
Heimdal Online Security: Social Scams The Full Breakdown and Protection Plan

Published by tamarartamonova, 2016-09-13 05:41:18

Description: Remember the time when our email inbox was filled with requests to help endangered (and filthy rich) Nigerian princes?
Those scams never died, they just evolved. Attackers improved their tactics and changed the channel.
More people connected to the internet means that cyber criminals just have more potential victims. And when internet users migrate towards the social networks, guess where the attackers will be waiting?
Does this look familiar?
I bet you thought it’s a harmless post. But you could be just one click away from a nasty malware infection.
That’s why we decided to break down social media scams, so you can know what to expect and how to protect yourself.

Keywords: heimdal online security, staying safe online, avoid online fraud, online security alerts blog


Heimdal Online Security: Social Scams The Full Breakdown and Protection Plan

Remember the time when our email inbox was filled with requests to help endangered (and filthy rich) Nigerian princes?

Those scams never died, they just evolved. Attackers improved their tactics and changed the channel.

More people connected to the internet means that cyber criminals just have more potential victims. And when internet users migrate towards the social networks, guess where the attackers will be waiting?

Does this look familiar?

I bet you thought it’s a harmless post. But you could be just one click away from a nasty malware infection.

That’s why we decided to break down social media scams, so you can know what to expect and how to protect yourself.

Here’s the rundown of what you can learn from this article:

- Core reasons behind scams on social networks
- How scammers take advantage of social networks to make money
- Common tricks you can come across
- Social media scams on Facebook, Instagram, Twitter and more
- Get it done: Must have in-account & on-device security settings

Core reasons behind scams on social networks

1. Make more money

Scammers plan most of their scams with one and only goal in mind: money. They will do anything to monetize your actions and your sensitive information.

They trick you to click on a link, download or install something, like or follow a social profile, share something or send it to your friends. They’ll try to gain any type of information from and about you that they can exploit or simply sell to others. They’ll even try to talk you into willingly sending them money.

2. Just for fun

However, some of these scams are done just for fun or out of curiosity, to find out if and how something works.

A quick example of a basically harmless scam: you’ve most likely come across at least one chain letter passed on via popular social networks. These are messages that claim that the owners of the network will start charging users or that it will shut down. They will prompt you to forward the message to everyone you know in order to prevent that. Others claim that a brand or celebrity will donate money to a charity cause for every share of that message.

These kinds of scams are only social media clutter and noise. But they can also turn malicious very quickly.

How scammers take advantage of social networks to make money

1. They trick you into visiting websites and / or clicking on ads

Most websites make money from selling advertisements.

The most common type of advertising is based on paying for impressions (page views – how many times did a potential customer view an ad?).

The impressions system is based purely on traffic, on the number of times an ad was displayed to a user while viewing a web page.

The pay-per-click system means that advertisers only pay the website when a user clicks on an ad.

This system can be tricked by generating clicks that don’t come from genuinely interested users, or by hijacking clicks that were intended for a legitimate advertiser.

You may argue that it’s harmless, and that an individual page view or click will only bring scammers a tiny amount of money.

So what if they trick you into clicking on an ad and you thought it’s a completely different thing? Only wasted time, right?

Well, if you start multiplying those few cents from your click with other millions of clicks that they managed to gather, you’ll see that scammers can fraudulently raise serious amounts of money.

This is called “click fraud” and, according to a report from the Association of National Advertisers, marketers all over the world could lose up to $7.2 billion this year because of it.

It’s also worth noting that 90% of web attacks are delivered through advertising networks.

2. They trick you into liking pages, following people, tagging, commenting

This is similar to the previous point.

By making you like a page, follow an account, comment or tag people, scammers will raise the numbers of a social account. They also ensure that the action will appear in your news feed, providing them with access to more people.

Sometimes, this is for the scammers’ own benefit, so they can pretend their account has genuine online influence and then place ads on it or even sell it.

Other times, third parties such as brands or companies will buy likes or followers for their social accounts. This way, they’ll be able to better sell their social media accounts, by making advertisers think they have real influence.

I’m just trying to clarify how these things work, so I’ll not comment on the ethics of this action, as it’s not the main subject here.

3. They trick you into giving them sensitive information

Phishing is the name given to cybercriminals’ attempt to trick you into giving them sensitive information or money.

They will craft a plausible message that seems to come from a social network representative or from one of your online buddies. They will then lead you to a site that appears to be legit, where you’ll be prompted to enter sensitive information.

From name to email address, phone number, home address, social security number, to credit card details, bank account number, passwords, etc. – this kind of information can be used for financial fraud, identity theft, blackmail and so on.

That’s why it’s important to keep in mind that your personal information is as precious as gold and you should do anything to protect it.

Phishing attacks used to happen mostly through emails, but the landscape has changed dramatically over the past years, due to the rapid growth in social networks usage.

How scammers can take advantage of social media for phishing attacks:

– By pretending to be a representative of a social network.

Phishers take their time to create websites that look identical to your favorite social media networks. They also create fake emails or social profiles that seem to belong to genuine representatives of the network.

Afterwards, they contact you either directly on the network, through private messages, or through emails that seem to be from the social network’s representatives, and they try to trick you to click on a link to: reset your password, reconfirm your account, confirm that you don’t want your social account to be cancelled and so on.

This kind of information can then be used to access your account and send messages to friends, to further spread the links.

Other times, they can make money by exploiting the personal information they’ve obtained, either by selling it to third parties or by blackmailing you with it.

– By sending messages that appear to come from a buddy. In those messages, they invite you to click on a link to check out a video or see some disturbing news.

– By finding out essential information about you that will then increase their chances of a spear phishing attack.

Spear phishing is directed at specific companies or individuals, and it’s not as automated as common phishing.

The attackers will take their time to gather all available information about their target, in order to create a highly personalized and believable email.

Last autumn, researchers from the Dell SecureWorks Counter Threat Unit identified a network of at least 25 well developed LinkedIn profiles that were part of a social engineering campaign.

Spear phishing requires a bigger effort, but it’s the most effective kind of phishing attack. And with the publicly available information that we voluntarily share on social media, its chances for success will most likely increase in time.

Phishing is also a potential launch ramp for malware, which leads us to… trick nr. 4:

4. They trick you into downloading malware

Malware is used as a collective name for malicious software – the type designed to disrupt or damage your data, software or hardware.

Viruses, worms, keyloggers, Trojans – all these are just different forms of malware.

Cyber criminals spread malicious software for profit through adware (forced advertising), spyware (stealing your sensitive information) or ransomware (software that encrypts your content, blocks access to your system and demands payment in return for the key that will decrypt your data).

Usually, attackers get malware into your device through a variety of mechanisms that involve exploiting human and technical factors. You can get infected with malicious software just because you thought you were downloading a browser extension, an app or a game.

Examples of harmful apps to steer clear from:

- Apps that claim to let you know who visited your profile
- Apps that claim to enable the Dislike button on Facebook
- Apps that claim to be a virus removal tool that will clean up your computer
- Apps that claim to change the color of your Facebook profile
- Apps that claim to provide you free likes or followers

These kinds of applications carry more or less dangerous types of malicious code. Afterwards, your social account will be used to spread the apps to your friends, sending them messages to encourage them to download the software as well, thus further propagating itself.

These scripts can also command your profile to like other pages, helping scammers further monetize the con.

5. They trick you into spreading chain letters

We’ve mentioned these before. Chain letters are messages that catch your interest by claiming that a social network plans on charging users in the near future or that they will shut down. Chain letters ask you to distribute the message to everyone you know, in order to stop the network from charging money or shutting down.

Other forms of chain letters claim that a brand or celebrity will donate money to a charity cause for every share of that message.

Bill Gates and Mark Zuckerberg are usually targeted for this one.

Variations include emotionally extorting you through fake stories of sick kids, false warnings of viruses circulating, monetary rewards, etc.

These letters used to be sent exclusively via email but, nowadays, because of the increasing popularity of social networks, cyber criminals started taking advantage of them and our decreasing attention span.

Chain letters can take the form of a post from an online buddy, or a direct message.

They are generally harmless, but, other times:

- They will ask you to donate money for a charity cause (that’s actually controlled by a cyber criminal).
- They will urge you to download something in order to protect yourself from a virus that is circulating on the web. This can be done either by clicking on a link that redirects you to a phishing site, or by downloading an attachment that contains malware.

Many people have fallen for this kind of stuff and continue to propagate the messages.

Break the chain – report the message (or mark it as spam), delete it and inform the ones who sent it that it is fake.

Common tricks you can come across

Instead of focusing only on highly technical methods, scammers base their attacks on social engineering tactics.

Cyber criminals will cheat, lie, exploit your trust, take advantage of your emotions, curiosity or lack of technological knowledge, trick you to install malware or divulge sensitive information. No trick is off-limits.

It’s important to note that most people won’t even report when they were tricked via social engineering. They realize they were stupid and don’t want to further embarrass themselves. Reporting would benefit everyone involved, so it’s time to get over your mild embarrassment.

Here are a few scenarios that you must pay attention to:

1. Shocking news

Shocking news uses something that’s hot right then. It’s something that everyone is talking about in the media and on social networks, such as a terrorist attack or a flight crash. You might expect to see a video or news, but, instead, the link leads to spammy, pop-up filled or malware-laden websites.

“Curiosity killed the cat”.

2. Fake celebrity news

Kim Kardashian’s newest bum photos? Bin Laden’s death video? Vanilla Ice dead?

Always a sure way to get clicks from gullible users.

3. Emotional extortion

Photos of sick babies or endangered animals that lure you into watching a video or to see news.

4. Free stuff

Gift exchanges, free coupons, free trips, free iPhones, free likes or followers, gift cards – basically, free everything.

These scenarios usually take advantage of big brand names: Starbucks, Victoria’s Secret, the Cheesecake Factory. And they come in exchange for other potential ways for the scammer to propagate the con: click here, like and share, tag friends, follow someone, etc.

5. Easy money

Remember the Nigerian prince scam, where you’re typically required to send money over so that, in turn, you’ll receive several times more than the originally borrowed sum?

Or the spammy emails that claimed that you won millions of dollars at a lottery or a prize in a competition?

In order to receive the prize, they prompt you to send over some personal identification information and a small fee for the post office.

These kinds of scams just moved from email to direct messages on social networks. Here’s an example from LinkedIn.

Easy money doesn’t exist. These are usually bogus offers that claim to help you start making thousands and then require a fee for you to get going.

6. Urgency

In this category you can fit any message that has urgent requests. “Click here now, confirm here, download this, fill in this, install this” – messages that require your urgent action are usually used in phishing attempts.

Read and visit us for more information about Social Scams: The Full Breakdown and Protection Plan

