Military tactics and the art of catfishing

Catfishing can have a direct impact on a country’s security as soldiers might be more vulnerable to online personas than incoming fire.

Apart from catching the aquatic creature, catfishing is the term for luring someone with a fictitious online persona. While it may appear to be an irritating prank, recent live tests by a NATO Strategic Communications Centre of Excellence have demonstrated how vulnerable soldiers are – and how cheap this strategy is to deploy.

The “live fire” exercise had a secret NATO team in Latvia targeting a group of troops as they took part of a military exercise. The team managed to “identify all members of certain units, pinpoint the exact locations of several battalions, gain knowledge of troop movements to and from exercises, and discover the dates of active phases of the exercises.”

Even worse, they did it all for about $60 dollars.

Let’s be friends

The catfishing idea came as a result of the Cambridge Analytica scandal. Military minds started to think about just how much sensitive information soldiers might potentially reveal online and set up the special team to see what could be learned during a regularly scheduled exercise. The special team used a variety of tactics: impersonation, honeypot pages, social engineering, regular monitoring, and search engines. They started by setting up fake pages on Facebook and Instagram, then bringing the soldiers into closed Facebook groups where the fake accounts then asked them an array of questions about the military exercise they were involved in.

Lots of details

In just one month, the special team had snared 150 soldiers. Some of the details gleaned during the exercise included phone numbers, email addresses, and the location (within one kilometer) of the catfished soldiers. In addition, they also collected pictures of the unit’s military equipment and their movement in the field.

You don’t really want to do that

The goal was more than just collecting static information. They also wanted to see if social media activity could change real behavior by getting soldiers to leave their positions or not fulfill their details. The report did not give out any details on this, other than to state that “the level of personal information we found was very detailed and enabled us to instill undesirable behavior during the exercise.”

Real soldiers do not tweet

The team found not all social media was created equally, at least for harvesting military data. Instagram provided the most timely information. Facebook was the best for identifying individuals and their connections with its suggested friends feature. On the other hand, Twitter was rarely used.

So much for internal Facebook controls

Facebook had limited success in shutting down part of the operation. The team’s pages which impersonated other pages were suspended within hours as were some of the profiles impersonating other people. However the closed groups and the fake profile were left untouched by Facebook.

As the report concluded: “The privacy features and settings of social media platforms cannot be trusted to not leak information to other layers of the social media platform, or to other users and companies with an interest in such information.”

This post is also available in: German

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.