{"id":14627,"date":"2019-02-18T10:45:15","date_gmt":"2019-02-18T18:45:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/18\/news-8376\/"},"modified":"2019-02-18T10:45:15","modified_gmt":"2019-02-18T18:45:15","slug":"news-8376","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/02\/18\/news-8376\/","title":{"rendered":"NATO Group Catfished Soldiers to Prove a Point About Privacy"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c6735e42cbde374dceb08a9\/master\/pass\/Security-NATO-Report-568541943-w.jpg\"\/><\/p>\n<p><strong>Credit to Author: Issie Lapowsky| Date: Mon, 18 Feb 2019 12:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">The phony Facebook <\/span>pages looked just like the real thing. They were designed to mimic pages that service members use to connect. One appeared to be geared toward a large-scale, military exercise in Europe and was populated by a handful of accounts that appeared to be real service members.<\/p>\n<p>In reality, both the pages and the accounts were created and operated by researchers at NATO\u2019s Strategic Communications Center of Excellence, a research group that&#x27;s affiliated with NATO. They were acting as a &quot;red team&quot; on behalf of the military to test just how much they could influence soldiers\u2019 real-world actions through social media manipulation.<\/p>\n<p class=\"paywall\">The group &quot;attempted to answer three questions,\u201d Nora Biteniece, a software engineer who helped design the project, told WIRED. \u201cThe first question is, What can we find out about a military exercise just from open source data? What can we find out about the participants from open source data? 
And, can we use all this data to influence the participants\u2019 behaviors against their given orders?\u201d<\/p>\n<p class=\"paywall\">The researchers discovered that you can find out a lot from open source data, including Facebook profiles and people-search websites. And yes, the data can be used to influence members of the armed forces. The total cost of the scheme? Sixty dollars, suggesting a frighteningly low bar for any malicious actor looking to manipulate people online.<\/p>\n<p class=\"paywall\">StratCom <a href=\"https:\/\/www.stratcomcoe.org\/responding-cognitive-security-challenges\" target=\"_blank\">published<\/a> its findings last week in a new report, which Biteniece, her coauthor Sebastian Bay, and their fellow StratCom researchers presented Thursday at an event on social media manipulation at the United States Senate. The experiment underscores just how much personal information is free for the taking on social media, and, perhaps even more troubling, exactly how it can be used against even those of us who are the best positioned to resist it.<\/p>\n<p class=\"paywall\">\u201cWe\u2019re talking professional soldiers that are supposed to be very prepared,\u201d says Janis Sarts, director of NATO StratCom. \u201cIf you compare that to an ordinary citizen \u2026 it would be so much easier.\u201d<\/p>\n<p class=\"paywall\">Many of the details about how the operation worked remain classified, including precisely where it took place and which Allied force was involved. The StratCom group ran the drill during an exercise with approval of the military, but service members weren&#x27;t aware of what was happening. Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as well as profiles impersonating service members both real and imagined.<\/p>\n<p class=\"paywall\">To recruit soldiers to the pages, they used targeted Facebook advertising. 
Those pages then promoted the closed groups the researchers had created. Inside the groups, the researchers used their phony accounts to ask the real service members questions about their battalions and their work. They also used these accounts to &quot;friend&quot; service members. According to the report, Facebook&#x27;s Suggested Friends feature proved helpful in surfacing additional targets.<\/p>\n<p class=\"paywall\">The researchers also tracked down service members&#x27; Instagram and Twitter accounts and searched for other information available online, some of which a bad actor might be able to exploit. \u201cWe managed to find quite a lot of data on individual people, which would include sensitive information,\u201d Biteniece says. \u201cLike a serviceman having a wife and also being on dating apps.\u201d<\/p>\n<p class=\"paywall\">By the end of the exercise, the researchers identified 150 soldiers, found the locations of several battalions, tracked troop movements, and compelled service members to engage in \u201cundesirable behavior,\u201d including leaving their positions against orders.<\/p>\n<p class=\"paywall\">\u201cEvery person has a button. For somebody there\u2019s a financial issue, for somebody it\u2019s a very appealing date, for somebody it\u2019s a family thing,\u201d Sarts says. \u201cIt\u2019s varied, but everybody has a button. 
The point is, what\u2019s openly available online is sufficient to know what that is.\u201d<\/p>\n<p class=\"paywall\">Members of the military happen to be particularly <a href=\"https:\/\/www.wired.com\/2013\/03\/air-force-sextortion\/\">high-profile targets<\/a> for scams like catfishing and <a href=\"https:\/\/www.wired.com\/story\/jeff-bezos-sextortion-allegation\/\">sextortion<\/a>. Recently, a group of inmates in South Carolina were busted for allegedly <a href=\"https:\/\/www.wspa.com\/news\/sc-inmates-take-catfishing-to-new-level-target-military-members-to-extort-money\/1625594953\" target=\"_blank\">blackmailing<\/a> 442 service members using fake personas on online dating services. Not only can these tactics hit service members&#x27; wallets, they may also represent a <a href=\"https:\/\/www.militarytimes.com\/news\/your-military\/2016\/12\/06\/sextortion-the-u-s-military-s-dirty-little-secret-is-a-growing-national-security-concern\/\" target=\"_blank\">security risk<\/a> if the victims have access to sensitive information.<\/p>\n<p class=\"paywall\">A Facebook spokesperson said the company &quot;welcome[s] researchers who inform social media and technology companies of their findings in a responsible manner.&quot;<\/p>\n<p class=\"paywall\">&quot;Social engineering and other scams continue to be a challenge for people using technology worldwide,&quot; the spokesperson said. &quot;We encourage people to not accept suspicious requests and to report suspicious messages, which try to trick people into sharing personal and sensitive business information.&quot;<\/p>\n<p class=\"paywall\">Facebook has taken a firm stance against networks of fake pages and accounts designed to manipulate the public, ever since the company discovered a widespread Russian propaganda campaign designed to influence the 2016 US election. 
Facebook prohibits what it calls &quot;coordinated inauthentic behavior&quot; and has suspended thousands of accounts, pages, and groups engaged in this kind of trickery all around the world. The company has scaled up its safety and security team to 30,000 people over the last year, and it also offers users guidance on dealing with <a href=\"https:\/\/www.facebook.com\/help\/phishing\" target=\"_blank\">phishing<\/a>.<\/p>\n<p class=\"paywall\">But the StratCom report shows that Facebook&#x27;s efforts to crack down on this activity are having only middling success. Of the three pages the group created, one was shut down within a matter of hours, while the other two were cut off two weeks later after being reported to Facebook. Two out of the five phony profiles they created were never suspended. Neither were the closed groups. And StratCom&#x27;s experiment was tiny in comparison to the scams that <a href=\"https:\/\/www.wired.com\/story\/facebook-uncovers-new-fake-accounts-ahead-of-midterm-elections\/\">some bad actors<\/a> run, using <a href=\"https:\/\/www.wired.com\/story\/facebook-twitter-eye-iran-fake-account-crackdown\/\">hundreds<\/a> of accounts, profiles, and pages.<\/p>\n<p class=\"paywall\">&quot;We did this to test social media companies\u2019 statements that they&#x27;re doing a lot to investigate and protect against malicious activity,&quot; Bay says. &quot;Obviously if it takes two people three weeks to find vulnerabilities within this context, they&#x27;re not doing enough.&quot;<\/p>\n<p class=\"paywall\">The researchers suggest some specific changes Facebook could make that would have made their experiment more difficult. For instance, they encourage the company to establish stricter control over its Suggested Friends feature, so it&#x27;s not so easy to map out members of a given group.<\/p>\n<p class=\"paywall\">For the military group that OK&#x27;d the research, the experiment effectively acted as a drill. 
But for the rest of us\u2014and certainly for the social media platforms implicated in the report\u2014the researchers hope it will serve as concrete evidence of why a fuzzy concept like privacy matters and what steps can be taken to protect it.<\/p>\n<p class=\"paywall\">&quot;We need to put more pressure on social media,&quot; Bay says, &quot;to address these vulnerabilities that can be used for the detriment of national security for individuals and for society as a whole.&quot;<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/nato-stratcom-catfished-soldiers-social-media\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5c6735e42cbde374dceb08a9\/master\/pass\/Security-NATO-Report-568541943-w.jpg\"\/><\/p>\n<p><strong>Credit to Author: Issie Lapowsky| Date: Mon, 18 Feb 2019 12:00:00 +0000<\/strong><\/p>\n<p>With $60 and a few fake Facebook accounts, researchers were able to identify service members in a military exercise, track their movement, and even persuade them to disobey 
orders.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-14627","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14627"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14627\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14627"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}