February 27, 2009, 10:05 AM — Beny Rubinstein knows computer security. An employee of a Seattle-area tech giant with 20 years of IT experience under his belt, Rubinstein has seen a side of the industry that most people will never know. He holds a degree in computer engineering, and--oh yeah--he just got scammed out of $1100 on Facebook.
Rubinstein's experience isn't entirely uncommon. (We'll get to the specifics in a moment.) What's striking about his story, though, is that it demonstrates how easily anyone--even a highly trained expert in computer security--can be ensnared by a seemingly simple social network scam. And all kinds of these scams are on the loose.
More than 20,000 pieces of malware attacked social networks in 2008 alone, estimates the online-security firm Kaspersky Lab. That's no surprise, either: While e-mail is still the most spam-filled medium, researchers suspect that social network cybercrime is growing at a far faster rate.
"People are used to receiving spam and malicious messages in their e-mail, but it is much less common on Facebook," says Graham Cluley, a senior technology consultant with Sophos. "They are lulled into a false sense of security and act unsafely as a result."
You can avoid becoming one of the many who make that mistake. We've dug up the dirt on five scams currently posing a threat on Facebook. We turned to analysts who study them as well as to users who have fallen for them, all to help spread the word about how these things work and how you can best dodge them. (Facebook representatives did not respond to our request for comment.)
Knowledge is the greatest weapon against becoming a victim. Read on, and arm yourself well.
Scam #1: The Nigerian 419
The Scam: It may sound like a hip new emo band (or a somewhat old e-mail scam), but the Nigerian 419 will do more than just offend your ears--it'll also empty your wallet. The moniker refers to a scam dating back decades that has recently entered the social network scene.
Back to Beny Rubinstein. A couple of months ago, Rubinstein received some alarming Facebook messages from a friend and fellow tech professional.
"[He said] he was in the UK and was robbed, and needed $600 to fly back to Seattle," Rubinstein recalls.
The messages came both in Facebook-based IMs and in e-mail. They included details such as family members' names, making the notes appear all the more authentic. It wasn't until 2 hours and $1100 later that Rubinstein realized what had happened: Someone had hijacked his buddy's account, contacted his friends, and--at their expense--made off like a bandit.
"Scammers figured out that even though social networks don't have direct access to money, they have access to information that gives you a good shot at getting someone else's money," says Vicente Silveira, a product management director at VeriSign and a personal friend of Rubinstein's.
The Protection: Before you send cash to a pal who seems to be in trouble, try to contact him or her outside of the social network--either by phone or by external e-mail. Not feasible? Ask an extremely personal question that a hacker couldn't possibly figure out from information within the profile. We'll leave the specifics up to you.
Next: Be Wary of Widgets, The Koobface Virus, Facebook Phishing
Scam #2: The Widget Warrior
The Scam: Facebook is famous for its widgets--you know, the third-party applications that you can add onto your account. Sometimes, though, widgets turn into warriors with a single mission: stealing your data.
The first rogue widget reared its head in 2008, when researchers realized that a program called Secret Crush had anything but sweet intentions. The application, which was supposed to help you find your virtual admirers, instead installed spyware onto your computer. Even worse, it encouraged you to spread the love by getting other friends on-board--essentially "manipulating humans to pass it along on their own," says Guillaume Lovet, senior manager of Fortinet's Threat Response Team.
Secret Crush has since been crippled, but the potential for similar threats still exists. Just days ago, security experts determined that an application called Error Check System was misusing profile details and possibly stealing personal information. A few months earlier, researchers from Greece's Institute of Computer Science uploaded a malicious app to Facebook as an experiment (PDF). The team was able to configure the widget, which posed as a "Photo of the Day" displayer, to utilize its users' Internet connections for denial-of-service attacks.
The Protection: Use extra caution when installing third-party applications. "When you accept to install one, malicious or not, you are granting its author access to all the info in your profile," Lovet says. Make sure you know what the app's creator will do with it.
Scam #3: The Koobface Virus
The Scam: Don't be fooled by the name--there's little to laugh about when it comes to the quickly spreading Koobface virus. (The word, by the way, is an anagram of "Facebook.") Once the virus infects your PC, it starts sending messages or wall postings to your Facebook friends, directing them to a "hilarious video" or some "scandalous photos" of someone you both know.
"The link promises an enticing video, but when the user clicks, he is presented with a Web page with a fake Adobe Flash update or a fake codec that needs to be downloaded," explains Ryan Naraine, a security evangelist with Kaspersky Lab. "That download is malware."
The Protection: Antivirus software can help keep you safe, but some common sense can also go a long way. "Be wary of any kind of direct URL in messages or postings," advises Jamz Yaneza, a threat research manager with Trend Micro. If a site asks you to download a software update, Yaneza says, click Cancel and go directly to the vendor's page to see if the update is legit.
Scam #4: The Phishing Pond
The Scam: Phishing, a favorite hacker tactic, has found new life at social networking sites. Scammers trick users into following links that open official-looking Facebook log-in prompts. If you enter your user name and password, the information is logged--and your account is theirs.
Brandon Donaldson, a pastor at the Lifechurch.tv Internet Campus, fell for the scam. Someone gained control of his Facebook account and started sending messages to his friends and followers, trying to persuade them to follow the same links and unwittingly give up their accounts, too.
"This was a pretty bad ordeal, since I regularly put video content up on the Web, and I use the Internet as a tool for many relationships," Donaldson says. "You build a certain social trust in these spaces, and you want to keep that trust without these kinds of incidents."
The Protection: The previous plan also applies here: Watch where you click. Plus, if you're ever asked for your password midsession, don't enter it. Manually navigate back to the Facebook.com home page instead, and then log in there if need be.
Next: Fake Facebook Communities, Web of Trust
Scam #5: The Contrived Community
The Scam: Community enthusiasts, be cautioned: Facebook user groups can sometimes be cleverly disguised vehicles for marketing. And--whether you realize it or not--when you click the join link, you're effectively opting in.
Brad J. Ward was one of the first users to find such a scheme in action. Ward, then a member of Butler University's admissions department, discovered a Facebook group called "Butler Class of 2013." The only problem: The people behind it had nothing to do with Butler. After posting about the issue on his blog SquaredPeg.com, Ward soon learned that the names of nearly 400 other schools appeared in similarly suspicious groups, all created by the same small set of people.
"My initial reaction was that some company or person was essentially setting themselves up to be the administrator for hundreds of groups, which provides the opportunity to send out mass messages or to collect data," Ward says.
His instinct was right: The publisher of a college guidebook had set up the groups, seemingly with the goal of building a mass mailing list for marketing its products, Ward discovered.
"Was any of it illegal? Not necessarily," Ward points out. "But was it unethical, and could it be misconstrued as an official university presence? Yes."
Once exposed, the publishing company College Prowler admitted its involvement and agreed to back out of the groups. Still, that's only one company. More than likely, countless others haven't been detected, and are actively using groups to gain the trust (and information) of unsuspecting users.
The Protection: Be very selective in deciding what groups you join. If you aren't sure who runs a given Facebook community, or whether it's officially linked to the organization that it claims to be, don't accept the request. Your privacy is worth more than any membership.
The Web of Trust
In the end, staying safe comes down to maintaining control of your information and carefully selecting with whom you share it--because you never truly know who's on the other end of electronic communication. This past month, for example, a high school student was charged with 12 felonies after investigators say he posed as a girl on Facebook and tricked male classmates into sending him nude photos.
"An online version of the 'web of trust' is formed among users," notes Trend Micro's Jamz Yaneza. "Although this does work in the noncyberspace environment, the platform ... is really different when someone else is in charge of your medium."
It's easy to feel invulnerable while reading about such scams. The second you let your guard down, though, it's even easier to become the next victim. Just ask people who know Beny Rubinstein, the IT pro who lost more than a grand to a Facebook scammer.
"Worse than losing the money, he realized how exposed you are in a social network," says Vicente Silveira, Rubinstein's friend. "We're exposing things now that are in many ways a lot more valuable than money."