We asked them if there had been an increase in the
number of attacks on services. Facebook's Simon Milner, Director
of Public Policy, told us that there was "consistent evidence"
that people were hacking Facebook in the UK and the US.
Sinead McSweeney, Director of Public Policy EMEA, Twitter,
confirmed that there had been an increase in terms of "advanced,
persistent threats from sophisticated and well-resourced individuals
with expertise, with resources".
Drivers of e-crime on social
reported that social networks were an increasingly popular platform
for cyber criminals. It linked the rise in e-crime on social
media to the trend in mobile cyber crime as users increasingly
accessed social networks through mobile phones: 35% of UK mobile
phone users accessed social network sites through their phones
in 2010-11. Sophos
also reported that 50% of all smartphones were connected to Facebook
for 24 hours a day. As well as popularity, Sophos has identified
the implied trust between users of social networks as being a
key reason for being increasingly targeted by cyber criminals.
88. The Norton 2012 Cyber Crime Report, which surveyed
c.13,000 adults across 24 countries, identified the targeting
of social networks as one of two key trends in the development
of e-crime. The report found that:
- 4 / 10 social network users
had been a victim of e-crime on social networks;
- 1/6 social network users reported that someone
had hacked into their profile and impersonated them;
- 1/ 10 users had been victims of scams or fake
links on social networks.
- 19% of respondents had been notified that their
password for a social networking site had been compromised and
needed to be changed.
89. Imperva recently analysed the conversation threads
on one of the internet's largest hacker forums (it has a membership
of 250,000) and a number of smaller forums. It found that social
networks were of increasing interest to online hackers. Facebook
was the most popular platform discussed, featuring in 39% of conversations.
Twitter was a close second, being mentioned in 37% of conversations.
Other sites featured can be seen from the chart below. A common
request in these discussions was for assistance in hacking into
an individual's social network profile, either to spy on them
or for revenge.
Social networks popularity. Percentage of threads
with keyword September 2011-September 2012 
90. The Police Central
e-Crime Unit told us that it saw social networks being used for
general and bespoke phishing scams and together information with
which to blackmail users.
Types of e-crime carried out
on social networks
IDENTITY THEFT / PHISHING ON SOCIAL
91. Many types of scams on social networks involve
hijacking a user's account by luring them to a webpage with a
fake log-in for their account or malware that installs a keylogger
(a programme that records key strokes)on their computer. Upon
gaining control of the account, the scammer can then contact the
user's friends and attempt to scam them by impersonating the user
and pretending that they are in trouble and need some money.
They can also post messages and links that will compromise their
accounts in turn. Accounts may also be hijacked in personally
motivated attacks as a means of revenge or to spy on a user's
92. In evidence, RSA explained how users of social
media could be providing information unwittingly to criminals:
"attackers are increasingly gathering intelligence on their
targets, sometimes months in advance of an attack, using social
media and other means to understand which individuals possess
the assets they want, and crucially how to tailor, or "socially
engineer", their attacks to increase their likelihood of
success. Indeed cyber attackers prefer using social engineering
in this way because in so doing they are able to evade traditional
perimeter controls more easily."
THEFT OF PERSONAL INFORMATION
93. Scammers can steal personal information from
social networkers, especially those who do not use privacy settings
appropriately (see above) or develop other socially-engineered
attacks against the user or their friends. Weaknesses in the design
of social networks can help scammer's access personal information.
For example the account settings on networks such as Google+ are
automatically set to public. Sarah Hunter, Google's Head of Public
Policy in the UK, told us that the hijacking of Google accounts
was "a significant problem". She said that there was
some evidence that phishing emails, as in emails that have been
sent to people in an attempt to try to get their passwords out
of them, were "increasingly coming from accountsemails
from people they think they know. Of course, they are not from
people they know; they are from those accounts that have been
said it had spent "a lot of money and a lot of time trying
to prevent accounts from being hijacked in the first place. We
spend hundreds of millions of pounds in keeping our users' data
94. Google appears to have had some success in protecting
its users, Sarah Hunter confirmed that over the last two years
the number of Google accounts hijacked had decreased by 99.7%.
She told us that Google has developed technology that scans account
activity and identifies suspicious activity:
For example, if you have a Gmail account and
you signed in from London, and then an hour later signed in from
Australia, we would see that as a signal of suspicious activity,
and we would ask you a few questions, some security questions;
"Are you really you?" That is an amazingly effective
way to stop hijacking, and as a result we have significantly reduced
the number of hijacked accounts.
95. Facebook has no formal review process for 'apps'
developed by third parties that are accessible on its platform.
Many of these apps require users to give the developer access
to some of their personal account information. Cyber criminals
may use apps as another way of evading security checks and stealing
96. As RSA explained:
"cyber criminals are out to steal personal
information for financial gain. This information can range from
an individual's credit card details and web or corporate logins,
to an organisation's highly confidential plans or data. Indeed
the value of personal data to a cyber criminal is much higher
than a credit card or bank account number alone. For example,
the average selling price of a US credit card on the criminal
black market is around $1.50. But when that card is sold with
a full identity profile, the value can be up to ten times greater."
97. In a practice known as 'clickjacking' malicious
code can be hidden beneath legitimate buttons or other clickable
content on a website. The content is often given sensationalist
headlines to entice users to click on it. Previous examples include:
"Lady Gaga found dead in hotel room," and "Japanese
tsunami launches whale into building." Users believe they
are clicking on one thing, such as a video or article but are
actually clicking on an invisible button that releases a worm
into their computer.
ADVANCE FEE / ROMANCE SCAMS
98. Cyber criminals may use social network platforms
to persuade users to send an advance fee in order to receive a
prize or take part in a 'get rich quick' scheme. Scammers have
also persuaded users to part with money by developing an 'online
relationship' with individuals.
After a while they persuade their victim to send them money on
the basis that they are in trouble or want to visit the victim
in person but can't afford to do so. This type of fraud is prevalent
on dating websites.
TWITTER DIRECT MESSAGES (DMS)
99. One recent spate of attacks used Twitter Direct
Messages, to tell users that they are featured in a YouTube video.
Users who click on the link are greeted with what appears to be
a video player and a warning message that "An update to YouTube
player is needed" but the download is in fact a trojan which
will infect the user's computer.
CYBER BULLYING AND TWITTER TROLLS
100. Cyber bullying and Twitter Trolls are terms
that relate to cyber bullying on social media sites. This type
of bullying is particularly high amongst young people. Parents
have spoken out about their children being bombarded with vicious
or sexually explicit taunts from their peers and being pressured
to take part in sexual activities, sometimes of a violent nature.
There have been several high profile cases of celebrities and
public figures becoming victims of 'Twitter Trolls', users who
send malicious, offensive and threatening tweets to others. In
a recent court case Frank Zimmerman, who sent a message to Louise
Mensch threatening her children, was given a 26 week suspended
Trolls are not just an issue for Twitter however, Facebook recently
launched a campaign in Australia to encourage users to stand up
to online bullies. Bullying can and does occur on many other web
101. Online services should be 'secure by design'
e.g. new account settings should be set by default to private
with the user sharing information with friends or publicly only
if they actively choose to do so. Users should not be asked to
submit personal details that are known to be helpful to fraudsters.
For example, users should be discouraged from giving their date
102. We recommend that providers of web services
take users through a short explanation when they sign up for an
account about how to keep their data secure and how criminals
could use certain data against them. Users should not be asked
to provide such valuable personal data.
103. We are concerned that many users may not
grasp the full extent of the data they are sharing with private
companies. The interest in and opposition to plans to increase
data availability to the Government (e.g. witness the fate of
the proposed Data Communication Bill) makes us question whether
public are really relaxed about sharing so much data or if they
are simply unaware they are doing so.
104. We are deeply concerned that it is still
too easy for people to access inappropriate online content, particularly
indecent images of children, terrorism incitement and sites informing
people how to commit online crime. There is no excuse for complacency.
We urge those responsible to take stronger action to remove such
content. We reiterate our recommendation that the Government should
draw up a mandatory code of conduct with internet companies to
remove material which breaches acceptable behavioural standards.
105. We note those companies that donate to the
Internet Watch Foundation, and encourage them to increase their
contributions. Additionally, we recommend that the Government
should look at setting up a similar organisation focused on reporting
and removing online terrorist content.
106. We are concerned to note the Minister's assertion
that off the shelf hacking software is increasingly available
to untrained criminals and recommend the Government funds a law
enforcement team which is focused on disrupting supply.
Improving software standards
107. Engineering the Future has been outspoken about
the need to improve the design of new software to make it more
resilient against attack. It says that:
The capability of seemingly benign attachments,
such as pdf files or jpeg pictures to execute malicious code or
website attacks ... all result from wholly avoidable mistakes
by the developers of the faulty software.
the main source of risk is not, as widely claimed,
unsafe behaviour by computer users but, rather, the design flaws
and programming errors that make normal, reasonable behaviour
108. Engineering the Future says that improving public
awareness about online risks will be ineffective if sufficient
incentive is not given to software manufacturers to create products
that do not expose their customers to such serious risks. It would
like to see a timetable announced for introducing a Europe-wide
measure of liability on manufacturers and importers of faulty
software for the damage that avoidable defects cause.
109. Symantec however has raised doubts, from the
point of view of anti-virus software providers, about the extent
that software companies can be held responsible for security breaches.
It says that since the company cannot control how effectively
consumers install and use their products it cannot be liable for
a security breach as the fault may lie in the use of the software
rather than in its design.
110. It has said that software providers would only
accept liability for their products if they could assume a level
of control over the way in which they were being used. This, Symantec
says, would involve companies using
'privacy invasive technology to provide the ability
to monitor and control the behaviour and actions of users for
example to ensure that the software is being used for only the
purpose for which it was supplied or sold.'
111. Symantec says that the legal, privacy and cost
issues that this approach would give rise to is unlikely to make
it an attractive option for users. It has also said that such
an approach would stifle innovation and competition:
An approach along these lines could not only
impact the control users have on their PC's but could also stifle
technological innovation and competition in the marketplace by
promoting particular business models. A move towards more closed
platforms or a situation where one dominant technology provider
could dictate what can, or cannot, be installed on its system
due to liability concerns may limit consumer choices to only sites
or online content that are approved by PC providers based on
a level of risk.
112. We recommend that software for key infrastructure
be provably secure, by using mathematical approaches to writing
73 Q 169 Back
Q 168 Back
Ofcom, the 2012 Telecommunications Market Report, p263-264 Back
ComScore, Top 10 need to know about social networking and where
it's headed, p4 Back
Q 172 Back
Q 171 Back
ComScore, Top 10 need to knows about social networking and where
it is headed, 2010-11, p20 Back
Sophos, Four Data Threats in a post PC World, p12 Back
Norton, 2012 Cyber Crime Report, p13, http://now-static.norton.com/now/en/pu/images/Promotions/2012/cybercrimeReport/2012_Norton_Cybercrime_Report_Master_FINAL_050912.pdf Back
Imperva, Hacker Intelligence Initiative, Monthly Trend Report
#13, p7 Back
Q 100 Back
Ev 87, para 13 Back
Q 177 Back
Q 177 Back
Ev 87, para 9 Back
Sophos, Four Data Threats in a post PC World, p12 Back
Sometimes referred to as "catfishing" after the 2010
film of that title Back
Laura Bates, 'Next generation of social media exposing girls to
sexual abuse', The Independent Website, 13 February, 2013 Back
Ev 72 Back
Ev 90 Back