Hack attacks, ID theft and malicious software target growing membership of online communities: Internet Scambusters #306
With online communities firmly in their sights, hackers and
criminals use a variety of techniques to launch social
Membership of these sites exceeds 70 million and, without
taking sensible precautions, no one is safe from attack — even
people who aren’t members.
We explain the 5 most common social networking scams and show
you what to look out for.
The 5 Most Common Social Networking Scams
Internet security experts are increasingly concerned about the
rapid growth of social networking scams — attacks on members
of online communities like Facebook, MySpace, Flickr and
Latest official estimates say that more than 70 million
Internet users belong to one or more of these virtual community
groups but the actual number is likely significantly larger –
and rising rapidly by the day.
The attraction? Like-minded people can meet and get to know
each other, whether they’re teens exploring music and fashion
tastes or business people using them as a marketing tool to
make new contacts.
And, as one expert at a recent Black Hat hackers conference in
Las Vegas explained, steering clear of membership doesn’t
necessarily guarantee protection from social networking scams.
Someone else could easily open an account in your name.
A while back we reviewed how to keep your teens (as well as
yourself) safe on MySpace and other social networking sites.
In this issue of Scambusters, we review the five most common
types of social networking scams and offer tips on how to avoid
1. Downloading malware
Running social networking sites is a competitive business with
rich rewards from ad revenues for the winners. To give
themselves an edge, most online community operators are
constantly upgrading site functionality.
One technique allows members to install user-created
applications on their profile pages. These might be used, for
example, for animation, calendars, photo-feeds or simple games.
Trouble is that there are so many of these programs around that
even the site security people struggle to keep pace with them.
This opens the door to the tricksters who are churning out
spyware, trojans and viruses that members then unknowingly
either download to their own computers or post on their profile
Experts believe this is by far the most common social
networking scam. In a recent attack that hit all the big online
communities, a supposed link to a video prompted users to
install a plug-in; this then not only installed malware on the
victims’ PCs but also mailed itself to everyone on
each victim’s “friends” list.
According to one expert, the reason social networking sites are
particularly vulnerable is that the very essence of an
online community is trust. People don’t expect to be scammed by
other users. That makes them easy prey.
Keeping your Internet security software up to date creates the
first line of defense against this sort of attack. You should
also be wary about downloading and using new applications from
And just like with email, don’t believe that a message you got
from a supposed friend or contact necessarily did come from
2. False identity
It’s easy to set up a profile on the big social networking
sites. For criminal types, this means an opportunity to pass
themselves off as someone else — either real or non-existent.
Their motives may just be to have some anonymous fun but
they’re more likely to be sinister, like establishing phony
friendships that lead to face-to-face meetings with
who-knows-what consequences, or to float invitations to adult
Sometimes, the scammers use the identities of genuine people,
using information and photographs trawled from the Internet. In
the Vegas conference referred to above, two experts did just
that to set up a LinkedIn profile. It garnered 50 friends in 24
The bottom line: Realize how easy it is to establish phony
identities and don’t blindly trust that someone is who they say
they are. Be wary about accepting new friends you haven’t
It’s often hard to avoid personal details and pictures of
yourself appearing on the Internet but, at the very least,
monitor (via Google) what is available and try to remove
anything that could make you vulnerable.
And if you’re not a member of these online communities, it’s
still worth visiting them. Consider setting up a limited user
account, or at the very least do a search on your name, just in
case someone’s pretending to be you.
3. Identity theft
In addition to passing themselves off as someone else, scammers
also steal identities via social networking sites.
For a start, individual profile pages often bristle with
personal information that can be used for ID theft — things
like your age/birthdate, your location, phone number, email
address, maybe your job and family details. And, of course,
They might try to build on that by phishing for your log-on
password. They know that the chances are you use the same
password for other sign-ons.
The most common technique is a message sent through the
network that appears to have come from an online buddy,
inviting you to check out a new profile page.
Clicking the link takes you to a bogus page that asks you to
log on “again.” In reality, you’re handing over your
confidential password to a scammer.
You can limit the risk of this type of identity theft by not
posting too much giveaway detail about yourself on your profile
page and watching out for suspicious invitations to view
Beware of any links that ask you to sign on again. This would
be very unusual, if not unheard of, if you’re already signed on
to the network. If the invitation comes via email, contact the
friend to confirm he/she sent it.
4. Profile page hacks
When it comes to social networking scams, it’s just as easy for
criminals to hack your profile page as it is for them to create
their own phony profiles. All they need is your username and
Sometimes, hackers do this just for their own idea of
fun, scrawling graffiti over a user’s page. Other times they
install invisible code that can be used for malicious purposes.
Or they simply use your ID as a platform for spamming
Occasionally, their intent is pure evil. In one recent,
well-aired case, bogus identities were used to launch a
cyber-bullying attack, repeatedly defacing the victim’s site
with malicious comments. The victim subsequently committed
The key to preventing this type of attack is not only to have a
strong password but also to change it very frequently. Read
more about this and pick up some useful computer password security tips in this Scambusters article.
If your profile or your identity are in any way compromised,
you should also inform the site operator. If threats are
involved, tell the police.
5. Sending and receiving spam
A college student from Chicago recently reported how his
MySpace friends became infuriated after receiving messages,
purportedly from him, promoting the sale of adult products.
Recipients included his 14-year-old niece.
Turned out he’d installed a widget program of the sort
described in social networking scam #1 above. Its supposed
purpose was to help decorate the user’s page but additionally
it mailed the spam to all his friends.
If they subsequently clicked on any of the links, it did the
same thing all over again.
But scammers don’t only want to use your profile to spam
others. They want to spam you. And they want to do this with
very carefully targeted emails.
Especially on sites for business professionals, they scour
members’ personal details. They use the sites’ own search tools
to identify members’ areas of expertise and interest.
Messages are then sent to them from a bogus-identity account on
the network. Recently, this included variations of the Nigerian
419 advance fee scam which, because it was passed between
network members using the network software, bypassed
individuals’ spam filters. You can find more on Nigerian 419
advance fee scams on our site.
Alternatively, the names and details gleaned are combined
together into master lists of people with specific interests
that are sold on to other spammers.
Reduce this danger by limiting the amount of information you
post on your profile page and listing a short-term or
disposable email address for contact.
Social networks have become part of the fabric of online life
and their popularity is likely to increase for many years to
come. And there’s no doubt they’re a great way to make friends
or do business.
Don’t let the criminals spoil the party. Wise up to their
tricks — and make sure your online friends know about them
That’s a wrap for this issue. Wishing you a great week!