Hack attacks, ID theft and malicious software target growing membership of online communities: Internet Scambusters #306
With online communities firmly in their sights, hackers and criminals use a variety of techniques to launch social networking scams.
Membership of these sites exceeds 70 million and, without taking sensible precautions, no one is safe from attack — even people who aren’t members.
We explain the 5 most common social networking scams and show you what to look out for.
Time to get going…
The 5 Most Common Social Networking Scams
Internet security experts are increasingly concerned about the rapid growth of social networking scams — attacks on members of online communities like Facebook, MySpace, Flickr and LinkedIn.
Latest official estimates say that more than 70 million Internet users belong to one or more of these virtual community groups but the actual number is likely significantly larger — and rising rapidly by the day.
The attraction? Like-minded people can meet and get to know each other, whether they’re teens exploring music and fashion tastes or business people using them as a marketing tool to make new contacts.
And, as one expert at a recent Black Hat hackers conference in Las Vegas explained, steering clear of membership doesn’t necessarily guarantee protection from social networking scams. Someone else could easily open an account in your name.
A while back we reviewed how to keep your teens (as well as yourself) safe on MySpace and other social networking sites.
In this issue of Scambusters, we review the five most common types of social networking scams and offer tips on how to avoid them.
1. Downloading malware
Running social networking sites is a competitive business with rich rewards from ad revenues for the winners. To give themselves an edge, most online community operators are constantly upgrading site functionality.
One technique allows members to install user-created applications on their profile pages. These might be used, for example, for animation, calendars, photo-feeds or simple games.
Trouble is that there are so many of these programs around that even the site security people struggle to keep pace with them.
This opens the door to the tricksters who are churning out spyware, trojans and viruses that members then unknowingly either download to their own computers or post on their profile page.
Experts believe this is by far the most common social networking scam. In a recent attack that hit all the big online communities, a supposed link to a video prompted users to install a plug-in; this then not only installed malware on the victims’ PCs but also mailed itself to everyone on each victim’s “friends” list.
According to one expert, the reason social networking sites are particularly vulnerable is that the very essence of an online community is trust. People don’t expect to be scammed by other users. That makes them easy prey.
Keeping your Internet security software up to date creates the first line of defense against this sort of attack. You should also be wary about downloading and using new applications from unknown providers.
And just like with email, don’t believe that a message you got from a supposed friend or contact necessarily did come from that person.
2. False identity
It’s easy to set up a profile on the big social networking sites. For criminal types, this means an opportunity to pass themselves off as someone else — either real or non-existent.
Their motives may just be to have some anonymous fun but they’re more likely to be sinister, like establishing phony friendships that lead to face-to-face meetings with who-knows-what consequences, or to float invitations to adult sites.
Sometimes, the scammers use the identities of genuine people, using information and photographs trawled from the Internet. At the Vegas conference referred to above, two experts did just that to set up a LinkedIn profile. It garnered 50 friends in 24 hours.
The bottom line: Realize how easy it is to establish phony identities and don’t blindly trust that someone is who they say they are. Be wary about accepting new friends you haven’t checked out.
It’s often hard to avoid personal details and pictures of yourself appearing on the Internet but, at the very least, monitor (via Google) what is available and try to remove anything that could make you vulnerable.
And if you’re not a member of these online communities, it’s still worth visiting them. Consider setting up a limited user account, or at the very least do a search on your name, just in case someone’s pretending to be you.
3. Identity theft
In addition to passing themselves off as someone else, scammers also steal identities via social networking sites.
For a start, individual profile pages often bristle with personal information that can be used for ID theft — things like your age/birthdate, your location, phone number, email address, maybe your job and family details. And, of course, your photo.
They might try to build on that by phishing for your log-on password. They know that the chances are you use the same password for other sign-ons.
The most common technique is the message through the network that appears to have come from an online buddy, inviting you to check out a new profile page.
Clicking the link takes you to a bogus page that asks you to log on “again.” In reality, you’re handing over your confidential password to a scammer.
You can limit the risk of this type of identity theft by not posting too much giveaway detail about yourself on your profile page and watching out for suspicious invitations to view another profile.
Beware of any links that ask you to sign on again. This would be very unusual, if not unheard of, if you’re already signed on to the network. If the invitation comes via email, contact the friend to confirm he/she sent it.
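The "sign on again" warning above comes down to checking where a link really leads before typing a password. The Python code below is an added example, not part of the original Scambusters article; the trusted domain list, the function names and the sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the networks really serve their sign-on pages from.
TRUSTED_DOMAINS = ("linkedin.com", "facebook.com")

# Constructed sample links, as they might appear in "check out this profile" messages.
SAMPLE_LINKS = [
    "https://www.linkedin.com/login",
    "https://linkedin.com.profile-view.example/login",
    "https://facebook.com@signin.example/",
    "http://www.facebook.com/login",
    "https://xn--linkedn-example.com/login",
    "https://notlinkedin.com/login",
]


def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return (ok, reason) for a link that leads to a sign-on page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # Everything before "@" is ignored; the real host comes after it.
        return False, "userinfo before host"
    if not host:
        return False, "no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label, possible look-alike characters"
    for domain in trusted:
        # Exact match or a true subdomain; "notlinkedin.com" must not pass.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host is not a trusted domain"


def suspicious_links(urls):
    """Return the links a user should not sign on through."""
    return [u for u in urls if not check_login_link(u)[0]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_login_link(link)[1])
```

Only the first sample link passes; the others fail because the trusted name appears somewhere other than at the end of the real host, or because the connection is not encrypted.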
4. Profile page hacks
When it comes to social networking scams, it’s just as easy for criminals to hack your profile page as it is for them to create their own phony profiles. All they need is your username and password.
Sometimes, hackers do this just for their own idea of having fun, scrawling graffiti over a user’s page. Other times they install invisible code that can be used for malicious purposes. Or they simply use your ID as a platform for spamming.
Occasionally, their intent is pure evil. In one recent, well-aired case, bogus identities were used to launch a cyber-bullying attack, repeatedly defacing the victim’s site with malicious comments. The victim subsequently committed suicide.
The key to preventing this type of attack is not only to have a strong password but also to change it very frequently. Read more about this and pick up some useful computer password security tips in this Scambusters article.
If your profile or your identity is in any way compromised, you should also inform the site operator. If threats are involved, tell the police.
5. Sending and receiving spam
A college student from Chicago recently reported how his MySpace friends became infuriated after receiving messages, purportedly from him, promoting the sale of adult products. Recipients included his 14-year-old niece.
Turned out he’d installed a widget program of the sort described in social networking scam #1 above. Its supposed purpose was to help decorate the user’s page but additionally it mailed the spam to all his friends.
If they subsequently clicked on any of the links, it did the same thing all over again.
But scammers don’t only want to use your profile to spam others. They want to spam you. And they want to do this with very carefully targeted emails.
Especially on sites for business professionals, they scour members’ personal details. They use the sites’ own search tools to identify members’ areas of expertise and interest.
Messages are then sent to them from a bogus-identity account on the network. Recently, this included variations of the Nigerian 419 advance fee scam which, because it was passed between network members using the network software, bypassed individuals’ spam filters. You can find more on Nigerian Fee 419 scams on our site.
Alternatively, the names and details gleaned are combined together into master lists of people with specific interests that are sold on to other spammers.
Reduce this danger by limiting the amount of information you post on your profile page and listing a short-term or disposable email address for contact.
Social networks have become part of the fabric of online life and their popularity is likely to increase for many years to come. And there’s no doubt they’re a great way to make friends or do business.
Don’t let the criminals spoil the party. Wise up to their tricks — and make sure your online friends know about them too.
That’s a wrap for this issue. Wishing you a great week!