Beware the fake Facebook sirens that flirt you into sextortion

library
crime | hacking | security

Fake Facebook profiles of hot women who invite targets to join them in sexy webcam masturbation sessions – sessions that lead to image capture and extortion – are part of a “three-tiered, industrial process” that allows a sophisticated criminal network to “find, filter and defraud victims, all the while protecting itself,” according to an investigation done by Radio Canada.

We’ve covered plenty of lone-wolf sextortionists: one who targeted underaged girls until he was caught by investigators’ booby-trapped video; the guy who preyed on Miss Teen USA and 150 others; and a former US Embassy worker who sextorted, phished, broke into email accounts, stole explicit images and cyberstalked hundreds of women around the world from his London office. And there are many others.

Not to downplay the suffering caused by such operators in any way – there have been multiple suicides related to such cases – but those lone wolves are rank amateurs compared with the massive network of fraudulent accounts that catfish male victims using stolen photos of young women and adolescent girls.

To find out how the networks spin their webs, Radio Canada journalists Marie-Eve Tremblay and Jeff Yates – an expert in online disinformation who’s found and mapped the connections between fake profiles to learn how they support each other – conducted a months-long investigation into what he believes is a “massive network.”

They knew that the accounts were fake because the photos had been stolen from Instagram accounts or personal Facebook profiles. Some of the fake accounts are massive: they have 100,000, 200,000, or even 500,000 followers.

Yates believes that the fake profiles are just the first layer of a massive sextortion scheme.

It starts with a friend request from a young, hot babe. Within minutes of an intended victim accepting the request, the fake account will invite the target to join her in a sexy webcam chat, such as on Skype or Google Hangouts.

What hetero man – or anybody else who likes the attention of young, hot women and is innocent enough to fall for the come-on – wouldn’t jump at the chance? Once they do, the first step into a sextortion trap has been taken. If the target can be coerced into taking off their clothes and/or masturbating, images are collected, and the ransom demands soon follow.

Yates, in the Radio-Canada web series Corde sensible, paraphrases a typical sextortion threat:

‘If you don’t give me this or that amount of money, I’m going to tell your girlfriend or your boyfriend or your friends that you’ve been chatting with sexy girls on the internet and that you’ve sent me nude pictures of yourself,’ etc.

To scam the scammers while still protecting Yates from having his photos fall into the crooks’ hands and then getting extorted himself, Radio Canada turned Tremblay into a guy. Using a facial transformation app, the journalists turned her into “William,” a 24-year-old from France who likes soccer and his BMW. They opted for France because they’d found evidence that that’s where the network is based.

To attract the network’s attention, “William” liked fake accounts’ photos and wrote a few comments. That worked quite well, Tremblay said:

Result: friend requests from sexy girls began overloading my inbox.

Private conversations soon ensued. Within an hour, one fake account asked “William” to add her on Skype. After six minutes of chatting, she asked him to turn on his camera so they could have video sex.

Radio Canada didn’t get into the steamy details, but it did talk to a real-life victim whose experience paralleled what the media outlet described.

Cédrick said that within 20 minutes, “you’re already in over your head.” “She” will have taken off her clothes, and/or done a sexy dance, and/or started touching herself, and will have asked her target to do the same. The point is to get a full-body shot, along with the victim’s face, all the better to extort.

Once they have the images they want, everything cuts, and that’s where the intense stuff begins. She starts off by showing you the video, she sends you a link on YouTube.

‘If you disconnect, if you leave, if you block me, I’m sending this videotape to everyone.’

It’s too well-organized for there to be only one person running it, Yates says. To figure out how it was structured, he analyzed around 200 Facebook posts from about 40 fake accounts. Every time one fake profile tagged another, he recorded the source and its target.

Then, using network analysis software, he mapped accounts according to their relationships. He also used a network-detecting algorithm that determines which profiles interact with each other more than with the rest of the network.

What he came up with was a structure comprising three categories: feeder accounts, bait accounts and hunter accounts.

Feeder accounts are on the front line, serving as a gateway into the network. They often have hundreds of thousands of followers, but they themselves don’t share sexy images. Instead, they publish clickbait: phony contests, dummy IQ tests and lifehacks. Radio Canada says the posts often get hundreds or thousands of likes, shares and comments.

The feeder posts, acting as advertisements, tag other fake accounts belonging to the second layer, which is where the “bait” accounts are. Given that those bait accounts appear to belong to beautiful women, the titillated will click on the bait accounts and start following them. That’s how perfect victims self-select: they’re obviously interested in following Facebook profiles of sexy young women and girls, so they venture that much further into the sextortion web.

Bait accounts often share links that purportedly lead to a pornographic video – some of which are promoted as being of underage girls – but Radio Canada says they “invariably” lead to phishing sites where visitors are asked to enter their credit card information. (Radio Canada didn’t click on links purporting to lead to illegal images of minors.)

The second tier isn’t where sextortion takes place. Given that they promote porn, the bait accounts are sometimes flagged and removed by Facebook. It doesn’t matter, though: the gateway feeder accounts stay up, given that no racy material is posted at that initial layer.

Bait accounts entice targets to write comments, either by asking questions such as “Do you think I’m hot?” or by promising to send private photos to those who post a comment. Radio Canada says that this is an important step that leads to the innermost layer where the sextortion trap is sprung: the layer of fake accounts it calls hunter accounts.

Bait accounts have created a perfect environment for sextortion to happen. The users who have commented aren’t afraid of publicly signaling their interest in young girls and, moreover, don’t have the wherewithal to realise that they’re dealing with fake accounts. They are perfect targets for the hunter accounts. These users receive, by the dozen, friend requests from the hunter accounts.

These hunter accounts often get banned, having triggered Facebook algorithms that spot fake accounts by picking out ones that amass a huge number of followers in a brief amount of time. That’s why the “women” in the hunter accounts quickly send private messages to intended victims, trying to hustle them off Facebook as soon as possible: once they’re in a web chat, they’re out of Facebook’s reach and can go after the photos they need for extortion.

Radio Canada focused on one network, but it became clear that there are most likely several interconnected networks “that co-operate to attract a mutually beneficial audience.”

The journalists caught one operator red-handed: it started with a photo of a group of Facebook friends, one of whom went by a name that had been popping up in Yates’ notes for months. The same man was tagged in a second photo, but his tagged name was listed as “Amandine Ponticaud”: the same name as “one of the biggest fake profiles in the network.” Yates noticed that the operator jumped in and out of conversations and arguments under various fake profile names, at one point admitting to publishing “porno links.”

One thing led to another, until the journalists eventually saw a screen capture of a Facebook chat window in which the operator – they referred to him as “Mehdi” – asks a friend to make him administrator of a page:

I’m gonna scam a dude and I just told him that I was admin.

They also found a screengrab of a PayPal transfer worth 500 euros.

The network’s scams are apparently multifaceted. Radio Canada found another part of the network, based in northern France and Belgium, that’s using fake profiles to attract men to certain Snapchat accounts. The accounts seem to be running a cyberprostitution ring, Yates writes…