When was the last time you accepted a stranger’s friend request?
People are often incredulous that a stranger would want to take over their social network account.
I often hear: “Why me?” My question: “Why not you?”
Scammers run their operations like a business. They need to get their scam in front of as many people as possible. There are a couple of ways to make this happen.
Scenario 1: Create a new social network account, add a fake picture, put some profile information and posts out there. Then, start sending friend requests to strangers.
When was the last time you accepted a connection from a complete stranger? That’s creepy, right? You don’t want strangers to know where you live or what your children look like.
Scenario 1 probably takes more effort than it’s worth.
Scenario 2: Find a person on a social network with a lot of connections. (Those with public accounts or friends lists are the easiest place to start.) Send them a message or e-mail that appears to be from the social network and contains a link that directs them to a fake site that collects their username and password.
Scenario 2 is looking more promising. Creating a fake website and sending some misleading emails opens up access to hundreds of social media connections for each account that is compromised. This is a better business model (albeit for an illegal business).
How is this scam monetized?
Once the criminal has your account login, he will change your password to keep you out of it. Then all of your connections may be sent an attachment. The attachment may have ransomware which locks files, opening up an avenue to extort your friends for hundreds of dollars each.
Let’s do some math using hypothetical numbers.
Scammer John gains access to 1,000 people using social media messages containing a link to his account-stealing website. Of those 1,000 people, 50 people fell for the phish (hook, line, and sinker) and provided their account login. (He is new at this so only 5% fell for his phishing e-mail. With more experience, he can expect to successfully phish 12% of his targets.) Each compromised account has on average 200 contacts. Around 5% of these contacts will open the ransomware. This triggers the ransomware extortion scheme, which demands $800 to “unlock files.” Around 20% of the extorted victims paid up. What was Scammer John’s profit if his only costs were $10 of website hosting and $500 of contract labor?
- Determine how many total connections were reached: 50 people x 200 connections = 10,000 connections
- 5% of total connections opened the ransomware: 0.05 x 10,000 connections = 500 opened ransomware
- 20% of ransomware victims x $800 = revenue: 0.2 x 500 recipients x $800 = $80,000
- Revenue – cost = profit: $80,000 – $510 = $79,490 PROFIT
Back to the original question: “Why me?”
To a scammer, your value is tied to the number of social media connections you have, because each connection is an easy target. People are more likely to open an attachment (or visit a linked site) when it appears to come from a friend.
In Scenario 1, Scammer John spent an entire month building up one social network account and connecting with maybe 200 people. His (illegal) income that month was only $1,600 (200 connections x 5% who opened the ransomware x 20% who paid x $800).
In Scenario 2, Scammer John spent one month gaining access to around 10,000 connections and made $80,000 (illegally).
The answer to “Why me?” is pretty clear.