Read an Excerpt

Web of Deceit

Misinformation and Manipulation in the Age of Social Media

Information Today, Inc.

Social Media and Intentional Misinformation

Meg Smith

In October 2006, a whirlwind online romance came to a crashing halt. Four weeks after a stranger named Josh Evans wooed 13-year-old Megan Meier on Myspace with heartfelt messages and flirtatious compliments, he turned on her, saying that he didn't want to be her friend anymore. According to prosecutors, he said that "the world would be a better place without [her] in it." In despair and embarrassed that other online friends seemed to know about Josh's rejection instantly, Megan committed suicide in her bedroom with her parents just a few steps away inside the house. A police investigation revealed that Josh Evans actually did not exist: He was the creation of an adult neighbor, Lori Drew, who used "him" to spy on Megan after she stopped being friends with Drew's daughter. But the stunt quickly devolved from spying to something even more malicious: Drew gave three teenage girls access to the secret profile, and they used it to insult and reject Megan through the imaginary avatar better known as Josh Evans. Drew was prosecuted in what the New York Times called the country's first cyberbullying trial. Though Drew was found guilty of fraud in the emotionally charged trial, she was cleared on appeal. The appeals court found that violating Myspace's terms of use did not meet the legal definition of fraud.

Though Drew was ultimately cleared, the unprecedented trial left parents, school officials, prosecutors, and the media with the same disturbing thought: Deception on social networking sites is so easy, even a parent can do it.

As with art forgers and currency counterfeiters, the scammers who operate on social networking sites try to create messages that convince viewers they are looking at something authentic and trustworthy. But on social networking sites, where hundreds of millions of users create billions of pages of content by posting their own photos and messages, there are few monitors or regulators watching for fakes. Users have to be the curators of their own friends and make informed judgments about which messages to reply to and which links to click on. Those who fail to spot a phony profile or message can suffer consequences ranging from embarrassment to identity theft. But in the most extreme cases, such as what happened to Megan, when a victim's involvement with a deceiver crosses over into the real world, the consequences can be fatal.

Social Behavior

In the art world, the best way to spot a forgery is to know as much as possible about the original. Similarly, one of the best defenses against online deception is to understand how each of the most popular social networking sites in the U.S. is supposed to be used.

Social networking sites are essentially designed to digitally re-create users' social networks in real life; they bring together a user's friends, family, colleagues, neighbors, and schoolmates and give them a forum to communicate. As social media moved from being a hobby for the technologically adept to a popular pastime for the average internet user, it gained appeal in the commercial sector. Now, social networks also frequently encourage users to share their favorite products, news outlets, celebrities, and politicians.

For more than a decade, the rapid adoption of web-based applications has blurred the line between the internet and the real world. Now, the real world is online, too. Offline, our social networks are more than just the people we love and trust. Beyond their inner layers are people with whom we don't socialize: the strangers who cross our paths every day and who are also online. While most of them are using social media legitimately, some are eager to take advantage of unwitting victims.

Online scammers need their victims to trust them just long enough to fall for a scheme: They offer victims a link to click, a phony message to forward to associates, or a convincing sob story so victims wire the scammer money. Other scams are based on outright fraud. Just as email spammers have always tried to give their solicitations a sense of credibility by crafting return addresses and subject lines that appear to be from someone the victim knows, social media predators also camouflage themselves, sometimes going as far as to hijack the accounts of real people to target their friends list.

In a chilling demonstration of how often this can happen, MIT's Technology Review reported in May 2010 that hijacked Twitter accounts were for ssale on Russian hacker forums in lots of 1,000. The price varied from $100 to $200 per lot, based on how many followers the account had when it was hijacked; more followers ideally meant more people who could be tricked into thinking a scammer's message was actually coming from someone they knew. That same month, internet security researchers at VeriSign reported that a criminal broker attempted to sell 1.5 million hijacked Facebook accounts in February, offering them in lots of 1,000 with a similar sliding price scale based on the number of friends. If thousands of accounts change hands in transactions such as these two, it's hard to imagine how many hijacked accounts there are overall.

This chapter describes some of the most common forms of deception on Facebook, Myspace, and Twitter, three of the most popular social media sites in the U.S., and explains how to apply the lessons learned to other sites across the social web.

Facebook

Facebook is the second most popular website in the world, behind only Google in the number of unique visitors it receives. Facebook has more than 750 million users, who spend an average of about 30 minutes per day on the site. This means if Facebook were a country, it would be the third largest in the world behind China and India.

It is almost impossible to overestimate Facebook's reach and impact on internet users today. Google's advertising division, Ad Planner, estimates that 35 percent of web users visit Facebook each month. Corporations hire firms to monitor comments on the site for signs of customer unrest and fiercely guard their brand names for signs of infringement or misuse on fan pages. When consumers are happy, the groundswell of support that Facebook brings to an organization is nearly priceless. Saturday Night Live was rewarded with its fourth-highest viewership in 23 years when it acquiesced to a Facebook-driven campaign to have Betty White host an episode. It was the only time that year the NBC comedy show attracted as many 18- to 29-year-old viewers as a typical episode of American Idol.

Negative attention can be equally devastating when consumers turn against a product and use Facebook to announce their concerns. Proctor & Gamble Co. rushed to address a 10,000-member group called "Pampers bring back the OLD CRUISERS/SWADDLERS," which alleged that the company's new "Dry Max" diaper material was causing unusual diaper rashes for babies. The Facebook group drew the attention of the media and thousands of parents before the Consumer Product Safety Commission was able to verify that there was no connection between the product and the rashes.

When Facebook itself makes a change users don't like or understand, the consequences are even greater. In December 2009 and May 2010, Facebook changed its privacy settings so more of a user's information would be displayed by default, and some information would be permanently displayed for the first time. The uproar that followed had as much to do with Facebook's enormous userbase as with the changes themselves. Facebook had relaxed many privacy settings in the past, but none received as much attention in the media as these. Previous changes included the 2006 introduction of the News Feed, which reports on every action taken by a user's friends; a brief and much-despised partnership in 2007 with a service that broadcast what users bought online to their friends list; and the historic decision that year to allow profiles to be indexed by Google and other search engines. Though those changes were arguably more significant and made Facebook into what it is today, changes going forward will affect hundreds of millions more members. Many of Facebook's newest users are former social-media holdouts who avoided earlier services such as Myspace, Friendster, and Orkut and are experiencing the tension between privacy and interactivity that comes with cultivating an identity online for the first time.

All of Facebook's privacy changes are remarkable, given how cloistered users were when the service began. Mark Zuckerberg created Facebook in 2004 as a dynamic yearbook for his fellow Harvard students. A month later, he opened Facebook to students from three other Ivy League schools. By the following year, students from 800 universities were permitted to sign up with their branded ".edu" email addresses. Facebook organized these users into silos, allowing them to view all the profiles of users within their own college's network but not view users in other networks. In 2006, workplaces that supported their own branded email addresses were given networks on Facebook's site, allowing employees from more than 1,000 companies to join the service. Though the service was becoming more popular among these self-contained groups, the general public still had no way to join. The guiding ethic of Facebook's early years — you had to belong to a corporate or educational network in order to join — permeated the rest of the site as well. Instead of choosing a username, members had to use their real full names at signup. The network they were assigned to immediately revealed their school affiliation or employer to other users. Though Facebook could not verify other details users added to their profiles, the use of real names and clustering people together from the same school or employer had the effect of encouraging early users to behave online as they do in the real world: to be themselves. The very fact that members belonged to an institution of higher learning or worked for an employer that had issued them email addresses meant that users constituted an upscale demographic. Especially in the 2000s, branded email networks were usually backed by an expensive computer infrastructure, and users were often technologically more adept than the general population. Therefore, Facebook was a service that appealed to savvy internet users and socially integrated individuals. The real opportunities for mischief didn't begin until the end of 2006, when Facebook opened its doors to everyone else.

Impersonation Scams on Facebook

Social networks on Facebook are identity-based. Because people are using their real names and are organized into affiliation networks, they tend to know many of the people on their friends list in real life. So a hijacked account is valuable to thieves because trust between users has already been established, which makes a scam that much easier to carry out.

Computer worms are malicious programs that replicate and spread through a network once they have infected a host computer. On Facebook, the worm spreads through a user's social network. The highly effective Koobface worm, which first appeared in 2008, has never been completely eradicated. It takes the form of a message in a user's inbox from someone in his network who has already been infected. The message asks whether the user has seen himself in a new online video; the Trojan friend then appears to be offering a link of the video to the user. If the user clicks on the link, he will be diverted from Facebook.com to a website that will install malware on his computer. Once unleashed, Koobface changes the victim's Facebook password and sends the message to everyone on his friends list. It scans the computer for credit card information and searches saved cookies for passwords to other social networking sites such as Twitter and Myspace. It then sends the Trojan message to friends on those sites, too. Facebook worms that followed Koobface have tended to masquerade as videos embedded on profile walls or in messages. (For more information on Koobface, see Chapter 4.)

Genuine videos that are embedded in a message or on a wall will play directly from the Facebook page once clicked. If they are legitimate, these videos will not take you to an outside website. Watchful users will often notice details that reveal fraudulent links before they've even clicked on them. One is the tone: Often written with grammatical errors or crafted to read like a text message from a teenager, the message will often not match the personality of the friend who allegedly sent the message. The other is the subject matter: If the video seems to be in poor taste, or if the person offering the video is not known to make videos, it's best to call or email the friend and make sure the message is real. As described earlier in the chapter, these hijacked accounts have monetary value to hackers, who can then use them to unleash new worms in the future.

Since 2009, a growing number of scams involve guessing an individual's password and making personal, one-on-one appeals to friends to send money, claiming the hacked user was robbed or detained while visiting a foreign country. Because so many people use the same password for accounts all over the web, scammers often find victims by hacking less-sophisticated websites, stealing email addresses and passwords from the weaker sites, and then testing to see if the credentials work on Facebook as well. The scheme requires a sizable time investment to deduce the passwords, learn details about the victims' families that can be used to make the appeal for money more convincing, and use the chat feature in Facebook to persuade friends to send money. It works often enough to be worth the effort. The Associated Press reported that a woman in Missouri wired $4,000 to London after someone posing as an immigration official called her and said a Facebook friend of hers had been detained after losing her passport. For cases like this, attempting to reach the friend through other means before sending the money would defeat the scam. To protect Facebook accounts from being hijacked by scammers, internet security experts recommend using a different password for each of your web-based accounts. At the very least, create unique passwords for Facebook and email, which are currently the main targets of similar scams.

And then there is a type of scam that goes beyond a victim's login credentials and money to cause physical and psychological harm: blackmail and sexual coercion. Remarkably, examples of blackmail have increased in recent years, tied to the rise in "sexting" among young people, and the predators are sometimes barely older than their victims. While Facebook accounts for some of the examples because it makes the victims easy to track down and threaten in real life, several major social networking services have been the settings for blackmail.

In late 2009, a 19-year-old Wisconsin man pled guilty to sexual assault after he posed as a teenage girl on Facebook and tricked 31 teenage boys into sending him nude photos of themselves. He then threatened to send the photos to everyone in the boys' high school networks on Facebook if they did not agree to meet with him and perform sexual acts. Half of them met his demands, and their sexual assaults became the basis of his arrest and prosecution. In Ottawa the next year, an 18-year-old man whom the media dubbed the "Webcam Puppeteer" blackmailed 22 adult women and girls as young as 14 years old into undressing in front of their webcams at home while men paid to watch them over the internet. He had convinced them to send him nude photos of themselves in exchange for thousands of dollars, but instead of paying them, he threatened to send the photos to relatives and coworkers on their friends lists if they did not perform more acts under his command. In his confession, the man told police that one of his victims said she wanted to kill herself as she followed his orders over her webcam. Others cried throughout their remote-controlled sexual assaults.

Social Games on Facebook

Facebook users spend more than 700 billion minutes per month on the site, and a large amount of that time is spent using Facebook applications. The support invested in these apps behind the scenes is as enormous as the userbase: One million developers have built more than 500,000 applications. Just as users are expected to adhere to Facebook's terms of use, developers have policies they must adhere to as well. However, both are only as good as their enforcement, and it takes sharp-eyed industry experts to notice when the rules are not strong enough to protect users from deception.

In fall 2009, TechCrunch editor Michael Arrington published a series of articles exploring the "dark side" of social network game developers, including Zynga, maker of the wildly popular Farmville,Mafia Wars, and Texas Hold Em' Poker applications. More than 100 million Facebook users play Zynga's games, which are free to access and play through Facebook, but they require in-game virtual credits in order to progress to more advanced levels. Users have the option to buy in-game credits with a credit card, or they can sign up for trial offers of products and services to earn credits. Arrington demonstrated that many of the trials are actually opt-out programs that result in users receiving unwanted merchandise. Users then have to return this merchandize while reversing large charges or tracking down the service provider months later to stop a recurring charge from being added to cell phone and credit card bills. After Arrington's exposé attracted the attention of class action lawyers and the media, Myspace announced a change in its developer agreement that prohibited optout structured offers. Facebook announced 6 months later that it had entered into a 5-year agreement to keep Zynga's games on its site and stated that it had plans to roll out its own virtual-credit-granting service called Facebook Credits.

---

Excerpted from Web of Deceit by Anne P. Mintz. Copyright © 2012 Anne P. Mintz. Excerpted by permission of Information Today, Inc..
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---