NATO Group Catfished Soldiers to Prove a Point About Privacy
Credit to Author: Issie Lapowsky | Date: Mon, 18 Feb 2019 12:00:00 +0000
The phony Facebook pages looked just like the real thing. They were designed to mimic pages that service members use to connect. One appeared to be geared toward a large-scale military exercise in Europe and was populated by a handful of accounts that appeared to be real service members.
In reality, both the pages and the accounts were created and operated by researchers at NATO’s Strategic Communications Center of Excellence, a research group that's affiliated with NATO. They were acting as a "red team" on behalf of the military to test just how much they could influence soldiers’ real-world actions through social media manipulation.
The group "attempted to answer three questions,” Nora Biteniece, a software engineer who helped design the project, told WIRED. “The first question is, What can we find out about a military exercise just from open source data? What can we find out about the participants from open source data? And, can we use all this data to influence the participants’ behaviors against their given orders?”
The researchers discovered that you can find out a lot from open source data, including Facebook profiles and people-search websites. And yes, the data can be used to influence members of the armed forces. The total cost of the scheme? Sixty dollars, suggesting a frighteningly low bar for any malicious actor looking to manipulate people online.
StratCom published its findings last week in a new report, which Biteniece, her coauthor Sebastian Bay, and their fellow StratCom researchers presented Thursday at an event on social media manipulation at the United States Senate. The experiment underscores just how much personal information is free for the taking on social media, and, perhaps even more troubling, exactly how it can be used against even those of us who are the best positioned to resist it.
“We’re talking professional soldiers that are supposed to be very prepared,” says Janis Sarts, director of NATO StratCom. “If you compare that to an ordinary citizen … it would be so much easier.”
Many of the details about how the operation worked remain classified, including precisely where it took place and which Allied force was involved. The StratCom group ran the drill during an exercise with approval of the military, but service members weren't aware of what was happening. Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as well as profiles impersonating service members both real and imagined.
To recruit soldiers to the pages, they used targeted Facebook advertising. Those pages then promoted the closed groups the researchers had created. Inside the groups, the researchers used their phony accounts to ask the real service members questions about their battalions and their work. They also used these accounts to "friend" service members. According to the report, Facebook's Suggested Friends feature proved helpful in surfacing additional targets.
The researchers also tracked down service members' Instagram and Twitter accounts and searched for other information available online, some of which a bad actor might be able to exploit. “We managed to find quite a lot of data on individual people, which would include sensitive information,” Biteniece says. “Like a serviceman having a wife and also being on dating apps.”
By the end of the exercise, the researchers identified 150 soldiers, found the locations of several battalions, tracked troop movements, and compelled service members to engage in “undesirable behavior,” including leaving their positions against orders.
“Every person has a button. For somebody there’s a financial issue, for somebody it’s a very appealing date, for somebody it’s a family thing,” Sarts says. “It’s varied, but everybody has a button. The point is, what’s openly available online is sufficient to know what that is.”
Members of the military happen to be particularly high-profile targets for scams like catfishing and sextortion. Recently, a group of inmates in South Carolina were busted for allegedly blackmailing 442 service members using fake personas on online dating services. Not only can these tactics hit service members' wallets, they may also represent a security risk if the victims have access to sensitive information.
A Facebook spokesperson said the company "welcome[s] researchers who inform social media and technology companies of their findings in a responsible manner."
"Social engineering and other scams continue to be a challenge for people using technology worldwide," the spokesperson said. "We encourage people to not accept suspicious requests and to report suspicious messages, which try to trick people into sharing personal and sensitive business information."
Facebook has taken a firm stance against networks of fake pages and accounts designed to manipulate the public, ever since the company discovered a widespread Russian propaganda campaign designed to influence the 2016 US election. Facebook prohibits what it calls "coordinated inauthentic behavior" and has suspended thousands of accounts, pages, and groups engaged in this kind of trickery all around the world. The company has scaled up its safety and security team to 30,000 people over the last year, and it also offers users guidance on dealing with phishing.
But the StratCom report shows that Facebook's efforts to crack down on this activity are having only middling success. Of the three pages the group created, one was shut down within a matter of hours, while the other two were cut off two weeks later after being reported to Facebook. Two out of the five phony profiles they created were never suspended. Neither were the closed groups. And StratCom's experiment was tiny in comparison to the scams that some bad actors run, using hundreds of accounts, profiles, and pages.
"We did this to test social media companies’ statements that they're doing a lot to investigate and protect against malicious activity," Bay says. "Obviously if it takes two people three weeks to find vulnerabilities within this context, they're not doing enough."
The researchers suggest some specific changes Facebook could make that would have made their experiment more difficult. For instance, they encourage the company to establish stricter control over its Suggested Friends feature, so it's not so easy to map out members of a given group.
For the military group that OK'd the research, the experiment effectively acted as a drill. But for the rest of us—and certainly for the social media platforms implicated in the report—the researchers hope it will serve as concrete evidence of why a fuzzy concept like privacy matters and what steps can be taken to protect it.
"We need to put more pressure on social media," Bay says, "to address these vulnerabilities that can be used for the detriment of national security for individuals and for society as a whole."