How to sell the Brooklyn Bridge in the 21st century

Twitter in particular has been hit by a number of financial scams in recent years. In January, the platform accidentally promoted a tweet that, at first glance, looked to come from a legitimate PayPal account and promised an end-of-the-year sweepstakes including the chance at a new car or iPhone. All one had to do was verify their account details. This was, in fact, a pretty basic phishing attempt that had simply slipped through Twitter’s ad screening process. Upon realizing the mistake, Twitter immediately shut down the offending account.

Last year, a British man, frustrated by the time it took to set up a Barclays bank account, vented his frustrations on Twitter — as you do. He also posted a screencap of an email the bank had sent him, which included a number of personal details. Scammers leveraged that data to send the man a followup email, which he assumed was from the bank, and then siphoned off the £8,000 he’d originally intended to move between accounts.

“They targeted me because they are monitoring the big banks’ customer support Twitter channels where they can get enough information on name, location, and photo to then be able to track down further information,” the man told BBC News in 2018. The lesson here: never tweet angry.

It’s not always about the money. In 2009 and again in 2014, Twitter was ravaged by self-propagating worms. They used JavaScript commands embedded in the messages themselves to force any account viewing them through TweetDeck to automatically retweet the message. In 2014, a cross-site scripting (XSS) attack launched by the user @derGeruhn spread through more than 87,000 accounts before it was halted. Luckily, there didn’t seem to be any malicious intent behind the stunt beyond playing with a TweetDeck security bug, the result of a coding error that prevented the program from filtering JavaScript commands out of message bodies. The vulnerability has since been patched.
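As an added illustration, not TweetDeck’s code (which was never published; the tweet fields, function names and the sample body are assumptions), the difference between dropping a message body into markup unescaped and escaping it first, with a crude check that a test suite could run over the rendered output:

```javascript
// Added illustration (not TweetDeck's code): two ways of rendering a message
// body into HTML, plus a rough detector a test could apply to the result.

// Escape the five characters that matter when untrusted text lands in HTML
// content or inside a double-quoted attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// The shape of the bug described above: the body is trusted as-is, so any
// markup it carries becomes part of the page.
function renderUnsafe(tweet) {
  return `<div class="tweet"><b>${tweet.user}</b> ${tweet.body}</div>`;
}

// Hardened renderer: every untrusted field is escaped before insertion, so
// markup in a message is displayed as text rather than interpreted.
function renderSafe(tweet) {
  return `<div class="tweet"><b>${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.body)}</div>`;
}

// Rough detector for script-capable markup in rendered output. Suitable as a
// test assertion, not as a production filter (deny-lists are bypassable,
// which is exactly why escaping on output is the right fix).
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample message (hypothetical user and body) carrying a script tag.
const SAMPLE_TWEET = { user: "someone", body: "hi <script>doSomething()</script>" };

console.log("unsafe:", renderUnsafe(SAMPLE_TWEET));
console.log("safe:  ", renderSafe(SAMPLE_TWEET));
```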

“The filter bypass in this case was a little tricky,” Jeremiah Grossman, former CEO of WhiteHat Security, told Ars Technica in June. “Cross site scripting is a cockroach. It’s all but impossible to exterminate completely. No matter how hard you try and how much you invest, you’re going to make mistakes.”

Even seemingly innocuous tweets asking for your favorite films or pictures of your dog, like the one below, can be dangerous since they often reveal information used in account security challenges.

Show me your pets, tell me their names then retweet. Go:

— David Leavitt (@David_Leavitt) September 6, 2019

“Yeah, that’s called grooming,” said Cynthia Hetherington, a Certified Fraud Examiner and President of the Hetherington Group, a corporate intelligence and cyber investigation consulting firm. “Common intelligence practice. It’s just getting used now by the mainstream. It’s a way of eliciting information from people in order to gain vital reach into perhaps their passwords, user ID or personal identifying information.”

It’s wildly unlikely that Twitter-verified, award-winning multimedia journalist David Leavitt is a scam artist, but the entire world can see these response tweets. Anyone can use that information to build a dossier on a person, like the Barclays guy we discussed earlier. Thus there is only one proper answer when participating in these Twitter memes. Lie through your teeth, like so:

Denis Leary

DarkSydePhil

“Big Pussy” Bonpiensaro https://t.co/K4JwfjAa44

— post breakup phone call with uncle (@ByYourLogic) October 3, 2019

Even Twitter co-founder and CEO Jack Dorsey isn’t immune to fraud on his company’s platform. Just this past August, his account was briefly hijacked using a technique known as SIM swapping. The attackers leveraged a widely forgotten application dubbed Cloudhopper that Twitter bought in 2010. Cloudhopper allows users to sign in to their accounts and tweet using SMS. With a bit of fancy codework the attackers were able to spoof Dorsey’s number and gain access to his account.

That most recent intrusion appears to have been the final straw for the company, because the following month Twitter announced a set of revised rules on user conduct with respect to financial fraud.

We’re always updating our rules based on how online behaviors change. Today we’re expanding our policies to prohibit financial scams.

Read more: https://t.co/ihBxbTGKk5

— Twitter Safety (@TwitterSafety) September 23, 2019

“We want Twitter to be a place where people can make human connections and find reliable information,” the new policy reads. “For this reason, you may not use Twitter’s services to deceive others into sending you money or personal financial information via scam tactics, phishing, or otherwise fraudulent or deceptive methods.”

Specifically, Twitter is cracking down on four forms of fraud:

Relationship/trust-building scams: “You may not deceive others into sending you money or personal financial information by operating a fake account or by posing as a public figure or an organization,” states the amended policy. This means that the recent spate of cryptocurrency scams that have infested the site, wherein hucksters manipulate the avatar and handle of their account to mimic that of a well-known cryptocurrency personality and use that likeness to hawk fraudulent Bitcoin, is now a bannable offense.

Money-flipping schemes: “You may not engage in ‘money flipping’ schemes (for example, guaranteeing to send someone a large amount of money in return for a smaller initial payment via wire transfer or prepaid debit card),” the new policy declares. This is what is colloquially known as a Prince of Nigeria scam — you send in a small “deposit” in exchange for a larger windfall — as in this 2016 tweet below.

pic.twitter.com/AH3PZGIJqg

— money flip (@moneyflip3) August 9, 2016

Fraudulent discounts: “You may not operate schemes which make discount offers to others wherein fulfillment of the offers is paid for using stolen credit cards and/or stolen financial credentials,” reads the policy.

Phishing scams: “You may not pose as or imply affiliation with banks or other financial institutions to acquire others’ personal financial information. Keep in mind that other forms of phishing to obtain such information are also in violation of our platform manipulation and spam policy,” the new policy states. So whether you’re impersonating someone to spread spam or using their identity to install ransomware, that’s still a phishing violation of Twitter’s TOS.

While these policy changes cover most of the bases in terms of online fraud, there are other scams that users should also be aware of, argues Hetherington.

“One of the real trending and troublesome spots is ad fraud, which is being propagated by social media platforms,” she explained to Engadget. She notes that there are plenty of reputable businesses advertising their wares on social media, but “for every good, legitimate company, there’s probably four fraudulent retailers out there who are offering an insubstantial version of a product or just flat out creating fraudulent schemes.” Once the jig is up for one scam account and it gets shut down, the user behind it simply starts another and gets back to work.

These scams can be run by individuals, criminal rings, even state actors. Hetherington recounts a recent case in which she was called to testify, involving the “world’s largest social media center” [ed note: we can’t disclose the identity of the business because litigation is ongoing]. “I want to be clear that the platform itself wasn’t doing the abuse, but somebody was abusing the platform, through an organized crime group, to play the [ad buying] system,” she noted.

It goes like this, Hetherington explained. “You could be Andrew Tarantola on Facebook, and your Facebook profile [could be] very clear, present, and obvious but you don’t realize… there’s an entire ad space behind your very legitimate profile.”

In this scheme, someone would approach me and offer anywhere from $50 to $50,000 to utilize my ad space. If I accept, that person would then use that space to market illegitimate products, all while paying Facebook’s standard ad fees so as not to raise any red flags or draw unwanted attention, much like illegal cannabis operations that are always on time with their power and water bills. This particular case has grown into a multibillion-dollar lawsuit and, again, is still ongoing because the perpetrator fled the country.

Additionally, Hetherington warns against getting caught up in “anything reputation minded.” If someone contacts you threatening to release damaging information on you they found on, say, the dark web, “it’s an extortion scam,” she said.

Unfortunately, online financial fraud likely won’t ever fully go away. As with invasive species, fully eradicating fraud is likely a pipe dream. But there is much that platforms can do to mitigate the negative impact.

Facebook, for example, is investing heavily in AI to help it monitor posts for violent and illegal content. For its part, Twitter does still largely rely on users to flag content violations, but the company also maintains an active fraud department. Users have their own duty as well.

“We have a responsibility to be vigilant in our use of these products and services,” Hetherington explained. “If I joined Facebook, Instagram, LinkedIn, or any service, it’s my responsibility to know this very powerful tool that I’m bringing into my life, because I’m putting it on my cell phone, I’m incorporating it into my computers, and I’m bringing it into my household.”
