The popularity of social media has provided criminals a way to create fake identities and wreak havoc for their own personal gain. Attackers are leveraging these accounts to extort money on false pretexts, spread spam and disinformation, post fraudulent product reviews on ecommerce platforms, abuse loyalty or reward points programs, and much more.
Easy availability of stolen consumer information, coupled with commoditized tools and cybercrime-as-a-service, enables attackers to create thousands of fake accounts in seconds. Fake account creation can then be monetized in numerous ways:
Creating a fake account requires some basic technical knowledge. Typically, attackers will try to mimic a real user’s behavior. This can be seen in activities such as liking, following and friending in a coordinated manner. Their tooling also uses non-standard user agent strings and headless browsers, which can be indicative of bot activity.
Another common tactic is to use misspelled names. This is done to avoid detection by security systems, but it can also be used to impersonate a famous person and fool people into thinking the account is legitimate.
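The two signals described above (automation user agents and misspelled lookalike names) can be checked at signup time. The following is an added example, not code from the original page; the protected names, the marker list, the 0.85 similarity threshold and the sample records are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Hypothetical watch list of names an impersonator might imitate (constructed).
PROTECTED_NAMES = ["Jordan Avery", "Morgan Castellan"]
# Assumed substrings that mark automation or headless-browser user agents.
BOT_UA_MARKERS = ("headlesschrome", "phantomjs", "python-requests", "curl/")

def normalize(name):
    """Lowercase and keep letters only, so spacing and punctuation do not matter."""
    return re.sub(r"[^a-z]", "", name.lower())

def lookalike_of(display_name, threshold=0.85):
    """Return the protected name this display name nearly matches, or None.
    An exact match is not flagged: it may be the real account or a namesake."""
    cand = normalize(display_name)
    for protected in PROTECTED_NAMES:
        target = normalize(protected)
        if cand != target and SequenceMatcher(None, cand, target).ratio() >= threshold:
            return protected
    return None

def suspicious_user_agent(ua):
    """True for an empty user agent or one carrying a known automation marker."""
    ua = (ua or "").lower()
    return not ua or any(marker in ua for marker in BOT_UA_MARKERS)

def score_signup(signup):
    """Return the list of reasons a signup record deserves manual review."""
    reasons = []
    if suspicious_user_agent(signup.get("user_agent")):
        reasons.append("automation user agent")
    match = lookalike_of(signup.get("display_name", ""))
    if match:
        reasons.append(f"near-match of protected name: {match}")
    return reasons

# Constructed sample records, not real traffic.
SIGNUPS = [
    {"display_name": "Jordon Avery", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/120.0"},
    {"display_name": "Maria Gomez", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"},
    {"display_name": "Morgan Castellann", "user_agent": "Mozilla/5.0 (Macintosh) Safari/605.1.15"},
]

if __name__ == "__main__":
    for s in SIGNUPS:
        print(s["display_name"], "->", score_signup(s) or "no flags")
```

Either signal alone produces false positives (namesakes, legitimate automation), so the reasons are best treated as inputs to review or step-up verification rather than as an automatic block.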
An attacker building a fake profile relies on the “less is more” rule: adding too many details that people can verify as inaccurate will give the profile away. The attacker creates a new email address that is not tied to any of their other online activities and uploads photos that are not of themselves or their real friends.