I may be a fraudster!

I’ve previously contacted a journalist via Help a Reporter Out (HARO), and I occasionally pitch to journalists on the service. In fact, I submitted a new pitch earlier this month.

So I noted with interest this story of how fraudsters fool Help a Reporter Out pitch recipients with synthetic or otherwise fraudulent identities.

When a reporter is writing a story that requires a source that he or she does not have, that reporter will likely turn to HARO, a service that “connects journalists seeking expertise to include in their content with sources who have that expertise.”…

Now, shady SEOs hide behind fake photos and personalities. The latest black hat search-engine optimization trend is to respond to Help-a-Reporter-Out (HARO) inquiries pretending to be a person of whichever gender/ethnicity the journalist is seeking comment from.

From https://www.johnwdefeo.com/articles/deepfakes-are-ruining-the-internet

As it turns out, I have never responded to a pitch that specifically requested comments from white males. (Probably because if a pitch DOESN’T request gender/ethnicity information, chances are that the respondent will be a white male.) But it’s clear how a HARO pitch scammer could create a synthesized identity of a biometric proposal writing expert.

So if you’re asking your source for a picture, John W. Defeo suggests that you ask for TWO pictures. I think that the technical term for this is MPA, or Multi Photo Authentication.

There’s one other suggestion.

Take those photographs and plug them into a reverse image lookup service like Tineye (or even Google Images). Have they appeared on the web before? Does the context make sense?

From https://www.johnwdefeo.com/articles/deepfakes-are-ruining-the-internet

I often use the picture that is found on my jebredcal Twitter profile.

So I plugged that in to a Google reverse image search. As expected, it hit on Twitter, but also hit on some other social media platforms such as LinkedIn.

I hadn’t heard of TinEye before, so I figured I’d give it a shot. Here’s what TinEye found:

Very odd, since as I previously mentioned this particular image is available on Twitter, LinkedIn, and other sources. But it turns out that TinEye honors requests from social media services NOT to crawl their sites. (No comment.) And TinEye apparently hasn’t crawled the relevant page on bredemarket.com yet.

Which leads to the scary thought – what if someone searched TinEye for me, and didn’t bother to search anywhere else after getting 0 results? Would the searcher conclude that I was a synthetically-generated biobot?

Wow, talk about identity concerns…

“Who Are You” by The Who. Fair use, https://en.wikipedia.org/w/index.php?curid=11316153

Fame, fortune, or both? Gradations of synthetic identity fraud, with a North Hollywood company as an example

In many cases, identity fraud is accomplished by a bad actor impersonating the identity of another person. Many people have found unauthorized credit or debit card transactions that they didn’t perform, and have had to shut down and re-open their cards as a result.

However, there are other cases in which the identity fraud is accomplished by inventing a “person” out of whole cloth. Or partial cloth; a real piece of identity, such as a legitimate U.S. social security number, is combined with fake information, such as non-existent addresses, stock photography headshots, and unverified social media accounts.

The process could be less rigorous, such as creating a Twitter bot to inflate followers (no government ID needed), or it could be more rigorous, in which the synthetic identity gains legitimate credentials such as passports (although this is becoming more difficult as facial recognition compares applicant faces to existing faces).

Synthetic identity fraud can be damaging. Henry Engler of Thomas Reuters cites a figure of $6 billion in losses to U.S. lenders from synthetic identity fraud.

But sometimes the fraud, while still fraudulent, is relatively innocuous.

Take the case of a particular web design company in North Hollywood, California. If you visit its website (which, oddly enough, is on the “org” domain), the only listed contact for the company is a guy named Eric.

It’s a whole different story on LinkedIn, however.

According to LinkedIn, the company has dozens of employees, including a vast number of co-founders, chief technology officers, and chief information officers. While some are based in Los Angeles, others are based in Chicago, Dallas, Maidenhead, Kyrgyzstan, and other exotic locations. Most remarkably, based upon some of the employee pictures, the company goes over and above in its attempts to attract female technologists. It’s a statistical anomaly!

Under normal circumstances, this remarkable string of oddities would have gone completely unnoticed. I have never interacted with any of these employees, and they don’t seem to be all that active on the LinkedIn platform. Well, with some exceptions; the Chicago-based CEO of the company has made a valuable contribution to the LinkedIn discussion.

Now most of this went under the radar, until a number of LinkedIn employees made connection requests to a particular individual. Unfortunately, this particular individual was Kris’ Rides, a cybersecurity specialist with Tiro Security.

(Before you ask whether Rides himself is a bot, I should note that he has received 40 recommendations on LinkedIn from people that appear to be real, and has amassed over 500 connections. So if Rides is a bot, he is a very effective one.)

When Rides received these connection requests (including two CTOs and two CIOs at the same company), they struck him as odd. So he shared his experience with his connections, which included other cybersecurity professionals, and people (such as me) who were connected to those other cybersecurity professionals. And they’re talking.

Pro tip: if you’re engaging in synthetic identity fraud, don’t reach out to a cybersecurity professional.

Now this story probably won’t be a trending topic on Twitter, even if the bots try to make it so, but it’s certainly gaining traction in the audience that counts: namely, technology experts who have the power to tell LinkedIn and others about questionable marketing techniques.

So what happens next? A mea culpa from Eric (or whatever his or her real name is)? Time will tell.