Post 1: Facebook Scam & Spam
- By Richard Clooke on April 23, 2012

With over 800 million registered users Facebook is the biggest thing since the Beatles (or Bieber, Beyonce and Barbra Streisand depending on who you are). Never before have there been fewer obstacles to sharing everything you do with everybody. In. The. World.
Communication barriers have tumbled with such force and finality that any individual or company can now reach virtually anyone with an internet connection. But with that huge popularity and everyone “liking,” “commenting,” and incessantly posting status updates, Facebook has inevitably become a major target for abuse and attacks.
Symantec recently published a paper on the security risks of social networks, citing Facebook in particular, and while the social networking giant regularly and rapidly updates its security measures to protect its users, the opportunity for cyberattacks is still present. The most prevalent scams start by grabbing the user’s attention either by posting in a friend’s status update or by chatting directly - but other techniques include sending an event invite or using a geo-location service to appear credible. The cybercriminals then use social engineering to get the user to divulge personal information and passwords, to grant access to their friend lists, or to hand over access to their account (and Facebook identity) altogether.
In the next few posts, we’ll outline the most widespread scams, we’ll tell you how to spot them and how to deal with them if you’ve been a victim. We’ll also give suggestions on how to make sure you’re protected in the future.
Scary Scams and Spam
Like/Share-Baiting
What it is: An attacker poses as a credible source and asks the user to like a page, photo, video or status update in order to see some promised (and usually sensational) content.
What it does: When the user clicks “like,” they may be directed to a survey that asks for personal information, required to sign up for subscription services, or asked to post the link multiple times on Facebook.
What’s the point? The cybercriminals behind these scams earn a commission on each person who fills out the survey or signs up for the subscriptions, making up to $20 from each person!
How Facebook is protecting users: Facebook uses third-party services to analyze any direct links leaving the Facebook.com domain. If the scam is already known and classified, the link will appear as “blacklisted” and Facebook will warn users before they click it.
Recommendation: Be skeptical of any content that requires you to share personal details or to fill out a survey. Always read the fine print – is it worth giving in to cybercriminals just for a voucher or to watch an online video?
Like Clickjacking
What it is: An attacker presents you with what appears to be a video with a simple ‘play’ button – but there’s actually an invisible frame on the page with a hidden “like” button positioned under it. That hidden button belongs to a page created by the attacker, who may ask the user to click (sometimes multiple times) on a specific area of the page.
What it does: When the user unknowingly “likes” the page, it actually posts a status update on the user’s wall – meaning their friends will possibly be tempted to also check out the page. The attacker can then reach their entire network of friends almost instantly.
What’s the point? The page the attacker links to may contain malware or an advertisement on which they receive a commission for every click.
How Facebook is protecting users: Facebook has introduced modifications to prevent clickjacking that include a pop-up window that shows users what they’re actually liking or sharing, and has a page on the site where users can go to re-secure their account if they believe it’s been compromised.
Recommendations: If you receive a message with a sensational tone or subject matter that promotes a video or image, think before you click – even if it came from a trusted source. Your friend’s account may have been compromised – and would they really have posted that video on their wall? Why would any legitimate message require you to click multiple times? It all sounds a bit phishy to us.
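As an added example (not code from the original post or from Facebook), here is a small JavaScript check for whether a page’s response headers allow it to be loaded inside a frame at all, which is the precondition for the invisible-frame trick described above. It assumes the headers are passed as a plain object with lower-case names, and the sample responses are constructed for the example.

```javascript
// Added example (not from the original post): check whether an HTTP
// response forbids being framed, which is what stops a page from being
// loaded in the invisible frame a clickjacking overlay relies on.
// Assumes headers are passed as a plain object with lower-case names.

function parseFrameAncestors(csp) {
  // CSP directives are ';'-separated; frame-ancestors takes a source list.
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  const xfo = headers['x-frame-options'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  // Browsers honour frame-ancestors and ignore X-Frame-Options when both are present.
  if (ancestors) {
    if (ancestors.length === 1 && ancestors[0] === 'none') {
      return { framable: false, via: 'csp', allowed: [] };
    }
    return { framable: true, via: 'csp', allowed: ancestors };
  }
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { framable: false, via: 'xfo', allowed: [] };
    if (value === 'SAMEORIGIN') return { framable: true, via: 'xfo', allowed: ['self'] };
    // Any other value (including the deprecated ALLOW-FROM) is not reliably enforced.
    return { framable: true, via: 'xfo-invalid', allowed: ['*'] };
  }
  return { framable: true, via: 'none', allowed: ['*'] };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  hardened: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  widget: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  weak: { 'content-type': 'text/html' },
};

function report() {
  return Object.fromEntries(Object.entries(SAMPLES).map(([n, h]) => [n, framingProtection(h)]));
}
```

A widget that is meant to be embedded on other sites, like a Like button, cannot deny framing this way, which is why the confirmation pop-up the post mentions is the fallback for that case.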
Malicious (iFrame) Application
What it is: An attacker dupes users into installing an application that steals information or gains access to their accounts. Posing as the victim, the attacker wreaks havoc in the Facebook universe.
What it does: It can ask for (or take):
1) access to your personal data at any time,
2) the ability to send you emails (which means it will know your email address),
3) access to your publish stream (which means it can post to Facebook as you),
4) your XMPP login (which means it can engage in Facebook chat as you).
What’s the point? Attackers can use this information to send you and your friends spammy advertisements, they can use your Facebook account as a mule through which to distribute malware, or they can use your personal information to glean passwords or steal your identity.
How Facebook is protecting users: Facebook requires that all applications ask users for permission to access information prior to download.
Recommendations: Double-check the permissions that any application requests prior to installation and consider if it really needs access to that information. In fact, think twice before installing any apps on your account – are they from a reputable app developer?
That’s it for the first part – stay tuned for part 2 of this essential guide to avoiding scams on your favorite social media site!