In an age when more public information is shared online than ever before, the dangers surrounding the misuse of this information are also greater than ever before. Scams, fraud, and phishing attacks permeate social networking, and are becoming incredibly prevalent on the most popular of social networking sites, Facebook. Due to its popularity, Facebook is rapidly becoming a new digital frontier for online fraud.
Facebook accounts make great targets for attackers, especially due to password re-use. Many people use the same password for Facebook that they use for banking, work, and many other web-based subscriptions. This makes that password a massive target for hackers... and due to the open information sharing dynamic that Facebook weaves into the zeitgeist of its online experience, that password is quite vulnerable. Many passwords can be guessed with a little knowledge of personal information and preferences. Sports teams, college names, and movie or book character names are often popular choices for passwords, and finding out personal information is easier on Facebook than nearly anywhere else.
Take a look at the social engineering attacks below. Have you already fallen victim to an information-gathering attempt?
Prevalent Facebook ScamsEdit
At first glance, many of these attacks may seem innocuous enough... but they all reveal some pretty personal information that could be used for hacks, further social engineering attempts, or outright identity theft.
Who knows you best?Edit
The message reads:
"Can you do this? My middle name __________, my age ___, my favorite soda _______, my birthday
___/___/___, whose the love of my life ______, my best friend _____, my favorite color
______, my eye color _______, my hair color ______ my favorite food ________ and my mom's
name __________. Put this as your status and see who knows you best."
How many of these are the same facts your bank asks to verify your identity? Put this as your status and everybody, including attackers who want to hijack your bank account and credit cards, will know you well enough to make a viable attempt.
Your friend [NAME HERE] just answered a question about you!Edit
Is it possible that an old friend answered a question about you that you need to "unlock?" Sure. But when you click on the link, the next screen should give you pause-
21 Questions is requesting permission to:
a) access your name, profile picture, gender, networks, user ID, friends and any other
information shared with everyone
b) send you email
c) post to your wall
d) access your data any time
Facebook application permissions is a murky realm. Sometimes it's hard to judge whether an application should need the permissions it asks for... and there's no way to use the application without granting those permissions. When it comes to allowing your personal data, and the data of your friends, to be accessed by people you haven't technically approved, it's far better to be safe than sorry. Which is all the more true with applications like these, which ask for a veritable cornicopia of personal data on which they might feast. Should you approve the application regardless, you must answer a plethora of questions about your friends before seeing what people said about you... further extending the network of shady information gathering.
Scams like this one spread in the same manner a traditional computer virus would... however, in this case, we're seeing something new. There is no malicious code being spread, no programming footprint that antivirus software could see and stop. Each insidious tendril of this threat is just... us. This phishing attack relies on the very same human impulses that draw people to social networking sites. A user might not think twice about sharing information the same way the have been all along... the difference is, this time they aren't just sharing it with their friends. This social trojan horse takes advantage of the social networking dynamic to obtain personal information... be wary of it.
LOL. Look at the video I found of you!Edit
This is the most immediately dangerous of the latest crop of social networking threats. If you see a message like this from a friend, it's likely that it's coming from a hijacked account. Following the link (which will sometimes ask you to download a video plugin (which is actually the virus) or, even more perniciously, simply install malware on your computer directly from the webpage (a more sophisticated, but rarer, technique)) will add your account to the growing network of hijacked, "zombie" accounts, as well as allow the attacker to install spyware, keyloggers, and any number of a host of viruses on your computer. This threat is similar in many ways to botnets... infected accounts infect other users, and the network of compromised systems grows. Up to date antivirus software will stop this attack... but it's far safer to recognize this attack for what it is, not click the link, and notify your friend that their account has been hacked.
It started out as an email scam, but now the "We're stuck in [Europe/Asia/Canada] and need money" scam has moved to instant messages on Facebook, where its effectiveness is greater. Most people have learned not to react to the email, but instant messages cause a more emotional reaction. Believing that your friend is right there, on the other end of the chat window, causes a much stronger response, and increases the effectiveness of the attack.
Facebook has its own page containing information about security threats, and includes a security quiz to gauge one's social network security savviness. See Facebook Security for more information.