You’re a nobody unless someone is faking you

Graham Cluley

You can’t trust anybody on the internet these days.

There has been a fake Steve Jobs, a fake Tony Benn (for the benefit of our non-British readers, Tony is a famous left-wing veteran politician), and a truly confusing squabble over whether al_gore, algore, or TheRealAlGore was, ahem, the real Al Gore on Twitter.

The technology press delights in snacking on these sorts of stories, but they underline a more serious problem with the net. How do you know you’re talking to the person you think you’re talking to?

The latest celeb to have his identity hijacked by an imposter is Vint Cerf, the so-called “father of the internet” who helped weave the threads of the internet together to make it the marvel it is today.


Dancho Danchev blogged earlier this week that Vint’s Twitter account (@cerf) had been compromised by spammers, who were using it to spew out adverts luring the unwary with less than 140 characters of gossip about the likes of the Nintendo Wii and Apple iPhone.

Twitter, to its credit, was quick to leap into action and froze the account once it determined it was being used for nefarious purposes.

Everyone was shocked, of course, that such a calamity could happen to Google’s Chief Internet Evangelist. How could he, of all people, have let his Twitter account fall into the hands of the bad guys?

It took John Leyden, a journalist with The Register who has a nose for sniffing out nonsense, to contact Vint Cerf himself and ask him if the account really did belong to him. It turned out, it didn’t.

Cerf said he was too busy for things like Twitter, and clearly the account was set up by some enterprising opportunist who delighted in getting people to follow him and his unwanted adverts.

So, how is this relevant to you? Well, how do you know that people are who they say they are when they – say – connect with you via Facebook or Twitter?

Picture the scene. Fred Hacker wants to gather information about Joe User. Fred Hacker goes to a website like Classmates or FriendsReunited to find out who Joe went to school with. Fred Hacker creates a Facebook account in Joe’s friend’s name, and uploads a photo of a baby as his main profile picture.

Plastic Frog or ID Fraudster?

(Have you noticed how many people have pictures of themselves as a baby, or their pets, or a plastic frog, or someone in a completely obscuring sombrero as their Facebook mugshot? How are you supposed to tell if that really was them as a child?)

So, what does Joe do? Most likely, he accepts the friend request from Fred Hacker and thinks nothing more of it.

I’ve even seen people agree to add as friends people who happen to share the same name as them. Imagine that! You’re really making it easy for the cybercriminals if you don’t even make them do the most basic work to try and fool you.

If you add complete and utter strangers – who claim to have the same name (“How cute, let’s be friends”) – to your friend list, then you’re not just exposing your own private information to an unknown third party, you’ve also let them enter your circle of trust. You’ve effectively given them some additional credibility through your association with them if they next try to connect with your friends.

So, it’s not just the famous who can have people faking them online. Receiving an invitation to connect from someone on Facebook, or seeing they have a page on Twitter, doesn’t necessarily mean they are legitimate. Likewise, just because you see someone’s name at the end of a message or internet posting doesn’t really mean that that is the person who wrote it.

I’ve even had my own experience of having a chump pretending to be me on Facebook – with some unpleasant consequences.

Sites like Facebook and Twitter and web email services don’t have real procedures for confirming the identity of who signs up for them – so you should always be careful not to jump to the conclusion that just because a message appears to have come from, say, Bill Gates, it really is from that nerdy guy with the glasses.

By the way, if you want to follow me on Twitter you can find me @gcluley. You’ll have to take my word for it that that’s the real me, unless you all plan to phone me up to check. (please don’t)

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
