Ghost accounts, depending on context, have various definitions. A Ghost Account can be:
- A social media account made solely to view other people’s content
- An inactive account that is still live but has either been forgotten about or is seldom used.
Ghost Social Media Accounts
People make ghost accounts on social media platforms for a variety of reasons. Many people with ghost accounts also have a primary account which they use to project their public image, while the secondary account serves a specific purpose (e.g. business). Often people create a second account on a platform for posting content that they wouldn’t post on their primary account. This is not always suspicious, as there may be a legitimate reason: for example, reaching out to an LGBTQ+ forum for support, when the primary account has all their family and friends on it and is where they post their regular content.
They can also be used for quietly “lurking”, which isn’t always malicious but can be creepy; for example, an adult may follow children’s accounts using a child persona.
There are many legitimate reasons to have a second account (e.g. I have a Twitter account for this site and another for my personal postings). However, alarm bells should ring when the social media account:
- Has no postings
- Is following a lot of people but no followers
- Contains a lot of re-blogs (re-tweets) but no original content
- Posts that are primarily adverts or links to other sites (that could very well be malicious)
- Contains a lot of adult oriented content.
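The indicators above can be turned into a simple triage rule. The following is an added example (not code from the original post): it scores constructed sample profiles against those indicators. The profile field names and the thresholds (50 accounts followed, 70% link posts, 50% adult posts) are this example's own assumptions, not figures from the post.

```python
from dataclasses import dataclass

# Constructed sample profiles (not real accounts) in the shape a platform API
# or scraper might return; field names are an assumption of this example.
@dataclass
class Profile:
    handle: str
    posts: int
    original_posts: int   # posts that are not re-blogs / re-tweets
    followers: int
    following: int
    link_posts: int       # posts that are primarily adverts or external links
    adult_posts: int

def red_flags(p: Profile) -> list[str]:
    """Return the indicators from the list above that this profile trips.
    Thresholds are assumptions chosen for this example."""
    flags = []
    if p.posts == 0:
        flags.append("no postings")
    if p.following >= 50 and p.followers == 0:
        flags.append("follows many, followed by none")
    if p.posts > 0 and p.original_posts == 0:
        flags.append("only re-blogs, no original content")
    if p.posts > 0 and p.link_posts / p.posts >= 0.7:
        flags.append("mostly adverts or outbound links")
    if p.posts > 0 and p.adult_posts / p.posts >= 0.5:
        flags.append("mostly adult content")
    return flags

SAMPLE = [
    Profile("lurker_2291", posts=0, original_posts=0, followers=0,
            following=312, link_posts=0, adult_posts=0),
    Profile("daily_deals_4u", posts=400, original_posts=12, followers=3,
            following=900, link_posts=380, adult_posts=0),
    Profile("jane_photos", posts=150, original_posts=140, followers=210,
            following=180, link_posts=5, adult_posts=0),
]

def triage(profiles) -> dict[str, list[str]]:
    """Map each handle to the indicators it trips; an empty list means none."""
    return {p.handle: red_flags(p) for p in profiles}

if __name__ == "__main__":
    for handle, flags in triage(SAMPLE).items():
        print(handle, "->", flags or "no indicators")
```

A profile that trips one indicator is not proof of anything (a brand-new account has no postings); the value is in combinations, such as zero posts together with hundreds of accounts followed.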
Cyber criminals can use these types of accounts to carry out surveillance and to gather personal information from people interested in the subject matter. The more personal information you post, the more they will be able to harvest. The accounts can also be used to launch attacks, by posting malicious links or through direct messaging. If your social media handle closely mirrors the email address used to open the account, they can guess that address and pivot to attacking your email account. Using information from your social media postings, they may have several options for guessing your password or answering your security questions (e.g. your cat’s name, birthplace, interests).
How many times have you opened an account with a website, only to never use it past the purpose for which you initially created it? I suspect you have several accounts like this.
Accounts you create and rarely go back to are accounts whose activity you are not monitoring. This is an issue especially when there is a financial component, like a payment method you activated for a single purchase, or an email account you rarely log in to.
Accounts you use for identification purposes
You may open an email account with Google (Gmail) or Microsoft (Outlook) for a specific purpose, e.g. to access a certain service without disclosing your primary address to it. You may never go back to that account after you have stopped using the service, but the account remains live. If it is not secured with a strong password and 2-Factor Authentication, anyone who knows the email address can attempt to guess the password or abuse the account-recovery process. As you are not monitoring the account, you won’t know that it has been co-opted for someone else’s benefit.
There are various precautions you should take when opening an account:
- Enable a complex password
- Enable a 2-Factor Authentication (2FA) method (preferably not via SMS)
- Add a security email address/mobile phone number that can be notified if settings are changed and in the event you need to recover the account.
Once you have stopped using the account, go back to the service and delete it.
Accounts for accessing services
When I talk about a service I am referring to, for example:
- News sites
- Social Media
- Shopping sites
- Work related accounts (e.g. cloud services).
You may open an account at a news site to access certain articles, but then never login again. The same can be said for shopping sites (e.g. Amazon, eBay).
In the work environment these accounts are opened for employees so that they can do their job. However, if that person’s job no longer needs the access, or they leave the company, the account becomes inactive and a target for cyber criminals. Work accounts should be closely controlled so that access is removed when it is no longer needed. This is often automated, either based on inactivity or triggered by HR when the person leaves the firm.
It is normal for an account that has been inactive for a specified time to be locked requiring a password reset to re-gain access. After a period of time that account may also be deleted from the service.
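The inactivity and leaver rules in the two paragraphs above, as an added example that is not code from the original post. It reviews a constructed export from an identity directory and decides, per account, whether to leave it alone, lock it pending a password reset, flag it for deletion, or disable it because HR says the owner has left. The column names and the 90-day and 365-day thresholds are assumptions for this example; accounts that have never logged in (e.g. a service account that was provisioned and forgotten) are aged from their creation date.

```python
from datetime import date

# Constructed sample directory export (not real users); column names are an
# assumption of this example.
ACCOUNTS = [
    {"user": "asmith", "created": "2021-03-01", "last_login": "2024-05-30", "hr_status": "active"},
    {"user": "bjones", "created": "2020-07-15", "last_login": "2023-11-02", "hr_status": "active"},
    {"user": "cdoe", "created": "2019-01-10", "last_login": "2024-04-20", "hr_status": "left"},
    {"user": "svc_reports", "created": "2022-09-01", "last_login": None, "hr_status": "active"},
    {"user": "ewong", "created": "2024-02-12", "last_login": "2024-03-01", "hr_status": "active"},
]

def review_accounts(accounts, today, lock_after=90, delete_after=365):
    """Return {user: action}. Leaver accounts are disabled regardless of activity;
    the rest are judged on days since last login (or creation, if never used)."""
    actions = {}
    for a in accounts:
        if a["hr_status"] == "left":
            actions[a["user"]] = "disable: owner has left"
            continue
        # Never-used accounts are aged from creation, not treated as fresh.
        last = a["last_login"] or a["created"]
        idle = (today - date.fromisoformat(last)).days
        if idle >= delete_after:
            actions[a["user"]] = f"delete candidate: idle {idle} days"
        elif idle >= lock_after:
            actions[a["user"]] = f"lock and require password reset: idle {idle} days"
        else:
            actions[a["user"]] = "ok"
    return actions

if __name__ == "__main__":
    for user, action in review_accounts(ACCOUNTS, date(2024, 6, 1)).items():
        print(f"{user:12} {action}")
```

Running this against a real directory means replacing the constructed list with an export from your identity provider; the HR "left" signal should come from the HR system rather than from the directory itself, otherwise a leaver whose record was never updated stays active.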
Mitigating Inactive Accounts
Some years ago I underwent an exercise to secure all my online accounts with strong/complex passwords and 2FA where possible. I found a lot of accounts I had created several years ago that I could no longer log in to. Some required a password reset to regain access, but a lot of them just remained with the original credentials I had set them up with. The ones I could not log in to had probably been deleted by the service owner, but I couldn’t be sure which email address I had given them, whether I had given them one I had subsequently deleted, or whether I had given them an inactive phone number. I had to assume, in this case, that the account had been deleted, but I couldn’t be sure.
The first thing you should do is proactively remove any accounts you are not actively using by going to the service, logging in and deleting the account. You may want to extract an archive of all your information before you delete the account as you won’t be able to access this after it has been removed. You should monitor any emails from services you don’t use anymore and remove the account at that service.
If you want to retain the account:
- Periodically reset the password to a highly complex one of at least 16 characters (including upper/lower case letters and numbers) and retain it in a password manager
- Login to the account and use it for something (e.g. sending a test email to another account) to reset the inactivity clock on the account
- If it is an email account have email automatically forwarded to another account so that you can see any activity going through the account
- Setup a security account/phone number that can be used to confirm setting changes.
Inactive accounts can also be phone numbers you don’t use anymore, in fact anything used to identify yourself at a service.
Ghost accounts like these can be taken over by a cyber criminal and used for their own purposes. Because you provided identifying information when you opened the account, you will be the one contacted when law enforcement tracks down the activity, and having no knowledge of it does not make your innocence easy to demonstrate.
If someone has taken over your email account they can take out services in your name, and the effects of identity theft where fraudulent services have been opened through the account can be very hard to undo. You should treat your email accounts as highly confidential and secure them accordingly. Adding layers of security to these accounts often creates friction when you are trying to use them, but that is better than losing control of an account.
Ghost accounts are a serious security threat and can be broken into, taken over and used by cyber criminals for whatever purposes they want to. They can gain access via several means, including:
- Credentials (e.g. email address, password) disclosed as part of a data breach
- Weak passwords that can be easily guessed from information you post on social media
- Phishing attempts that trick you into logging into a fake website, disclosing your login details.
Ways to harden access to these accounts are:
- Actively monitor the account
- Add strong/complex passwords and use a password manager
- Use biometrics for login verification
- Use a hardware token (e.g. a Yubikey) to verify access
- Do not use your email address as a public nickname on the account
- Regularly check sites like “Have I Been Pwned” to see if your email address and/or password have been disclosed in a data breach.
If an account has been disclosed in a data breach, then:
- Reset the password on that account
- If you re-used that password on other accounts, reset the password on those accounts too; attackers will try the leaked email/password pair against other services
- If only the email address was disclosed, expect more phishing and login attempts against every account registered with it, and make sure each of those has its own password and 2FA.
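The two pieces of advice above, choosing a complex password of 16+ characters and checking whether a password has appeared in a breach, as one added example that is not code from the original post. The generator draws from the OS CSPRNG via the `secrets` module and rejects candidates missing a required character class. The breach check implements the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service: only the first five hex characters of the password's SHA-1 are sent to `https://api.pwnedpasswords.com/range/<prefix>`, and the returned `SUFFIX:COUNT` lines are matched locally, so the password itself never leaves the machine. The demo runs offline against a constructed stand-in response (`FAKE_RANGE`, containing the SHA-1 of "password"); the counts in it are invented, and `live_range_lookup` is provided for real use.

```python
import hashlib
import secrets
import string
import urllib.request

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)

def has_required_classes(pw: str) -> bool:
    """True if the password contains at least one lower, one upper and one digit."""
    return all(any(ch in cls for ch in pw) for cls in CLASSES)

def generate_password(length: int = 20) -> str:
    """Password from the OS CSPRNG. Rejection sampling (rather than forcing one
    character per class into fixed positions) keeps the result uniform over
    the set of passwords that satisfy the class rule."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    alphabet = "".join(CLASSES) + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_required_classes(pw):
            return pw

def split_sha1(pw: str) -> tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix sent to the API and
    the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned by the range endpoint.
    Padding entries (when Add-Padding is requested) carry a count of 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(pw: str, range_lookup) -> int:
    """Number of times the password appears in the breach corpus (0 = not seen).
    range_lookup maps a 5-char prefix to the response body for that range."""
    prefix, suffix = split_sha1(pw)
    return parse_range(range_lookup(prefix)).get(suffix, 0)

def live_range_lookup(prefix: str) -> str:
    """Real lookup against the Pwned Passwords API (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "ghost-account-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the response to /range/5BAA6 so the example runs
# offline. The first suffix is SHA-1("password") minus its 5-char prefix; the
# count is invented, and the second line imitates a zero-count padding entry.
FAKE_RANGE = {
    "5BAA6": f"1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n{'0' * 34}A:0\n",
}

def offline_range_lookup(prefix: str) -> str:
    return FAKE_RANGE.get(prefix, "")

if __name__ == "__main__":
    print("password ->", breach_count("password", offline_range_lookup), "breaches")
    candidate = generate_password()
    print("generated:", candidate, "->", breach_count(candidate, offline_range_lookup), "breaches")
```

Swap `offline_range_lookup` for `live_range_lookup` to check a password for real; a non-zero count means the password should not be used anywhere, even if the account it came from has been reset.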
Ghost accounts that are used by cyber criminals to harvest information on social media are particularly dangerous. Ways to mitigate this are:
- Never accept friend requests from people you don’t know
- Monitor alerts for people following you on social media and, if they look suspicious or you just don’t want them to follow you, block them
- Report suspicious accounts to the social media site admins
- Enable privacy measures (e.g. restricting who can see your posts to friends only).
This blog has touched on a number of subjects that we will be doing a deeper dive on in future blogs. For example:
- Identity Theft, although you can already read our blog on Digital Identities
- Using Social Media securely
- Use of hardware tokens for 2FA.
Please keep a look out for these blogs.