Virus targets the social network in new fraud twist
In the world of cyber fraud, a fake fan on Instagram can be worth five times more than a stolen credit card number.
As social media has become increasingly influential in shaping reputations, hackers have used their computer skills to create and sell false endorsements - such as "likes" and "followers" - that purport to come from users of Facebook, its photo-sharing app Instagram, Twitter, Google's YouTube, LinkedIn and other popular websites.
In the latest twist, a computer virus widely used to steal credit card data, known as Zeus, has been modified to create bogus Instagram "likes" that can be used to generate buzz for a company or individual, according to cyber experts at RSA, the security division of EMC Corp.
These fake "likes" are sold in batches of 1,000 on Internet hacker forums, where cyber criminals also flog credit card numbers and other information stolen from PCs. According to RSA, 1,000 Instagram "followers" can be bought for $15 and 1,000 Instagram "likes" go for $30, whereas 1,000 credit card numbers cost as little as $6.
It may seem odd that fake social media accounts would be worth more than real credit card numbers, but online marketing experts say some people are willing to spend heavily to make a splash on the Internet, seeking buzz for its own sake or for a business purpose, such as making a new product seem popular.
"People perceive importance on what is trending," said Victor Pan, a senior data analyst with WordStream, which advises companies on online marketing. "It is the bandwagon effect."
Facebook, which has nearly 1.2 billion users, said it is in the process of beefing up security on Instagram, which it bought last year for $1 billion. Instagram, which has about 130 million active users, will have the same security measures that Facebook uses, said spokesman Michael Kirkland.
He encouraged users to report suspicious activity through links on Facebook sites and apps.
"We work hard to limit spam on our service and prohibit the creation of accounts through unauthorized or automated means," Kirkland said.
Knowing when to stop
The modified Zeus virus is the first piece of malicious software uncovered to date that has been used to post false "likes" on a social network, according to experts who track cyber crime.
Fraudsters most commonly manipulate "likes" using automated software programs.
The modified version of Zeus controls infected computers from a central server, forcing them to post likes for specific users. They could also be given marching orders to engage in other operations or download other types of malicious software, according to RSA.
Cyber criminals have used Zeus to infect hundreds of millions of PCs since the virus first surfaced more than five years ago, according to Don Jackson, a senior security researcher with Dell SecureWorks.
That the virus is now being adapted to target Instagram is a sign of the rising importance of social media in marketing, and the increasing sophistication of hackers trying to profit from the trend.
Online marketing consultant Will Mitchell said he sometimes advises clients to buy bogus social-networking traffic, but only to get an early foothold online.
When asked about the ethics of faking endorsements, Mitchell replied, "It's fine to do for the first 100, but I always advise stopping after that."
He said one of his clients once bought more than 300,000 "likes" on Facebook against his advice, a move that Mitchell felt damaged the client's reputation. "It was just ridiculous," he said. "Everybody knew what they were doing."
Still, experts say schemes to manipulate social networks are unlikely to go away. Creating fake social media accounts can also be used for more nefarious purposes than creating fake "likes," such as identity theft.
"The accounts are always just a means to an end. The criminals are always looking to profit," said computer security expert Chris Grier, a University of California at Berkeley research scientist who spent a year working on a team that investigated fake accounts on Twitter.