No, you can’t win tickets for Radio 1’s Big Weekend festival by liking a Facebook page. It’s not true that there are free business-class flights being given away by Qantas Air. And no, TV show Total Wipeout isn’t bringing a tour to your local city. But all three are recent examples of convincing scams on Facebook where fraudsters pretending to be trusted brands have mocked up pages in search of likes, comments, shares and more from unwitting users.
They are seen as a cost-effective method of compromising many users with relative ease, according to Cisco’s director of cybersecurity in the UK, Ireland and Africa, Terry Greer-King. Facebook scams take a number of forms, from fake news stories to suspect quizzes to pages that phish for users’ personal details.
One of the common tricks is to tempt users with clickbait headlines that seem to link to interesting or quirky news stories, but in fact lead to dangerous waters. Gavin Hammer, of social-media software firm Sendible, says: “The issue is they are legitimate websites who are paying to advertise, but are subsequently changing content. It’s the click-through with all the promise and no delivery.” Viruses, worms, trojan horses, ransomware, spyware and other malware are installed in this way.
Dmitri M, cybersecurity analyst at BestVPN, says that changes to initially innocuous content can catch Facebook users unawares. “One increasingly popular guise cybercriminals take starts with the mundane. A potential threat source will post a funny meme, video, or cute pet picture, the type highly likely to go viral,” he says. “Then, once the post (or page with multiple posts), has received a high number of engagements, the content flips to something more nefarious, or simply gets hidden behind a task the user must now complete to view content.”
Jovi Umawing, a malware intelligence analyst at Malwarebytes, says scammers take advantage of real-world events with fake news links. “We have noticed a growing trend where scammers are not only stealing login credentials but asking for victim’s payment information, too,” she adds.
Be quizzical about quizzes
Fake news stories aren’t the only thing putting users at risk. Those quizzes and surveys that your relatives delight in completing and sharing? Some security experts think they’re very dangerous, too. AVG’s senior security evangelist Tony Anscombe says social-engineering attacks are dominated by surveys that promise free things but actually harvest personally identifiable information about the user, with the intent of using it for malicious or fraudulent purposes.
Richard Patterson, director of Comparitech.com, says people often unknowingly give permission for their data to be passed on. “Consumers readily click ‘accept’ on terms and conditions for Facebook apps and quizzes, often without a second thought,” he says.
His company published a blog post in 2015 about a Facebook quiz called Most Used Words, which signed up more than 18 million people to terms and conditions that gave permission for their data to be sold to third parties, as well as giving the app access to their name, profile picture, age, sex, birthday, friend list, entire history of Facebook posts through to details of their IP address and device.
“It should be noted that the company behind this app, Vonvon, has since stated it does not make commercial use of or sell any personal data and has amended its terms and conditions following this story,” says Patterson. “However, not all companies will be as ethical.”
Comparitech recently surveyed 1,000 British internet users, and found that only 7% said they would willingly give up their personal information to use Facebook apps like quizzes if they knew that data would be going to third parties. “This figure is in stark contrast to the millions who agreed to the terms and conditions of the Most Used Words Facebook quiz and points to a need for education of Facebook users to be more privacy conscious,” says Patterson.
For all the scams that catch people out on Facebook, the social network has a lot of success in stopping many more. That has forced scammers to move off site to try to tempt users. Mike Lee, director of social media solutions at security firm Proofpoint, says there has been a drop in the kind of scams that try to get people to click on links to malware directly from Facebook.
“As a result, those threats are being replaced by more complex text-only schemes that try to trick people into buying bogus products or directly volunteering personal information (banking credentials, healthcare, identity, etc.) without relying on links,” he says. He cites the example of one common scheme that encourages people to engage in a private email or phone conversation, then pay a fee to join a “Make great money working from home” scheme.
“One of the things that makes social media attractive to bad actors is its efficiency at delivering malicious content. A single comment on a popular Facebook page may be viewed by 10,000 followers,” says Lee. “It’s much more difficult for a perpetrator to send out 10,000 scam emails that avoid spam filters.” He also warns of a trend for fraudulent accounts that impersonate trusted brands and then use those profiles to deliver scam lures. “For example, a bogus branded customer care account may direct fans to a bogus web site to reset their password as part of a system upgrade. That bogus web site is, of course, owned by the bad actor who is stealing credentials,” he says.
As Facebook has evolved and acquired more services, scams have evolved too. Facebook users are also being targeted on Facebook Messenger, WhatsApp and Instagram. “The addition of interactive, one-to-one communications has opened Facebook users to more social engineering attacks. These attacks aren’t new, but they do follow the population of users from platform to platform,” says Tim Erlin, director of security and product management at Tripwire.
“Scams on WhatsApp, Messenger, and Instagram are not that different from those on Facebook or on Twitter. Weight loss, ‘increase your follower count’, and ‘see who viewed your profile’ scams are common across the board,” says Umawing. She warns that WhatsApp and Instagram are targets for scammers who want to persuade users to download PUPs – Potentially Unwanted Programs – which for example might ask for a mobile number then use it to contact premium numbers and charge users, who don’t know until their bill arrives.
Even if you’re not being directly targeted, some experts say that Facebook users should also be mindful of how much information they’re sharing on the social network. “If a user’s Facebook account is locked down so that only friends and family can see pictures and updates it is relatively safe but the settings must be verified on a periodic basis because they are subject to change without much notice,” says Tripwire’s senior director of security R&D, Lamar Bailey, who cites the example of a criminal contacting your friends or family while you are out of the country, pretending to be you and asking for money due to some holiday disaster.
“Many users would argue that they only share this content with friends but, like we saw with the Ashley Madison breach, a large number of Facebook profiles are fake and set up to harvest information,” says James Maude, senior security engineer at Avecto. “Many have hundreds of ‘friends’ they don’t even know and so they are leaving themselves vulnerable to attack.”
Scams are declining – but we’re not out of the woods
But it’s not all bad news. Some security firms report that, overall, Facebook scams may be declining. “During 2015 AVG detected fewer exploits being initiated from Facebook pages,” says Anscombe. Meanwhile, the nature of Facebook attacks is changing. “Facebook scams are also used to gain access into organisations – this is where the big money is and these targeted ‘watering-hole attacks’ appear to be on the rise,” says Maude.
“Although employees are often aware of the dangers of clicking links and opening documents that arrive via email, they are less wary of links on social media. This makes businessmen and women on Facebook a prime target.”
“Facebook is doing a good job of building security into the platform across the board. In particular, they do a very good job with baseline measures like blocking profanity or links to known malware,” says Proofpoint’s Mike Lee. “For more complex threats like bogus service scams and fraudulent accounts, they face a tough challenge in balancing the need for security with the need to provide an open platform that encourages communication between varying audiences and risk tolerances.”
Lee notes that scammer tactics are changing constantly, meaning that if Facebook tries to automatically block anything that might be a scam, it will end up blocking legitimate content and annoying users.
So is there less to be worried about now? Not necessarily. Anscombe warns that declining attacks through Facebook is no reason for complacency. “As the opportunity for cybercriminals to launch attacks through Facebook are reduced, cyber criminals will look for alternate ways to launch attacks and to make money,” he says. “Consumers should stay vigilant and not become complacent about the threat.”
“Most of the websites offer advice on how not to fall victim to a scam,” says Guy Bunker, senior vice president at security firm Clearswift. “But there is still a fundamental lack of knowledge in the general population as to what scams look like and how to avoid them.”
Patterson strikes an optimistic but cautious note. “Hopefully, 2016 will be the safest year yet for Facebook users, but that onus doesn’t lie squarely with the company – users will have to start taking more control of their own privacy and security,” he says.
Maude turns to advice older than social media itself for a general rule of thumb. “The best advice is something that your parents probably taught you: if it looks too good to be true it probably is.”
guardian.co.uk © Guardian News & Media Limited 2010