Using a throwaway account to keep things private
Last year I was "sex-torted" on Facebook but not by a ring of French criminals. Instead, it was by someone I had chatted with on the internet years ago (while we were both still teenagers).
She had recently gotten divorced and contacted me after many years away. We spoke about intimate things (I never shared intimate images, though she did) and were getting closer and closer to each other.
She eventually asked me for money to cover an expense for her daughter, but I didn't send it fearing I was being scammed. In exchange, she took screengrabs of the most intimate parts of our conversations and shared them to all of my professional contacts via LinkedIn as well as friends, colleagues and family on Facebook.
The experience haunts me to this day. I discussed consensual kinky stuff with her and she used this to paint me as a freak and deviant. The only people who understood it were those who had been in a similar situation or those who were in the "lifestyle" as well. Strangely, most of the support I received after the fact was from women who have been similarly extorted. Men in my entourage just whispered and snickered.
To this day, I still feel shame in certain circles because of what is unsaid. The police have done absolutely nothing even in the face of evidence (reports filed with local police and FBI) but it's simply not a priority. Facebook won't even pull the posts because no intimate images were actually shared and it doesn't technically violate their "guidelines".
Net result: I've deleted my social profiles. Every last one of them (and feel better as a result). However, the damage is done and I'm totally still feeling PTSD as a result of the ordeal.
I consider myself very tech savvy (engineer, infosec background, on the internet since the early 90's) and able to smell a scam. However, it's really really easy to fall victim to something like this. Be careful.
I've managed to limit his internet usage to an iPad and a chromebook - but as mentioned above that does little good. He is extremely proud and talking to him is useless. A good chunk of these events come while browsing porn, which he refuses to admit. I feel hopeless and am in the process of separating any financial connections with my mother for fear I'll become a victim. My mother has been saving cash for years to insulate herself (my dad also refuses to write a will - but that's another problem entirely).
I know a major event is coming soon. While I'm fairly certain his porn usage is tame, all it would take is a fake $THAT_ACTRESS_WAS_ACTUALLY_17_WE_WILL_REPORT_TO_FBI email and he could probably be extorted for everything he has. I don't know what to do honestly. This is a real threat to millions of Americans and it seems there is no solution.
1. I got told many years ago, that when you get those crazily bad emails, where it claims to be from some official source, but there are spelling mistakes, the return email address is obviously wrong, grammar is terrible, etc. the sort where it is so completely obvious it is a scam - often this is done on purpose, they aren't interested in the >99% of people who can spot a scam, they are interested in the <1% who can't spot it is obviously a problem. Basically they cast a wide net, but when they haul it in, only the whales are found within. At that point, they can use a large amount of resource, per victim, as they know they have a reasonable chance of success.
2. Separately to the above, a reasonable amount of men (perhaps women too? I don't know, I feel like it is more men) will happily look at girls, whether this is in a Playboy Magazine in the 50's, looking at girls as they enter a bar in the 90's or whether it is flicking through images of a girl on Facebook/Instagram in the 21st century. Some of these men actually know it is a scam, but don't really care, at the end of the day it's a picture of an attractive girl/woman, so they look through. Maybe they even add that profile as a friend, as they don't mind having the pictures appearing naturally in their news feed. I don't know whether many (any?) of this group of people end up getting scammed. Perhaps somehow over time, they get convinced the account isn't fake, or perhaps they still think it is fake but agree to go onto a video chat and then are convinced on there, or perhaps they are trying to catch the scammer out, but end up being caught out themselves.
I think the saddest part of this is that they prey on people. Many of the peeps here on HN can look at a profile and say "spam," so it's hard to imagine the people who can't. The 1% return from SPAM that click on those links, or put in their credit card details.
There was a ReplyAll podcast episode where one of the reporters actually tracks down a shop in India; even goes there and talks to people who've worked at "tech support" places which charge $400 to remove fake viruses they've implanted.
I think this is even more insidious because they're preying on people who may be extremely lonely or desperate. When you really think about that, it's really sad. It's either psychopathic or they justify it to themselves in some horrible way like, "These people are losers anyway," or "If we say the girls are underage, then we're only going after sexual predators." .. The same crazy logic used by the Ashley Madison leakers.
I find it unbelievable that Facebook doesn't have the fake profile situation under control. Facebook builds an incredibly detailed social graph of every user (and non-user) with a big trail of activity, on and off Facebook.
Surely there are signs; surely there are common characteristics, and if this journalist can write such a detailed exposé with only public data, Facebook can do much better.
"One of them said that she made 10,000 euros ($14,800 CDN) in a single month by “sharing links on Facebook.” She also claimed that the network was based in France, Spain and Italy. Both women abruptly ended all communication with us after initially agreeing to an interview."
I'd rather suspect those are false confessions and more an attempt to attract new members in this scheme network who hope to make huge amounts of money.
Worth reading despite many from HN likely knowing this existed already.
What I find interesting is that to me and I assumed a lot of people, fake profiles are very obvious and as such I assumed there were, relatively, easy techniques to deal with them.
After working on some Twitter marketing campaigns over the years and witnessing the swarming bot networks do their thing I have concluded that they are not dealt with wholeheartedly on purpose.
Lately I have been getting contacted by random 'women' on gtalk who 'just want to be friends'. I usually just block them but last week I decided to play along.
Long story short: they wanted me to cam with them and to see my picture. I sent them a link to a non-existent page on my domain and logged their IP. I confronted them with their IP and the fact that they were in Nigeria and not South Carolina. The account was immediately deleted.
I deleted my Facebook app since half of the posts in my feed were fake anyway. Facebook disguises ads as friends' shares and likes, even when it is obvious that a particular friend would never like a corporate page. They even pushed the bad taste by making my deceased father (whose account we didn't think to delete) like things after he passed. So if you add fake profiles to that...
As a note, I hadn't received an email from Facebook since pretty much I registered many years ago. Since I deleted the app a few weeks ago, Facebook started spamming my email with notifications. And they use this trick that is really a new low, they create a thousand different kinds of mailing list so that every time you unsubscribe from one, you still receive new spam because it's "another" mailing list.
This is why Facebook's new Non Consensual Image Program seems like a really bad idea.
The technical implementation is fine, seems reasonable, only concern is that a human has to screen every image.
The real problem is that internet users have learned "Anything you upload to the internet is as good as public." Facebook is trying to teach people a new precedent: "Images uploaded to facebook in the right way will REMOVE images from the public".
People are going to fail to read the fine print, and thousands will be phished for nudes through facebook with similar schemes.
The 2010 documentary Catfish, and subsequent MTV series, offers an interesting look behind the curtain at the type of people who create fake Facebook profiles. It covers a wide variety of reasons for creating them spanning from people who suffer from low self-esteem and confidence issues to not being able to reveal that they are homosexual out of fear of their friends and family finding out, just out of pure malice or even in one case creating a fake account story to get the show to pay for flights so they could finally meet face to face. It's crazy some of the lengths people go to keep up the charade and how much evidence certain people will ignore to keep the idea that the person is real alive.
All of the problems with fake profiles are fixable if we just use the social graph. It drives me nuts that this is a problem. I have a solution, which I'll share here. I'm sharing it because I hope SOMEONE can build this or share it with someone at a high level at FB or Twitter.
I have a mortgage in Silicon Valley and a young child, so I'm not in a position to take the time and risk to do this. But I really desperately want to see it in the world.
All we have to do is use the social graph to verify each other, and follow 'verified' edges to determine trust in a third party. People can just tell fb or twitter 'yes i know this account', and that's all we really need.
If I can't follow any 'yes i know this person edges' to a remote account, don't let me interact with that account. Shadowban them. It's THAT simple. This technique stops bots and it stops trolling by fake remote accounts.
If someone claims "i know all these fake accounts", then we ban that person, for creating all the fake accounts. Fake accounts are easily identified after the fact; when no real person pays any price, they'll keep getting created.
Yes it has the downside of temporarily slowing adoption. That's the main reason I imagine Twitter and FB haven't done this. They think us being harassed is less important than onboarding new people.
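A sketch of the vouch-graph scheme proposed in the comment above, as an added example that is not from the thread or from any platform's code: the `VouchGraph` class, the account names and the `ban_threshold` value are all assumptions made for illustration.

```python
from collections import deque


class VouchGraph:
    """Directed 'yes, I know this account' edges plus moderation state."""

    def __init__(self, ban_threshold=2):
        self.vouches = {}            # voucher -> set of accounts vouched for
        self.confirmed_fake = set()  # accounts moderators confirmed as fake
        self.banned = set()          # confirmed fakes plus penalised vouchers
        self.ban_threshold = ban_threshold  # assumed value, not from the post

    def vouch(self, voucher, subject):
        self.vouches.setdefault(voucher, set()).add(subject)
        self.vouches.setdefault(subject, set())

    def can_interact(self, viewer, target):
        """True if a chain of vouches leads from viewer to target."""
        if viewer in self.banned or target in self.banned:
            return False
        seen, queue = {viewer}, deque([viewer])
        while queue:
            node = queue.popleft()
            if node == target:
                return True
            for nxt in self.vouches.get(node, ()):
                # Banned accounts cannot relay trust either.
                if nxt not in seen and nxt not in self.banned:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def confirm_fake(self, account):
        """Ban a confirmed fake, then ban anyone who vouched for too many."""
        self.confirmed_fake.add(account)
        self.banned.add(account)
        newly_banned = []
        for voucher, subjects in self.vouches.items():
            if voucher in self.banned:
                continue
            if len(subjects & self.confirmed_fake) >= self.ban_threshold:
                self.banned.add(voucher)
                newly_banned.append(voucher)
        return sorted(newly_banned)


def build_sample():
    """Constructed sample graph: three real users, one voucher of two bots."""
    g = VouchGraph(ban_threshold=2)
    for a, b in [("alice", "bob"), ("bob", "carol"), ("carol", "mallory"),
                 ("mallory", "bot1"), ("mallory", "bot2")]:
        g.vouch(a, b)
    return g
```

In the sample graph a single vouch from a real user (`carol` to `mallory`) makes both bots reachable from `alice` until they are confirmed fake, which is why the voucher penalty carries most of the weight in this design.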
Facebook recently started sending me notifications that somebody unknown was trying to log into my account, that they'd temporarily blocked it, and later re-enabled it. The emails actually come from Facebook, the problem is that the email address they're contacting me on is one I've never used for Facebook. The email contains a link to log into Facebook to "fix" the situation, but I obviously can't log in. The other link in the email is to unsubscribe from their notifications, but not from Facebook. There is absolutely no way for me to say "yes, this is my email address, and no, it should not be tied to Facebook in any way". There is also no way for me to check what Facebook account is supposedly attached to this email. This feels incredibly underhanded, it's either "join Facebook, or risk having somebody steal an account you never created". So back to the point of the article, Facebook is at the very least passively encouraging this fake profile stuff, and the cynic in me thinks it might not be that passive...
I find it amusing and sad at the same time when I get targeted with these sorts of things. Amusing because they seem so obviously 'honey traps' of one form or another, and sad because I'm sure there are many people that fall for them (this article just confirms that suspicion).
I had hoped they would have done a bit of work to track the money flow in these scams. Clearly there is an opportunity here to disrupt that cash flow since most use electronic payment providers with at least some level of tracking. I want the electronic equivalent of 'marked bills' which have mandatory reporting requirements at all financial institutions that process them.
Two stories that I remember about this:
1. Sextortion scam for personal gain
Back in 2002 I was using MSN Messenger as a teenager, being like 17yo and full of testosterone, I accepted any girl wanting to share intimate details with me. There was one local girl, chatting with me for 2 years, but always had excuses for not opening her cam. I was sharing intimate details while being on cam, but finally stopped, as she never wanted to meet me, despite living 20km away. She always had excuses. Two years later, I was dipping again into script kiddie stuff and trying out some trojan generators, combining it with an exe cryptor to make it undetectable for the early anti-virus tools. I contacted that girl again, and told her I had some new videos of my holidays. Sent it to her (holiday-in-france.avi.exe) and two mins later I was on "her" PC. Turns out it's a local guy, 5 years older than me, having like 100 folders named after local boys, where he kept videos, screen grabs and photos neatly organized. Most of them underage. Fortunately I found a word document with his resume, even with a photo of him. I reported that guy to the feds the same day.
2. Sextortion with the wrong guy
Years later I migrated to an Asian country. I now speak the local language and have a second Facebook and Skype profile that I only use for local contacts here, that I barely know and who are not family, friends or business contacts.
Every now and then some fake Russian/Eastern European girls try to add me on Skype or Facebook randomly. This time those girls are real, they even start a real webcam conversation.
But this time I'm prepared, being interested in infosec and online since the early 90s and prepared because I was scammed before (see story 1.).
Those girls quickly start skype video calls, where they try to scam guys. Me, knowing this scam for years, had a laugh and continued the video chat, also sharing intimate details with them, and who says no to watch a beautiful girl undress herself and sharing her sexual preferences?
After usually 20-30 minutes of showing off on the camera, asking my sexual preferences and begging to add me on Facebook, they will change the tone of the conversation and try to blackmail me. Since I knew the scam, I was laughing and telling them, that my whole online presence is fake and all the profiles they have from me are filled with fake friends. They swore at me and immediately blocked me on Skype and Facebook.
Happened several times.
I'm glad others are digging into this. It's a fairly common problem. I had to deal with my deceased friend's account being hijacked by a 'bait' account a few months ago. Facebook seemed fairly indifferent to the issue.
Wrote about the process here: https://medium.com/@vonkunesnewton/facebook-parasite-the-sec...
The article explores sextortion, but doesn't ponder too deeply what's going on with the sharing of images of disabled people etc. Perhaps people who respond sympathetically are also easy marks for sob story and pleading for money?
One of the worst things about it is that they seemed to have started this not to make money but to have fun and hurt some people.
Thank you for sharing this investigation.
Sometimes when I warn my friends and family about oversharing online, and the "dangers of social media" (on-the-internet-nobody-knows-you're-a-dog 1993 cartoon) they think I'm paranoid.
This is a very good case study for all social media users to understand.
Ironically, if you try sharing this piece on social media you'll see that their graphic designer could spell neither "temptation" nor "extortion" correctly. In Canada! Yikes!
It's about time Facebook should start taking action against fake profiles. They should make use of AI to separate them out.
How does the SEC not crack down on Facebook misleading investors around the number of "active" users?
Is there a plugin that tags fake profiles?
This is what technology is - a double edged weapon. Use it wisely.
What do you do with the real profiles, that are fake too? Too many people just present on Facebook what they perceive to be their best self.
This... was an unreadable experience. Gratuitous animations, football field sized paragraph widths, proportional/fluid CSS sizing (thought maximizing my browser on a 1080p screen would allow me to see more), bite sized paragraphs interspersed with information-thin graphic inserts, full width graphics that have a larger height than your browser viewport, text swooshing down the screen while you're scrolling because the above graphic is dynamically resizing.
I appreciate the desire to experiment with the medium, but it just does a disservice to the content.
Ugh, there is no way to just read the text, you have to scroll from short paragraph to short paragraph, like a fancy tweet storm. Do they even want people to read that thing?
Society has a tiny part in this, it seems it's as bad to be seen masturbating on a computer as to threaten people to ruin their lives for money.
If an employee of mine was caught in this, I'd laugh it off faster than it takes to say it. But I'd hammer down hard on the scammers.
Hah, how stupid do you need to be to fall into this obvious trap. Let's see... a random cute girl approaches you online and wants to initiate a sexy chat. The chances of this happening for real and not being a scam are about the same as you being a distant cousin to a Nigerian prince who just passed away and left you millions of dollars of inheritance.
I can totally understand that as I was in the same situation earlier
Is this something that the blockchain could help with? Seems to me that a scalable method of authentication would be a real asset to solving the problem.