
Do you remember how life was without Facebook? Probably not. The site has pervaded our lives and it is no surprise that Facebook is now prime hunting ground for anyone with nefarious intentions.

They employ stealth and cunning, like a predator stalking its prey, looking for the slightest weakness to pounce on you. By simply visiting Facebook, you potentially expose yourself to viruses and malware. Criminals can make you take some unintended action, steal your data, spy on you or “enslave” your PC for their own illegal ends, such as launching DDoS attacks.

We take you through some of these Facebook threats and outline the precautions you should take to avoid becoming another statistic of cyber crime.

Clickjacking Threats

[Image: clickjacking]

Clickjacking is one of the oldest tools used by scammers on the Internet and the most common ingredient in all the other threats listed below. Users are tricked, using psychological manipulation, into clicking links that do something totally different from what they expect. This is achieved by overlaying legitimate Facebook pages with malicious content from a third-party site. For example, you may click a button that is supposed to take you to a specific page, but instead the action enables your webcam.

On Facebook and other social media websites, clickjacking has been employed in a variety of ways. For example, “likejacking”, a variation of clickjacking, is a malicious technique that tricks users into unintentionally “liking” a page. Clickjacking on Facebook has also been used to infect users’ computers with malicious code: once you click a malicious link, you unwittingly download malware to your computer. Some of the techniques used in recent clickjacking attacks include:

  • Breaking News – this could range from gossip to entertainment and will typically be controversial or intriguing, to attract curiosity and ultimately get you to click the link. Celebrity death hoaxes are a common example.
  • Exclusive Content – these attacks come with statements promising access to exclusive videos or photos. Again, the content will be controversial or intriguing.
  • Latest News – this attack piggybacks on the latest trending news and exploits the basic human instinct to stay updated in real time with an ongoing news event.
  • Promos/Contests – this attack entices users with a great promotion or contest. Users are asked to click a link in order to register for the promo or contest.

Precautions

[Image: too-good-to-be-true]

Facebook continues to roll out site updates to protect its users from clickjacking, but there are a few ways you can proactively avoid the threat. To begin with, be sparing about clicking links in your Facebook feed; if it’s too good to be true, it probably is.

Also, some headlines are dead giveaways that something is off. Be wary of catchy headlines you know can’t possibly be true, for example, “[RAW UNCUT VIDEO] MERMAID WASHES UP OFF COAST OF FLORIDA.” Seriously, if you click on such a link, you’re asking for it.

You should also restrict your Facebook contacts to people you know personally and make your Facebook profile private. Don’t click on news links whose source appears dodgy; for breaking and latest news, read credible news sites.

Be a good net citizen and help out the community by proactively reporting suspicious sites to Facebook. If you are using the Firefox browser, install the free NoScript add-on; its ClearClick feature offers reasonable protection against clickjacking. Finally, install antivirus software that offers complete Internet security.

Phishing Exploits

[Image: phishing]

A phishing attack is the online version of impersonation. The attacker masquerades as a trustworthy entity. For example, you may be presented with a Facebook login portal that looks like the real thing. Once you enter your username and password, you essentially hand over your Facebook account to the attacker.

One of the more common recent phishing attacks is a bogus application used to steal login credentials. You may have seen reports in 2013 of an app that boasted it could let users see who had viewed their Facebook profile. The site spoofed the appearance of Facebook’s login page and offered two options to activate the fake app. The first option asked users to enter their credentials into the fake website; the second asked users to download and install software in order to receive notifications when someone viewed their profile. This software was in fact malware that set up a keylogger on the victim’s computer and sent the logged data to the phishers as soon as an Internet connection was detected.

Precautions

[Image: facebook-https]

One of the most basic ways to prevent a phishing attack is to check the URL in the address bar to be sure you are actually entering your login credentials on the genuine Facebook login page and not a spoof. Also, look for the padlock icon to ensure the page is served over HTTPS, and if you’re not sure, click the padlock to confirm that the site’s identity is verified as Facebook.com. Take this a step further and ensure you are using the latest generation of web browser; update your browser on a regular basis. Chrome, Firefox, IE and Opera all come with built-in phishing and malware protection. For added security, check out the three desktop browsers designed to protect your privacy.
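The address-bar check above can be stated precisely, which is useful because phishing kits rely on URLs that look right to a quick glance. The function below is an added example, not code from the article: it parses the URL with the WHATWG URL API and accepts only an HTTPS origin whose hostname is facebook.com or one of its subdomains, rejecting the common lookalike forms (facebook.com as a prefix of another domain, a user-info section before the real host, a plain-HTTP copy, a misspelled domain). The evil.example and faceb00k.com names are constructed for illustration.

```javascript
// Added example, not code from the MakeUseOf article. Decide whether a URL
// is a page on which it is safe to type Facebook credentials: HTTPS, no
// user-info trick, and a hostname that really is facebook.com or a
// subdomain of it. The hostnames in the comments are constructed samples.
function isGenuineFacebookLogin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return { ok: false, reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS, so no padlock" };
  }
  // "https://www.facebook.com@evil.example/" parses with username
  // "www.facebook.com" and hostname "evil.example": the eye reads the first
  // part, the browser connects to the second. Reject any user-info outright.
  if (url.username || url.password) {
    return { ok: false, reason: "user-info in URL hides the real host" };
  }
  // URL() lower-cases and punycode-encodes the host, so an IDN homograph
  // such as a Cyrillic "а" in "fаcebook.com" shows up as xn--... and fails.
  const host = url.hostname;
  const genuine = host === "facebook.com" || host.endsWith(".facebook.com");
  if (!genuine) {
    // Catches "www.facebook.com.evil.example" and "faceb00k.com" alike:
    // neither ends in ".facebook.com".
    return { ok: false, reason: `host is ${host}, not facebook.com` };
  }
  return { ok: true, reason: "HTTPS origin on facebook.com" };
}

// Run a batch of links and keep only the ones that fail, with the reason.
function flagSuspiciousLoginLinks(urls) {
  return urls
    .map((u) => ({ url: u, ...isGenuineFacebookLogin(u) }))
    .filter((r) => !r.ok);
}
```

The hostname comparison is on the parsed host, not on the raw string, which is the whole point: string searches for "facebook.com" are exactly what the lookalike URLs are built to pass.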

Don’t click on Facebook links that promise something new or unusual before confirming the same with reputable websites. For example, in the phishing attack described above, all a potential victim needed to do was find out if “see who viewed your profile” was possible by posting a question on a reputable site like MakeUseOf.

You may also want to check out an app called FakeOff. FakeOff uses an algorithm to detect whether a user’s profile is fake: it analyzes profile information and even checks whether the profile photos are fake.

The “Facebook Team”

[Image: facebook-web-inject]

This attack also employs impersonation. The attacker sends you a message while posing as Facebook admin or customer support. A typical message asks you to take some action urgently, for example clicking an attachment or link to update your account or to respond to a query. The links lead to malware sites, and any attachments are packaged with malware that infects your PC.

Another variation of the “Facebook Team” threat is a fake invite that offers a prize if you forward it to all your friends or post content (spam) on their walls. Fake pages can also be set up as a front for clickjacking or phishing schemes. One such example is iBanking, a malicious Android app designed for e-banking fraud, and specifically to bypass the two-factor authentication used by banks. Users are lured into installing the app on their phones through JavaScript injected into Facebook web pages; the content shown in the screen capture above is what the injected page displays.

Precautions


[Image: no-spam]

This calls for a bit of good sense and sound judgement on your part. Facebook has strict anti-spam rules, so it stands to reason that it will not ask you to spam other people. Also, many messages purporting to come from Facebook are written in poor English or contain subtle grammatical errors (see the screenshot above) that should trigger alarm bells.

If you receive a suspicious message from the “Facebook Team”, delete it immediately without clicking anything and report the user to Facebook.

Rogue Facebook Applications

[Image: facebook-app-settings]

Are you an avid fan of Candy Crush Saga, Family Heroes or other Facebook games? Apps are common targets for clickjacking, malware and phishing. Rogue apps look like the real thing, and people click “Allow” without thinking twice about it. Before you know it, your Facebook account has been hijacked and used to spread spam to all your friends. Some apps also carry out “tag-jacking”, where a photo-tagging exploit is used to spread spam on Facebook.

Precautions

[Image: remove-facebook-app]

Spotting a rogue app can be rather difficult because they are engineered to look as much as possible like the real deal. The surest way to avoid a rogue app is to avoid third-party applications entirely. However, this may be a bit extreme for some people and may mean not getting their daily gaming fix. The more practical approach is to be very selective about the applications you install. Stick with well-known developers and always carry out extensive research before allowing an app access to your Facebook account.

Also, re-check the list of applications you have allowed access to your account by opening the down-arrow menu at the top right of your Facebook page, then clicking Settings > Apps. Review the permissions of the apps you are currently using and delete any you aren’t too sure about. As a general rule, steer clear of any apps that request total access to your Facebook account, access to your chat messages, or the right to manage pages and events. Spammers need the latter two to effectively spam your entire network.

To prevent “tag-jacking”, go to Timeline and Tagging > Tag Review and enable “Review posts friends tag you in before they appear on your timeline”.

Malware Attacks

[Image: malware]

Malware and viruses can be injected into your computer via Facebook using any of the methods listed above. Recent malware attacks propagated using Facebook include:

  • Zeus – this is a Trojan horse that attacks Windows computers. After you click a link, it downloads itself to your computer and remains dormant until something triggers its activation – in this case, an attempt to log into a bank account acts as the trigger. Once that happens the virus comes alive and swipes user names and passwords. The attacker can then retrieve this information remotely and take you to the cleaners.
  • Koobface – this attack also uses clickjacking to infect users’ computers. It usually arrives as a private message or status update from one of the user’s friends. Clicking the message or update leads to a site (usually a fake YouTube site) with a hosted video. The play button launches a fake Adobe Instant player executable file, which is really a downloader for the Koobface components.
  • “LOL” Virus – the “Lol” virus spreads through Facebook’s chat function. Users receive a message from one of their friends simply stating “lol”, with an attachment. Curious, they click the attachment, which triggers the download of a Java file containing malware from Dropbox. The virus infects the computer, hijacks your Facebook account and spreads itself to your network of friends.

Precautions

[Image: facebook-malware-attack]

New threats come up every day, but a good way to avoid malware is not to click chat-message links from people who aren’t your friends. Update your privacy settings so that you can’t receive such messages. Zeus specifically targets Windows users, leaving Mac and Linux users unaffected, so while avoiding Windows altogether may not be a sensible solution, you may consider using a different desktop operating system to access Facebook where possible.

As for the “Lol” virus, be on the lookout for messages that contain nothing but the word “lol” and an attachment. If you’re unsure whether a message really came from one of your friends, pick up the phone and call them or send an email.
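The “lol” pattern above (one throwaway word from a friend, plus an executable attachment) is simple enough to turn into a triage rule. The following is an added example, not code from the article or from Facebook: a small function that scores chat messages and a constructed batch of sample messages to run it on. The sender names, file names and URLs are made up, and the list of risky extensions is a judgement call rather than any Facebook rule.

```javascript
// Added example, not code from the MakeUseOf article. A small triage routine
// for chat messages, modelled on the "lol" worm described above: a one-word
// message from a friend carrying an executable attachment. The message
// records, sender names and URLs below are constructed for illustration;
// the extension list is a judgement call, not a Facebook rule.
const FILLER_TEXT = new Set(["", "lol", "lol!", "lol :)", "haha", "omg", "look", "see this"]);
const RISKY_EXTENSIONS = [".jar", ".exe", ".scr", ".zip", ".bat", ".vbs", ".js", ".msi"];

// Executable or archive extension? Query strings and fragments are ignored
// so "video.zip?dl=1" is still recognised.
function hasRiskyExtension(name) {
  const bare = String(name).toLowerCase().split(/[?#]/)[0];
  return RISKY_EXTENSIONS.some((ext) => bare.endsWith(ext));
}

// Returns { flag, severity, reason } for one message of the form
// { from, text, attachments: [filenames], links: [urls] }.
// Filler text plus an executable is the worm signature (high); an executable
// with real conversational text is still worth a second look (medium).
function triageChatMessage(msg) {
  const text = (msg.text || "").trim().toLowerCase().replace(/\s+/g, " ");
  const payloads = [...(msg.attachments || []), ...(msg.links || [])].filter(hasRiskyExtension);
  if (payloads.length === 0) {
    return { flag: false, severity: "none", reason: "" };
  }
  if (FILLER_TEXT.has(text)) {
    return {
      flag: true,
      severity: "high",
      reason: `filler text "${msg.text}" with executable payload: ${payloads.join(", ")}`,
    };
  }
  return { flag: true, severity: "medium", reason: `executable payload in chat: ${payloads.join(", ")}` };
}

// Run the rule over a batch and keep the sender next to each verdict.
function triageChatMessages(messages) {
  return messages.map((m) => ({ from: m.from, ...triageChatMessage(m) }));
}

// Constructed sample traffic: one worm-style message, one harmless "lol"
// with a photo, one normal document, one disguised archive link, one
// installer sent with a real explanation.
const SAMPLE_MESSAGES = [
  { from: "alice", text: "lol", attachments: ["IMG_4821.jar"] },
  { from: "bob", text: "lol", attachments: ["beach.jpg"] },
  { from: "carol", text: "slides from this morning", attachments: ["talk.pdf"] },
  { from: "dave", text: "LOL", links: ["https://files.example/s/9f3a/video.zip?dl=1"] },
  { from: "erin", text: "the installer we talked about", links: ["https://files.example/setup.exe"] },
];
```

Run `triageChatMessages(SAMPLE_MESSAGES)` and only alice, dave and erin come back flagged, the first two at high severity; bob's "lol" with a photo passes, which is the distinction the article's advice turns on: it is the word plus the executable, not the word alone.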

Windows users should also ensure they have a good antivirus and once again, it is imperative to keep your browser up-to-date.

Eternal Vigilance!

Almost all the threats described above require the user to be careless in some way for an actual attack to take place. The best advice anyone can give you about Facebook and other social media sites is to be vigilant and keep a healthy level of paranoia at all times. Facebook is also constantly on the lookout for new exploits and notifies users immediately; to receive regular security updates in your Facebook feed, like the Facebook Security page.

Have you ever been a victim of a Facebook attack? How did you resolve the situation? Please let us know in the comments below.

Image credits: JMiks via ShutterStock, Laurel L. Russwurm via Flickr

  1. Bud
    September 2, 2014 at 9:00 pm

    People forget that a "fool is born every minute and there ARE 2 to take him!" Too many are seeking their 'pot of gold' at the end of a rainbow, only to discover its elusiveness and unless they can capture a 'wee wittle' Leprechaun, they'll still end up with FOOL'S GOLD!!!

    A shame schools don't begin teaching common sense in the early grades and then graduating to courses in analytical thinking!!!

    • dragonmouth
      September 2, 2014 at 11:28 pm

      "A shame schools don’t begin teaching common sense in the early grades and then graduating to courses in analytical thinking!!!"
      In spite of its name, common sense is not very common.

  2. Fred Sagen
    September 2, 2014 at 7:08 am

    What about the latest spate of 'quizzes' ( e.g. "What do your eyes reveal about you?") that are really profiling surveys?
    Currently they are used for marketing information and 'reward' you with some sycophantic clap-trap about how incredibly intelligent you must be but future 'rewards' may not be so innocuous.

    • kihara
      September 2, 2014 at 7:48 am

      I agree, these "quizzes" seem innocuous but there is more than meets the eye like you say.

    • dragonmouth
      September 2, 2014 at 12:09 pm

      “What do your eyes reveal about you?”
      Since, as you say, the quizzes are profiling surveys, your eyes reveal quite a lot about you. :-)

  3. dragonmouth
    September 1, 2014 at 10:03 pm

    "Do you remember how life was without Facebook?"
    I don't have to remember, I live it every day. I have not succumbed to the siren call of social networks. From what I read every day, all this social crap is more trouble than it's worth.

    • kihara
      September 2, 2014 at 4:12 am

      That's interesting, are you saying you don't use social media ...ever?

    • dragonmouth
      September 2, 2014 at 12:05 pm

      That depends on how "social media" is defined. Any blog site or any forum site, such as MUO, allows for social interaction, so it can be loosely called "social media." My day to day life is not impacted in the least by a lack of FB, Twitter, MySpace, LinkedIn, G+, Pinterest or any other similar account.

      Let me correct that. I am impacted because my wife has an FB account and I have to listen to her complain bitterly about "all the stupid crap" people send her.

    • Mark
      September 24, 2014 at 7:05 am

      Not using social media in the modern sense is probably more common than you think. Most of the people I know are in either the tech or creative businesses, and I know very few who give it the time of day beyond those services like LinkedIn that they might use for professional reasons, or their business might use Twitter purely for business. Personally, email, messaging and web forums are the nearest I get, and I'm far from a recluse - I just completely fail to see the attraction.

      I reckon half the people who do use Facebook etc do so only because those around them do; if there was never the enthusiasm to begin with, it just never takes hold. There was a study a couple of years ago that suggested 50-60 percent of a population was about the high-water mark for Facebook usage, and of that a high proportion used it only to keep in touch with immediate family on important occasions. It seems more ubiquitous simply because the media loves it as a source of stories and scandal, so it assumes an over-inflated importance and presence.

  4. ed
    September 1, 2014 at 6:37 pm

    My gosh! Though I don't use Facebook, these tricks make me want to move to Linux full time.

    I assume the phishing, impersonation scams and rogue apps are still an issue under Linux, but anything requiring a download would be one less thing to worry about under Linux and perhaps OS X???

    • kihara
      September 2, 2014 at 4:10 am

      You are right, Windows users are more at risk from malware contained in downloads.
