How many celebrities do you see in the picture below? Probably 12? We count 3,448 celebrity impersonations.
The 2014 Oscars saw the stars align for a mega-selfie that would nearly break the internet. After the 86th Academy Awards ceremony, talk show host Ellen DeGeneres posed along with a handful of other celebrities including Brad Pitt, Jennifer Lawrence, Jared Leto, Julia Roberts and Channing Tatum, for a record-breaking selfie destined to set the web ablaze. The photo in question was uploaded to Twitter and became an instant hit with star-struck fans around the globe, garnering over 1.8 million retweets within the first hour. The image has been retweeted a total of 3.3 million times to date, twice as many as the next highest on record (a sappy bromance tweet between One Direction band members Louis Tomlinson and Harry Styles, as if you didn’t know/retweet that already).
Being the cyber security geeks that we are, ZeroFox decided to put the stars into our platform and calculate the number of celebrity impersonations per individual. We pointed our impersonation detection algorithms at the celebrities in the fab photo: we use image recognition, fuzzy name matching and expert models to determine the number of impersonators. Generally, we run the profiles through a machine learning classifier to determine whether they are malicious or parody accounts, but for this little experiment, we took the full number.
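To make the fuzzy name matching step concrete, here is an added sketch (not ZeroFox's code) that normalizes lookalike characters in handles and display names and scores them against a protected name with Python's standard `difflib`. The protected name, the sample accounts, the substitution table and the 0.85 threshold are all constructed for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed substitution table: digits, symbols and Cyrillic letters that
# are commonly used in place of Latin letters in lookalike handles.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic r, s, i
})

def normalize(name: str) -> str:
    """Fold case, accents, lookalike characters and separators."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = stripped.lower().translate(LOOKALIKES)
    return "".join(c for c in folded if c.isalnum())

def similarity(candidate: str, protected: str) -> float:
    c, p = normalize(candidate), normalize(protected)
    if not c or not p:
        return 0.0
    ratio = SequenceMatcher(None, c, p).ratio()
    # A handle that wraps the full name in extra tokens ("thereal...",
    # "...official") stays a candidate even though the raw ratio drops.
    return max(ratio, 0.9) if p in c else ratio

def find_candidates(accounts, protected, verified_handle, threshold=0.85):
    """Return (handle, score) for accounts resembling the protected name."""
    hits = []
    for handle, display in accounts:
        if handle.lower() == verified_handle.lower():
            continue  # skip the genuine account
        score = max(similarity(handle, protected), similarity(display, protected))
        if score >= threshold:
            hits.append((handle, round(score, 2)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample data: (handle, display name). Not real accounts.
SAMPLE_ACCOUNTS = [
    ("JordanAvery", "Jordan Avery"),               # verified account
    ("J0rdan_Av3ry", "JA updates"),                # digit substitution
    ("Jord\u0430nAvery", "fan page"),              # Cyrillic "a"
    ("JordanAvrey", "Jordan A."),                  # transposed letters
    ("TheRealJordanAveryOfficial", "giveaways"),   # name wrapped in tokens
    ("gardenbakery", "Garden Bakery"),             # unrelated account
]

if __name__ == "__main__":
    print(find_candidates(SAMPLE_ACCOUNTS, "Jordan Avery", "JordanAvery"))
```

Name similarity only produces candidates; as the paragraph above notes, deciding whether a candidate is malicious or a parody is a separate classification step.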
Our conclusion? These stars have quite a following/stalking. Seven of the 12 celebrities boast over 200 online impersonators, and Hunger Games star, Jennifer Lawrence, has an award-winning 539 fake accounts associated with her name. Either these stars suffer from multiple personality disorders, or they’re being targeted by a combined thousands of copycats (we assume the latter).
The sheer number of celebrity impersonations is staggering and underlines how low the barrier to entry is for social media identity thieves. Though social has always been a haven for cybercrime, Cisco’s Midyear Report identifies Facebook as the primary access point for web-based scammers. Social engineering, scamming and fake identities have never been so easy to carry out.
Now, not all celebrity impersonators are cold-hearted scammers bent on defrauding your bank account; some just wanna have a little fun. In fact, most of these phony profiles are classified as relatively benign parody accounts. Online trolls will create spoof accounts to poke fun at celebrities, posting goofy updates under the star’s name as an attempt at humor.
However, a second, more devious category of copycat consists of scammers that plan and conduct phishing and social engineering operations against unwitting followers. These attackers are the most vicious of the bunch and, unfortunately, make up a significant fraction of fraudulent accounts. Due to the trusted nature of social media, unsuspecting followers will readily respond to “celebrity” generated content, clicking links and divulging credit card information in return for incredible promotions and offers. These scammers hide behind a starlet façade, wreaking havoc on everyday users’ bank accounts.
Celebrity impersonations also pose a huge risk for the media companies associated with the celebrity. When attackers leverage the hard-fought following of celebrities to scam customers, they’re not only directing potential followers away from legitimate stars, they’re outright defrauding or scamming customers and would-be followers of the media organization. Media and entertainment organizations invest a huge amount of time and money into creating and marketing their personalities, shows, characters and more. Attackers have learned to exploit this investment by impersonating highly visible social media accounts, disseminating scams to followers and fans, and hijacking clicks.
Unfortunately for organizations, similar phishing tactics bleed over into the corporate world. Attackers impersonate the social media accounts of executive-level staff (CEOs, CMOs, VPs, etc.) in hopes of befriending employees and infiltrating organizational networks. After all, what employee wouldn’t be flattered to accept a LinkedIn connection from their CFO? Once connected with the phony executive, employees will accommodate the faux authority figure with sensitive corporate information, relaying intellectual property, login credentials and customer details. The fallout associated with account impersonations can be disastrous: an ugly, unintended consequence of the sweeping reach and trusted nature of social media.