Social Scams – The Full Breakdown and Protection Plan
We’re exposing how scams work on social networks and giving away security tips
Remember the time when our email inbox was filled with requests to help endangered (and filthy rich) Nigerian princes?
Those scams never died; they just evolved. Attackers improved their tactics and changed the channel.
More people connected to the internet means that cyber criminals just have more potential victims. And when internet users migrate towards the social networks, guess where the attackers will be waiting?
Does this look familiar?
I bet you thought it’s a harmless post. But you could be just one click away from a nasty malware infection.
That’s why we decided to break down social media scams, so you can know what to expect and how to protect yourself.
Here’s the rundown of what you can learn from this article:
1. Make more money
Scammers plan most of their scams with one and only goal in mind: money. They will do anything to monetize your actions and your sensitive information.
They trick you into clicking on a link, downloading or installing something, liking or following a social profile, sharing something or sending it to your friends. They’ll try to gain any type of information from and about you that they can exploit or simply sell to others. They’ll even try to talk you into willingly sending them money.
2. Just for fun
However, some of these scams are done just for fun or out of curiosity, to find out if and how something works.
A quick example of a basically harmless scam: you’ve most likely come across at least one chain letter passed on via popular social networks. These are messages that claim that the owners of the network will start charging users or that it will shut down. They will prompt you to forward the message to everyone you know in order to stop the charging or the shutdown. Others claim that a brand or celebrity will donate money to a charity cause for every share of that message.
These kinds of scams are only social media clutter and noise. But they can also turn malicious very quickly.
How scammers take advantage of social networks to make money
1. They trick you into visiting websites and / or clicking on ads
Most websites make money from selling advertisements. The most common type of advertising is based on paying for impressions (page views – how many times did a potential customer view an ad?) or clicks (how many times did a potential customer click on an ad?).
The impressions system is based purely on traffic, on the number of times an ad was displayed to a user while viewing a web page.
The pay-per-click system means that advertisers only pay the website when a user clicks on an ad.
This system can be tricked by generating clicks that don’t come from genuinely interested users, or by hijacking clicks that were intended for a legitimate advertiser.
You may argue that it’s harmless, and that an individual page view or click will only bring scammers a tiny amount of money.
So what if they trick you into clicking on an ad and you thought it’s a completely different thing? Only wasted time, right?
Well, if you start multiplying those few cents from your click with other millions of clicks that they managed to gather, you’ll see that scammers can fraudulently raise serious amounts of money.
This is called “Click fraud” and, according to a report from the Association of National Advertisers, marketers all over the world could lose this year up to $7.2 billion because of it.
It’s also worth noting that 90% of web attacks are delivered through advertising networks.
2. They trick you into liking pages, following people, tagging, commenting
This is similar to the previous point.
By making you like a page, follow an account, comment or tag people, scammers will raise the numbers of a social account. They also ensure that the action will appear in your news feed, providing them with access to more people.
Sometimes, this is for the scammers’ own benefit, so they can pretend their account has genuine online influence and then place ads on it or even sell it.
Other times, third parties such as brands or companies will buy likes or followers for their social accounts. This way, they’ll be able to better sell their social media accounts, by making advertisers think they have real influence.
I’m just trying to explain how these things work, so I won’t comment on the ethics of this practice, as it’s not the main subject here.
3. They trick you into giving them sensitive information
Phishing is the name given to cybercriminals’ attempt to trick you into giving them sensitive information or money.
They will craft a plausible message that seems to come from a social network representative or from one of your online buddies. They will then lead you to a site that appears to be legit, where you’ll be prompted to enter sensitive information.
From name to email address, phone number, home address, social security number, to credit card details, bank account number, passwords, etc. – this kind of information can be used for financial fraud, identity theft, blackmail and so on. That’s why it’s important to keep in mind that your personal information is as precious as gold and you should do anything to protect it.
Phishing attacks used to happen mostly through email, but the landscape has changed dramatically over the past years, due to the rapid growth in social network usage.
How scammers can take advantage of social media for phishing attacks:
– By pretending to be a representative of a social network.
Phishers take their time to create websites that look identical to your favorite social media networks. They also create fake emails or social profiles, that seem to belong to genuine representatives of the network.
They contact you either directly on the network, through private messages, or through emails that seem to come from the social network’s representatives, and then try to trick you into clicking on a link to: reset your password, reconfirm your account, confirm that you don’t want your social account to be cancelled and so on.
The information you enter can then be used to access your account and send messages to your friends, to further spread the links.
Other times, they can make money by exploiting the personal information they’ve obtained, either by selling it to third parties or by using it to blackmail you.
– By sending messages that appear to come from a buddy. In those messages, they invite you to click on a link to check out a video or see some disturbing news.
– By finding out essential information about you that will then increase their chances of a spear phishing attack.
Spear phishing is directed at specific companies or individuals, and it’s not as automated as common phishing.
The attackers will take their time to gather all available information about their target, in order to create a highly personalized and believable email.
Last autumn, researchers from the Dell SecureWorks Counter Threat Unit identified a network of at least 25 well-developed LinkedIn profiles that were part of a social engineering campaign.
Spear phishing requires a bigger effort, but it’s the most effective kind of phishing attack. And with the publicly available information that we voluntarily share on social media, its chances for success will most likely increase in time.
Phishing is also a potential launch ramp for malware, which leads us to… trick no. 4:
4. They trick you into downloading malware
Malware is used as a collective name for malicious software – the type designed to disrupt or damage your data, software or hardware. Viruses, worms, keyloggers, Trojans – all these are just different forms of malware.
Cyber criminals spread malicious software for profit through adware (forced advertising), spyware (stealing your sensitive information) or ransomware (software that encrypts your content, blocks access to your system and demands payment in return for the key that will decrypt your data).
Usually, attackers get malware into your device through a variety of mechanisms that involve exploiting human and technical factors. You can get infected with malicious software just because you thought you were downloading a browser extension, an app or a game.
Examples of harmful apps to steer clear from:
These kinds of applications carry more or less dangerous types of malicious code. Afterwards, your social account will be used to spread the apps to your friends, sending them messages that encourage them to download the software as well, thus further propagating the malware.
These scripts can also command your profile to like other pages, helping scammers further monetize the con.
5. They trick you into spreading chain letters
We’ve mentioned these before. Chain letters are messages that catch your interest by claiming that a social network plans on charging users in the near future or that they will shut down. Chain letters ask you to distribute the message to everyone you know, in order to stop the network from charging money or shutting down.
Other forms of chain letters claim that a brand or celebrity will donate money to a charity cause for every share of that message. Bill Gates and Mark Zuckerberg are usually targeted for this one.
Variations include emotionally extorting you through fake stories of sick kids, false warnings of viruses circulating, monetary rewards, etc.
These letters used to be sent exclusively via email but, nowadays, because of the increasing popularity of social networks, cyber criminals started taking advantage of them and our decreasing attention span.
Chain letters can take the form of a post from an online buddy, or a direct message.
They are generally harmless, but, other times:
Many people have fallen for this kind of stuff and continue to propagate the messages.
Break the chain – report the message (or mark it as spam), delete it and inform the ones who sent them that they are fake.
Common tricks you can come across
Instead of focusing only on highly technical methods, scammers base their attacks on social engineering tactics.
Cyber criminals will cheat, lie, exploit your trust, take advantage of your emotions, curiosity or lack of technological knowledge, and trick you into installing malware or divulging sensitive information. No trick is off-limits.
It’s important to note that most people won’t even report when they were tricked via social engineering. They realize they were stupid and don’t want to further embarrass themselves. Reporting would benefit everyone involved, so it’s time to get over your mild embarrassment.
Here are a few scenarios that you must pay attention to:
1. Shocking news
Shocking news uses something that’s hot right then. It’s something that everyone is talking about in the media and on social networks, such as a terrorist attack or a flight crash. You might expect to see a video or news, but, instead, the link leads to spammy, pop-up filled or malware-laden websites.
“Curiosity killed the cat”.
2. Fake celebrity news
Kim Kardashian’s newest bum photos? Bin Laden’s video death? Vanilla Ice dead?
Always a sure way to get clicks from gullible users.
3. Emotional extortion
Photos of sick babies or endangered animals that lure you into watching a video or reading a news story.
4. Free stuff
Gift exchanges, free coupons, free trips, free iPhones, free likes or followers, gift cards – basically, free everything.
These scenarios usually take advantage of big brands names: Starbucks, Victoria’s Secret, the Cheesecake Factory. And they come in exchange for other potential ways for the scammer to propagate the con: click here, like and share, tag friends, follow someone, etc.
5. Easy money
Remember the Nigerian prince scam, where you’re typically required to send money over so that, in turn, you’ll receive several times more than the originally borrowed sum?
Or the spammy emails that claimed that you won millions of dollars at a lottery or a prize in a competition?
In order to receive the prize, they prompt you to send over some personal identification information and a small fee for postage.
These kinds of scams have simply moved from email to direct messages on social networks. Here’s an example from LinkedIn.
Easy money doesn’t exist. These are usually bogus offers that claim to help you start making thousands and then require a fee for you to get going.
In this category you can fit any message that has urgent requests. “Click here now, confirm here, download this, fill in this, install this” – messages that require your urgent action are usually used in phishing attempts.
If a service is very popular or has recently started to gain traction, you can be sure that scammers will be there. They know they have potential new victims and they won’t miss the opportunity.
Unfortunately, many of the compromised accounts are linked to other social networks, so scams are often cross-posted on profiles from other social networks.
It’s easy to understand why Facebook users represent the biggest percentage of scams victims: because everyone has a Facebook account, everyone’s there, thus increasing cyber crooks’ chances to succeed.
Some of the most successful Facebook scams include malicious apps that claim to let you:
These apps usually carry malicious code, that first infects you, and afterwards spreads itself using your Facebook profile.
Here’s how scammers took advantage of Mark Zuckerberg’s announcement from last year, when he declared that Facebook is looking into ways to implement a way to dislike posts:
“[…] scammers have already begun spreading phishing attacks and malware under the pretense of offering the as-yet unavailable feature. Promising early access to the dislike button, they con Facebook users into spreading malicious links among their friends.”
Here’s another one for you:
IM worms being disseminated on Facebook Messenger and used to spread links to malware.
After the user clicks the link in the message, a malicious applet is installed and used to download some files, including code that steals the user’s Facebook login credentials. The infected profile begins to resend the message to other users. Once a user has been infected, the worm is also capable of spreading the message (and malicious link) to other social networks and IM.
Follow FaceCrooks.com for more scams that target Facebook users.
Ah, the infamous Twitter direct messages (or Facebook tags or post on walls) with bad links!
They usually ask you baiting questions, such as “Is this you in this video?”. These are sent together with a malicious link that never shows you a video, but instead downloads malware onto your computer.
Next up: Twitter mentions – scammers take advantage of your desire to see who’s mentioning you on Twitter. They come from followers you don’t know and try to trap curious users. The links they send you will likely lead you to a malware source.
Beware of profiles belonging to so-called lottery winners, posting pictures of the winning tickets.
Scammers will say that they just won millions of dollars and intend to donate a few thousand dollars to the first 80,000 people who follow them. Users only need to leave a comment with their email address or tag some friends. Afterwards, the scammers will link to another social media profile, say that it belongs to their accountant, and tell users to follow that account to get instructions on how to receive their money.
“I’m getting ready to send out checks, but first I need you to donate 99 cents for postage to receive your thousand $, click this link: …”
Another popular scam: profiles that claim to belong to airlines or travel agencies and give away free tickets anywhere in the world, in exchange for people following them and leaving comments where they tag other friends.
Rogue third party apps: these are apps meant to garner automatic likes for users’ photos. Once installed, the app asks users to sign in with their Instagram credentials, but in reality they are opting themselves into a botnet.
LinkedIn is constantly used as a tool in spear-phishing attacks. By creating false profiles, attackers can research high-value targets, such as senior executives and CEOs.
Another LinkedIn scam involved emails that looked like they were sent by LinkedIn. The messages had an attachment supposedly containing a list of business contacts. They claimed that the user requested the list and asked to check it “so they can close the support ticket”. Opening the attachment installed spyware on the victim’s PC, which then harvested usernames, passwords and other personal details.
You can find more examples in this article from Tripwire.
A famous Tinder scam involves a bot messaging a user, going through a script and inviting them to an adult webcam show. The bot then sends a link and asks the user to click through.
“You say, ‘But it’s asking for a credit card,’ and they say, ‘Oh, it’s just to make sure you’re 18,’” says Satnam Narang, security response manager at Symantec. “But if you don’t cancel within three days, you get charged a premium rate for service, anywhere between 40 and 80 bucks.”
Beware of fake prostitution profiles, where there is text over the image saying “girlfriend experience”, with a URL and a username. These lead to adult dating or casual hookup sites. Scammers can use these to monetize via PPL (pay per lead).
Look out for requests to install apps, specifically games, on your phone. (more details here)
Again, monetization is the goal here.
Scammers send photos with captions requesting that the recipient manually perform an action.
Examples of such actions: “visit a website that pushes diet spam” or “go to an external site to claim a prize”.
In order to protect their users, Snapchat now makes sure that chats from non-friends no longer have clickable URLs. Therefore, users should copy-paste links into their browsers, if they really intend to visit an address.
Attackers have been sending out fake invites to Google+ via emails. They contain malicious links to malware, specifically bank Trojans.
The body of the invitation can also contain a link to a separate web form hosted on Google Docs that asks you to fill out the form to send the invitation to friends, but actually collects the names and emails of new victims.
We can’t help but wonder if these actually work, since Google+ is not exactly popular. But it goes to show that cyber criminals are nothing less than dedicated to their goals.
8. Pinterest / Tumblr
Magic bullet-style diet pills – these are especially popular at the beginning of the year or when summer starts and people want to look good at the beach and are looking for quick, miraculous solutions to lose weight. Scammers use fake profiles, usually claiming to be celebrities, models or fitness trainers.
Get it done: Must have in-account & on-device security settings
Basic security and privacy rules for your account:
1. Check your privacy and security settings for every network and adjust them to fit your needs (sites allow you to choose how much personal information you want to make publicly accessible or keep private).
For Facebook, you can also enable tag approvals – this way, you’ll review all tagged photos and posts before they appear on your timeline.
2. Protect your personal information. Be careful of what you share online, you never know how that information can be used against you.
Food for thought: stories of people who posted photos of their credit cards or concert tickets.
3. Never download attachments that you never requested.
Never click on short or hidden links when you don’t know where they lead.
If they were sent by one of your friends, be patient and ask them first about it, before opening the link or the attachment. They might either tell you they didn’t send any link, or they might not even be online to answer you.
4. Be wary of links that send you somewhere where you need to log in again or give up your credentials.
Look at the domain – is it correct, or does it just look similar to the right one, but with a variation in spelling?
Are you on a secure website connection? Does the link start with “https” instead of “http”?
5. Watch for any kind of misspellings, extra punctuation or amateurish design (including stock photos or low resolution images).
These may all be signs of frauds or fake social profiles.
6. If a brand’s social profile seems suspicious, look if there’s any mention of the official website. Pay attention to it, make sure they don’t mention a similar website, but with a slight variation in spelling or domain.
You can also look out for blue check marks – these are used by social networks to mark verified brands.
7. Check all apps that you previously authorized or are linked to your account (third party apps). Remove any shady app, especially ones that don’t do what they claimed to, or ones that you don’t use anymore. Do not install or give credentials to third party apps that you don’t know or don’t trust.
8. Constantly change your passwords. Choose strong passwords that are hard to break: they should be at least 14 characters long, and make sure you mix lower and upper case letters, symbols and digits. Never recycle them – they should be unique.
9. Start using two-factor authentication everywhere you can: email account, social networks, banking.
10. Report and then delete any kind of spam or malicious messages that you run into on your social media accounts.
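As an added example (not part of the original article), here are the link checks from points 3 and 4 above written as a small Python function: it flags plain http, URL shorteners that hide the destination, a brand name tucked into a subdomain, and domains that are one character or one look-alike substitution away from a domain you actually use. The list of legitimate domains, the shortener list and the sample URLs are all constructed for the example.

```python
"""Pre-click checks for a link, following the article's advice (added example)."""
from urllib.parse import urlsplit

# Constructed: the domains this user genuinely logs in to.
KNOWN_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com", "instagram.com"}
# Constructed: shorteners whose destination is hidden until you click.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
# Character swaps commonly used to make a fake domain look like the real one.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def registered_domain(host):
    """Last two labels of a host: 'www.facebook.com' -> 'facebook.com'."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def normalize(label):
    """Undo look-alike substitutions so 'faceb00k' compares as 'facebook'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a brand name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Return the article's red flags for a URL; an empty list means none found."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.strip(".").split(".")
    domain = registered_domain(host)
    if parts.scheme != "https":
        warnings.append("not https")
    if domain in SHORTENERS:
        warnings.append("shortened link hides the destination")
    if domain in KNOWN_DOMAINS:
        return warnings  # the real site; nothing more to check here
    # Brand name used only as a subdomain: facebook.com.example.net is not facebook.com
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        if brand in labels[:-2]:
            warnings.append(f"{brand} appears only as a subdomain of {domain}")
    # Spelling variation of a known domain: swapped characters or one edit away
    name = domain.rsplit(".", 1)[0]
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        if normalize(name) == brand or edit_distance(name, brand) <= 1:
            warnings.append(f"{domain} looks like {known}")
    return warnings


if __name__ == "__main__":
    for sample in ("https://www.facebook.com/login", "http://faceb00k.com/login",
                   "https://facebook.com.account-verify.net/", "https://bit.ly/3xyz"):
        print(sample, "->", check_link(sample) or ["no red flags"])
```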
Make sure that you also read our step-by-step guides on how to protect your accounts on:
Basic security rules for your device
1. Install a good, trustworthy antivirus.
3. Use a solution to detect second generation malware.
4. If it’s too late and you already got infected with malware, you can find help on these security forums.
Hopefully, by the time you reach this point, you already have a fair idea of how scams on social networks operate and what you can do to guard yourself against them. Of course, our article is far from exhaustive – it would be impossible for us to cover all the existing threats.
If we increased your appetite and you want to find out more on how to detect potential attacks, feel free to explore more of the blog!