Scam #2: The widget warrior
The scam: Facebook is famous
for its widgets -- you know, the third-party applications that you
can add onto your account. Sometimes, though, widgets turn into
warriors with a single mission: stealing your data.
The first rogue widget reared its head in 2008,
when researchers realized that a program called
Secret Crush had anything but sweet intentions. The
application, which was supposed to help you find your virtual
admirers, instead installed spyware onto your computer. Even
worse, it encouraged you to spread the love by getting other
friends onboard -- essentially "manipulating humans to pass it
along on their own," says Guillaume Lovet, senior manager of
Fortinet's Threat
Response Team.
Secret Crush has since been crippled, but the
potential for similar threats still exists. Recently, security
experts determined that an application called
Error Check System was misusing profile details and
possibly stealing personal information. A few months earlier,
researchers from Greece's Institute of Computer Science uploaded
a malicious app to Facebook as an experiment. The team was able to
configure the widget, which posed as a "Photo of the Day"
displayer, to utilize its users' Internet connections for
denial-of-service attacks.
The protection: Use extra
caution when installing third-party applications. "When you accept
to install one, malicious or not, you are granting its author
access to all the info in your profile," Lovet says. Make sure you
know what the app's creator will do with it.
Scam #3: The Koobface virus
The scam: Don't be fooled by the name -- there's
little to laugh about when it comes to the quickly spreading
Koobface virus. (The word, by the way, is an anagram
of "Facebook.") Once the virus infects your PC, it starts
sending messages or wall postings to your Facebook friends,
directing them to a "hilarious video" or some "scandalous
photos" of someone you both know.
"The link promises an enticing video, but when
the user clicks, he is presented with a Web page with a fake Adobe
Flash update or a fake codec that needs to be downloaded," explains
Ryan Naraine, a security evangelist with Kaspersky Lab. "That
download is malware."
The protection: Antivirus
software can help keep you safe, but some common sense can also go
a long way. "Be wary of any kind of direct URL in messages or
postings," advises Jamz Yaneza, a threat research manager with
Trend Micro. If a site asks you to download a
software update, Yaneza says, click Cancel and go directly to
the vendor's page to see if the update is legit.
Scam #4: The phishing pond
The scam: Phishing, a favorite
hacker tactic, has found new life at social networking sites.
Scammers trick users into following links that open
official-looking Facebook login prompts. If you enter your user
name and password, the information is logged -- and your account is
theirs.
Brandon Donaldson, a pastor at the
Lifechurch.tv Internet
Campus, fell for the scam. Someone gained control of his
Facebook account and started sending messages to his friends and
followers, trying to persuade them to follow the same links and
unwittingly give up their accounts, too.
"This was a pretty bad ordeal, since I
regularly put video content up on the Web, and I use the Internet
as a tool for many relationships," Donaldson says. "You build a
certain social trust in these spaces, and you want to keep that
trust without these kinds of incidents."
The protection: The previous
plan also applies here: Watch where you click. Plus, if you're ever
asked for your password midsession, don't enter it. Manually
navigate back to the Facebook.com home page instead, and then log
in there if need be.
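
The "watch where you click" advice can be made mechanical. The sketch below is an added example, not part of the original article or any Facebook code: it parses a link the way a browser does and reports whether the login page it leads to is really hosted under facebook.com. The function name, the trusted-domain constant and the sample links are assumptions constructed for illustration.

```javascript
// Added example: does this link really lead to a facebook.com host?
// TRUSTED_DOMAIN and classifyLoginLink are hypothetical names for this sketch.
const TRUSTED_DOMAIN = "facebook.com";

function classifyLoginLink(link) {
  let url;
  try {
    url = new URL(link); // same parsing rules a browser applies
  } catch (e) {
    return { trusted: false, reason: "not a valid absolute URL" };
  }
  // A login form served over plain HTTP can be read or altered in transit.
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not HTTPS" };
  }
  // "https://facebook.com@other.example/" puts the familiar name in the
  // userinfo part; the browser actually connects to other.example.
  if (url.username || url.password) {
    return { trusted: false, reason: "userinfo placed before the real host" };
  }
  // Hostname is already lowercased; drop an optional trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  // Look-alike letters from other alphabets are encoded as "xn--" labels.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { trusted: false, reason: "punycode host (possible look-alike)" };
  }
  // Trusted only if the host IS the domain or a subdomain of it.
  // "www.facebook.com.login.example" fails: it merely starts with the name.
  if (host === TRUSTED_DOMAIN || host.endsWith("." + TRUSTED_DOMAIN)) {
    return { trusted: true, reason: "host is " + host };
  }
  return { trusted: false, reason: "host is " + host };
}

// Constructed sample links (the .example hosts are reserved for documentation).
const samples = [
  "https://www.facebook.com/login.php",
  "https://www.facebook.com.login.example/login.php",
  "https://facebook.com@login.example/login.php",
  "http://www.facebook.com/login.php",
];
for (const s of samples) {
  const verdict = classifyLoginLink(s);
  console.log((verdict.trusted ? "OK    " : "REJECT") + " " + s + " (" + verdict.reason + ")");
}
```

A rejected link is a reason to type the address by hand, as described above; an accepted host says nothing about whether the account sending the link has been taken over.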
Scam #5: The contrived community
The scam: Community enthusiasts, be cautioned:
Facebook user groups can sometimes be cleverly disguised vehicles
for marketing. And -- whether you realize it or not -- when you
click the join link, you're effectively opting in.
Brad J. Ward was
one of the first users to find such a scheme in action. Ward, then
a member of Butler University's admissions department, discovered a
Facebook group called "Butler Class of 2013." The only problem: The
people behind it had nothing to do with Butler. After posting about
the issue on his blog SquaredPeg.com, Ward soon learned that the names of
nearly 400 other schools appeared in similarly suspicious
groups, all created by the same small set of people.
"My initial reaction was that some company or
person was essentially setting themselves up to be the
administrator for hundreds of groups, which provides the
opportunity to send out mass messages or to collect data," Ward
says.
His instinct was right: The publisher of a
college guidebook had set up the groups, seemingly with the goal of
building a mass mailing list for marketing its products, Ward
discovered.
"Was any of it illegal? Not necessarily," Ward
points out. "But was it unethical, and could it be misconstrued as
an official university presence? Yes."
Once exposed, the publishing company College Prowler admitted its
involvement and agreed to back out of
the groups. Still, that's only one company. More than likely,
countless others haven't been detected, and are actively using
groups to gain the trust (and information) of unsuspecting
users.
The protection: Be very
selective in deciding what groups you join. If you aren't sure who
runs a given Facebook community, or whether it's officially linked
to the organization that it claims to be, don't accept the request.
Your privacy is worth more than any
membership.