International Journal of Science and Research (IJSR)
ISSN (Online): 2319-7064
Impact Factor (2012): 3.358
Volume 3 Issue 6, June 2014
www.ijsr.net
Licensed Under Creative Commons Attribution CC BY

Profile Impostoring: A Use Case on the Rising Social Engineering Attack on Facebook Users

Cephas Mawere¹, Thabiso Peter Mpofu²

¹ M.Tech. Student, Department of Bioinformatics, School of IT, Jawaharlal Nehru Technological University Hyderabad, India
² M.Tech. Student, Department of Computer Science, School of IT, Jawaharlal Nehru Technological University Hyderabad, India

Abstract: Social engineering attacks have taken a new twist as a growing number of people use online social networking sites to foster social relationships among each other and market products. Of interest is Facebook, whose users have exponentially increased; some of these users are prominent individuals with high influence in various communities, like celebrities, philanthropists, religious ministers and non-profit organizations. Data retrieval from Facebook profiles is thus becoming a major tool for business, which has led to most unsuspecting users being victims of deception. Profile impostoring, also known as identity theft, is increasingly on the rise and becoming an underlying threat to information security. The cyber perpetrators are creating fake Facebook profiles of prominent individuals who have a large following. Ordinary individuals are not spared either. With such a high pending risk of identity theft, there is a need to develop methods that help Facebook fans to automatically detect deception, identify imposters and get them arrested.

Keywords: Social engineering, social networking, profile impostoring, identity theft, information security, cyber perpetrators

1. Introduction

Social engineering (as used by the military or law-enforcement) is the emerging technique for obtaining classified information by interacting and deceiving people who can access that information [3].
Rather than using traditional techniques of attacking technical shields such as firewalls, many sophisticated computer hackers find that social engineering is more effective and more difficult for humans to detect. In the domain of information security, social engineering can get into an information system by exploiting people's weaknesses rather than weaknesses in the computer itself [4]. The weakest link in an information-security chain is often the user, because people can be manipulated. Social engineering attacks can be complex, with multiple ploys and targets [2]. For example, the use of a real or fake organization's uniform is common everywhere in the world. Anyone who can quickly verify the uniformed person in front of them can escape the damage from such fraud [5].

Social engineering attacks have taken a new twist as a growing number of people use online social networking sites to foster social relationships among each other [1]. Of interest is the ever widening network Facebook, whose following is attributed to the strong growth from emerging markets such as India and Brazil. For example, in India its user base rose by 50 percent to 78 million as of March 31, 2013 compared to the same period in 2012 [8]. Data retrieval from Facebook profiles has thus become a major tool for business, which has led to most unsuspecting users being victims of deception [6].

Profile impostoring, also known as identity theft, is increasingly on the rise and becoming an underlying threat to information security. The cyber perpetrators are now creating copy Facebook profiles of individuals ranging from ordinary users to brands and prominent accounts who have a large following, like philanthropists and religious ministers.

2. Trends in Facebook Impostoring

As of September 30, 2013, it is estimated that 143.3 million accounts (which doubled in less than six months of the same year) on the popular social networking site Facebook may be false or duplicate, with a major chunk of them coming from developing markets like India and Turkey [7], [15]. Facebook revealed that such accounts were duplicates, misclassified or undesirable [10]. A user-misclassified account is one where users create personal profiles for a business, organization or non-human entity such as a pet. Under Facebook guidelines, such entities are permitted to use a page rather than a personal profile. Undesirable accounts represent user profiles that Facebook determines are intended to be used for purposes that violate its terms of service, such as spamming. Unfortunately, for years people have been creating accounts not only for their pet rabbits but also for imaginary friends and other fictional characters.

Figure 1: Statistics of Facebook accounts as at Sept. 30, 2013

Facebook, which globally witnessed 1.19 billion monthly active users (MAUs), an 18% increase year-over-year (YOY), said in a US Securities and Exchange Commission (SEC) filing for the quarter which ended on September 30, 2013 that it estimates up to 7.9 per cent of accounts being duplicate, and up to 2.1 per cent and up to

Paper ID: 0201486