National Security

'Cat-and-mouse game': Facebook, Twitter fight daily scourge of fake accounts

Just as spam once overwhelmed email inboxes, fake social media accounts are now a plague. Facebook and Twitter fight a daily battle with fraudsters trying to set up bogus accounts or hijack existing ones. It happens millions of times a day.

Social media companies say that sophisticated algorithms give them an upper hand against swindlers, hackers and cheats. But many fake accounts invariably evade detection.

Even cyber experts find themselves repeat victims.

Maj. Gen. Garrett S. Yee, who occupies a top cyber post for the U.S. Army, has been a victim of fake accounts before. But even he was surprised by what occurred a few days ago.

Visiting his daughter back in California, Yee told her about the occasional fake accounts set up in his name and how he always took care of them right away.

“I said, ‘Let me show you what happens,’” and he went to his keyboard as she observed. “I typed my name into the Facebook search line and three fake accounts came up,” he told a cybersecurity forum in Washington last week.

“I’ve had about a dozen fake accounts over the past year. But it was interesting that right when I said, ‘Look, here’s how you look yourself up,’ three fakes came up. (I) sent them into Facebook and they took them down right away,” Yee said.

Facebook founder Mark Zuckerberg told a hearing before the European Parliament May 22 that in the first quarter of the year, his company took down 580 million fake accounts. Facebook has more than two billion monthly users around the world.

In other appearances, including two before Congress in April, Zuckerberg said that powerful artificial intelligence tools help Facebook detect fake accounts, identify terrorist propaganda, and block malicious content. They scan constantly in conjunction with a human workforce of monitors that will climb to 20,000 people by the end of the year, he said.

“These are not unsolvable problems,” Zuckerberg said in an April 25 earnings call.

Despite the best efforts of the social media companies, some fake accounts still make it past the digital guardians. Today, just as big email services like Yahoo and Gmail once fought a tidal wave of spam before learning how to filter it, social media companies are constantly at battle with malicious automation. Some of the activity is powered by robotic networks, known as bots.

“It’s a cat-and-mouse game. They are trying to fight the bots all the time. But at the same time, the botmakers are trying to find new ways to get around these preventive mechanisms,” said Janne Pirttilahti, vice president of F-Secure, a Helsinki, Finland, cybersecurity company with offices in 20 nations around the world.

Those behind creation of fake accounts can include hackers, cyber bullies, enemy nations trying to sway political sentiment, people with axes to grind against companies or ideas, and those pushing a political, religious or ethnic agenda, among others.

A telltale sign of a fake account is when a Facebook user gets a "friend" request from someone they are already friends with. Whoever is behind the fake account seeks to leverage the network of friends of the real person.

While Facebook and Twitter say that their artificial intelligence tools are getting better at detecting irregularities, researchers say motivations are strong for devious parties to hijack social media accounts, create bogus ones or install malicious code on a computer to post content as if it were the work of the owner.

“Fake accounts, I would say, are largely information warfare or propaganda,” said Steve Grobman, senior vice president and chief technology officer for McAfee, a Santa Clara, California, security technology company.

The fake or hijacked accounts trade on the reputation or trustworthiness of the real user among his or her group of friends, Grobman said.

“Your machine would get infected and then on your behalf it would either post stories as you or ‘like’ fake news stories in order to have them gain additional credibility,” he said.

While artificial intelligence, or AI, tools can make headway against bogus activity, Grobman said, hackers constantly seek to game the tools.

“Many of the AI detection algorithms are highly fragile and if an adversary is crafting their content specifically with the purpose to evade AI-based detection, they are very likely to be successful,” Grobman said. “It’s one of the best tools available but I also think that we need to be careful to understand the limitations of artificial intelligence as well as the power.”

A Facebook product manager, Samidh Chakrabarti, said in a company blog posting March 29 that Facebook believes it can get the upper hand.

“Over the past year, we’ve gotten increasingly better at finding and disabling fake accounts. We’re now at the point that we block millions of fake accounts each day at the point of creation before they can do any harm,” Chakrabarti wrote.

Precisely how Facebook does this, and what percentage might slip through, is not known. A few do slip through, as Maj. Gen. Yee discovered. Facebook has a mechanism for reporting an account that pretends to be a user or someone a user knows.

“It’s very hard to monitor Facebook. It’s a walled garden,” Pirttilahti said of the company. “There are fake accounts, for sure, and they typically are used to drive an agenda distribute information, call it fake news, call it whatever you want.”

For its part, San Francisco-based Twitter, whose 330 million monthly active users post and interact with short messages known as tweets, says it has sharply increased its detection rate of suspect accounts and tweets, challenging eight million per week.

“We challenge them in a range of ways, like requesting they type in a phone number or ReCaptcha code,” a spokesperson said in an email, asking to remain anonymous. She referred to a test that tells humans and bots apart by asking them to solve a test that is easy for humans but hard for machines.

“We thwart 530,000 suspicious logins a day -- again by harnessing machine learning. That’s twice what it was a year ago,” the spokesperson said. She noted that many healthy bots exist on Twitter, ranging from “things like weather and traffic trackers to automated feeds like those that media outlets news to push out news.” The challenge is letting the healthy bots work and halting the malicious ones.

The best consumers can hope for, Pirttilahti said, is that social media companies get the upper hand over those who want to create fake accounts, rather than vanquish them.

“I don’t necessarily see an end to this,” he said. “Like, we haven’t really seen the end of spam either.”

Tim Johnson, 202-383-6028, @timjohnson4
Related stories from McClatchy DC