How Facebook is fueling a new breed of social scams

Social Scamming

User engagement is a top priority for every social network. As the average user’s number of ‘friends’ continues to increase, a critical problem for social networks has been to develop tools that help users filter and categorize relevant content.

Historically, most scammers have geared their tactics towards mass audiences rather than producing targeted content, as personalized filters were rudimentary or undeveloped. This is why we’ve seen many large-scale, non-targeted scams spread through social networks for so long. Last spring, we measured that the average social scam wave reached approximately 1.5 million clicks.

However, the launch of Facebook’s ‘highlighted content’ stream and Google+ ‘circles’ has led to a decrease in threats based around mass distribution techniques, as content filtration leaves such ‘impersonal’ content out of people’s feeds.

Facebook and Twitter, the most popular social networks, have made major changes in recent months to features, design, security and privacy. While these changes increase interaction between users and decrease the number of large-scale scams, they may open the door for highly targeted attacks.

We are seeing scammers get smart by focusing their many tools on developing seemingly legitimate personalized content to increase their “conversion rates” in the face of filters.

A deeper look at the new Facebook changes

Today, Timeline, the most important profile update in Facebook’s history, is being offered to nearly a billion users. The Timeline update alone is likely to redefine the concept of privacy itself, as the tiniest details of users’ lives can now be publicly shared and indexed. Of course, we could already share information about health, relationships and work on Facebook, but it was never indexed in a way that was easy for people to see and search.

While Timeline allows users to avoid content they don’t find interesting, it also provides scammers the opportunity to develop targeted content just for you.

For example, smart lists, which help users control content sharing and content consumption, and a defined “Close Friends” list have been designed to increase the visibility of content from the people listed in these groups.

For scammers, this functionality offers the opportunity to create highly visible, targeted attacks. Malicious applications can request the “read friend lists” permission and then distribute attacks to your close friends, coworkers, past or present, and even your family.

Because these targeted attacks don’t generate large-scale issues for all of Facebook, they are also far more difficult to detect and remove than the older style of social attack.

The new News Ticker and App Ticker have also been redesigned to increase interaction between users and serve them more interesting content in real time. Considering that most online scams have a short lifecycle, these improvements actually increase the amount of contact users will have with fresh scams.

Then there are the latest granular evolutions of Facebook’s Privacy Settings. We can certainly say that Facebook has made important improvements by giving users control over the way their content is shared. However, the glaring issue remains that its ‘automatic opt-in’ policy for essential features like tagging and location-sharing can still be exploited to create dangerous or, at the least, embarrassing personal situations.

How do social threats “engage” Twitter users?

Twitter’s delivery of fresh news in just 140 characters makes it compatible not only with smartphones, but also with phone carriers’ existing text message services, meaning access to any modern mobile device. This kind of compatibility means everything is smaller: screen names, URLs and, ominously, the amount of information we can see about a user, making it easier for scammers and hackers to spoof identities or keep you from seeing the source of a scam altogether on a small screen.

Since most Twitter users use the platform to distribute public content, Twitter privacy is not as big a concern for us as it is with Facebook. Rather, it is the rapid proliferation of content, the shortening of URLs and the ability to target audiences through simple search queries that make Twitter attractive for targeted attacks and a minefield for businesses and consumers.

Although trending topics and gossip hashtags are seriously plagued by Twitter scams, the real danger on Twitter comes in the form of Direct Messages. According to statistics gathered by our security app for Facebook and Twitter, more than half of the spam detected in users’ direct messages leads to malware or phishing sites.

Of course, there are classic scams in Direct Messages, like falsified donation sites, but the growing number of malware and phishing links within direct messages is a worrying development. While our user sample doesn’t yet allow for generalized conclusions that apply to all of Twitter, other security researchers also report a high incidence of phishing and malware in direct messages. When combined with the constant stream of malicious tweets that can be easily distributed on Twitter, direct message scams turn the bumpy road of Twitter into a malware- and scam-laden minefield.

What’s next?

With the explosion in popularity of Tumblr and the increased visibility of Google+, you may be wondering why malicious attacks on them aren’t a concern for the near future. To put it simply, these two growing networks are in the enviable position that Apple is in compared to Microsoft: they are still not large enough to warrant the development of compatible scams and malware. Furthermore, Tumblr isn’t a social network that is focused on user engagement, and Google+ is still in the stage of increasing its user base, meaning it will be a while before their ubiquity warrants attacks.

Still, every important update to the major social networks designed to minimize irrelevant content has been followed by scams that utilized the new features for improved social engineering attacks. These new tools designed to engage users may very well render most of the classic and, frankly, obvious mass scams less effective. But the new user engagement experiences also mean that users will place more trust in content shared from “Close Friends” or “Current co-workers.” That alone will increase the efficiency of targeted attacks.

George Petre is a leading researcher in social media security. In 2008 he presented one of the first ever workshops on social media security at the MIT Spam Conference, and has since presented again at MIT and VB conferences. George holds degrees in Mathematics and Computer Science, and a master’s in Psychology applied in National Security. His work focuses on monitoring existing and emerging threat trends in social media and privacy issues. He also plays a lead role in the development of Safego, Bitdefender’s free social media security tool, currently available for Facebook and Twitter.
