Malware (malicious software) is a term that describes a wide range of programs that install themselves on a user’s computer, often through the use of trickery. Malware can spread quickly on a social network, infecting the computer of a user and then spreading to his or her contacts. This is because the malware may appear to come from a trusted contact, and thus users are more likely to click on links and/or download malicious programs.
Some common techniques used in spreading malware include:
· Shortened URLs, particularly on status update networks or newsfeeds. These may lead the user to download a virus or visit a website that will attempt to load malware on a user’s computer.
· Messages that appear to be from trusted contacts that encourage a user to click on a link, view a video or download a file.
· An email appearing to be from the social network itself, asking for information or requesting a user click on a link.
· Third-party applications that infect computers with malicious software and spread it to contacts.
· Fake security alerts – applications that pose as virus protection software and inform the user that his or her security software is out-of-date or a threat has been detected.
Social Engineering
There are a variety of social engineering scamming techniques which trick users into entering sensitive information. This section describes a few of the well-known techniques.
· Phishing attacks are when emails, instant messages or other messages claiming to be from a trusted source ask for information. For example, an email may appear to be from a bank and could direct a user to enter a password at a fake login page, or tell a user to call a phone number or risk having their account closed. For tips on how to spot and avoid phishing attacks, see FTC Alert How Not to Get Hooked by a 'Phishing' Scam and OnGuardOnline's Phishing page. Some Internet browsers, such as recent versions of Mozilla Firefox and Internet Explorer, have taken steps to help identify fake websites. (See GetSafe Online's Avoid Criminal Websites for these and other tips.)
· Spear phishing is a type of phishing attack that appears to be from a colleague, employer or friend and includes a link or something to download. (This is often the result of account hijacking.) These links or downloads can be malicious, such as viruses or fake websites that solicit personal information.
· Misleading solicitations. A social network might use social engineering to make people feel obligated to join. This often occurs when one person joins and (often inadvertently) provides the social network with access to his or her contact list. The social network then sends out emails to all of his or her contacts, often implying they are from the individual who joined. For example, it has been reported that Tagged.com solicits contacts of users with emails claiming the recipient has been “tagged.” These emails state: “Is <user name> your friend? Please respond or <user name> may think you said no :( ” or “<user name> sent you photos on Tagged.” The recipient may believe this is a personal invitation from the user and feel obligated to join the network, giving out his or her information and perhaps perpetuating the solicitations.
· Hijacked accounts. A legitimate account may be taken over by an identity thief or malware for the purpose of fraud such as posting spam, sending out malware, stealing the private data of contacts or even soliciting contacts to send money. One typical scenario is when a hijacked account sends out messages stating that the account owner is overseas and in desperate straits. Contacts are urged to immediately wire money. A user may not realize his or her account has been hijacked for quite some time. An attack could also be in the form of a chat conversation.