If you thought privacy was the only thing at risk when using Facebook, it turns out there is even more to be concerned about. This is because there are other ways Facebook can compromise your security. In fact, Facebook is a major tool for cybercriminals to hack and steal information from others.
But how do they do this, and what do they gain? Here are the crucial ways criminals use Facebook to hack your devices and steal sensitive information.
If you thought advertisements were annoying, imagine ads that actually download malware to your PC. This is what can happen with fake adverts called malvertising. These are ads linked to malicious websites; they can also prompt your browser to download malware to your device.
In recent years Facebook has tightened security on its ad delivery platform. But there have been multiple instances where criminals have bypassed the social network’s restrictions.
Ads for ineffective diet pills and non-existent miracle cures are the modern equivalents of snake oil salesmen. But malvertising is more insidious. This is because the malware in these ads can steal your credentials, banking information, personal data, and more.
While Facebook has gained more control over the problem, malvertising continues to be something users should look out for.
2. Social Engineering Hacks
Scammers use social engineering, which relies on social and psychological techniques, to manipulate targets into divulging sensitive information.
It is commonly used in phishing since you are more likely to believe a scam that is tailored towards your personal information. This type of phishing scam even has its own sub-category: spear phishing.
In fact, this form of phishing is significantly more successful than regular phishing. According to cybersecurity company FireEye, personalized phishing emails have a much higher success rate than general scam emails. Their white paper on the issue states:
“Spear-phishing emails work because they’re believable. People open 3% of their spam and 70% of spear-phishing attempts. And 50% of those who open the spear-phishing emails click on the links within the email—compared to 5% for mass mailings.”
But where are scammers finding this information? Often, it’s on your Facebook profile. Even if you have privacy protections that keep most of your information from being viewed by the public, it’s not uncommon to have scammers send you a friend request to get a better view of your details.
It’s best to not accept friend requests from strangers. You should also set most of your details to private or friends only. Every detail that scammers can see can help them make their phishing emails more believable. They will often name one of your Facebook friends as the person who gave you their contact information, they can comment on new jobs or relationships, and they can personalize the email according to your location.
3. Facebook Messenger Links
A general internet rule is that if a contact sends you a URL in a message with little context or explanation, you shouldn’t click on it. This is because malicious links sent through messaging apps are one of the most common ways to hack accounts and spread viruses. Facebook Messenger’s huge reach makes the app a no-brainer for hackers.
As such, a lot of malware uses Facebook Messenger to spread. As recently as May 2018, hackers were able to use the messaging platform to trick users into downloading a fake Chrome extension.
This turned out to be malware used to steal cryptocurrency wallet credentials. The malware, dubbed Facexworm, also infiltrated users’ computers to siphon off processing power for cryptocurrency mining.
Unfortunately, if you’re not on guard, it’s easy to end up reflexively clicking on one of these links.
Don’t click links!
If you think it is probably just your friend sending you a link they want you to see, message them back and ask about it. Automated malware bots don’t tend to hold a conversation.
If you do click on a link and a site asks you to download a file—again, don’t. It’s the inherent trust users have for friends’ messages that makes this form of spreading malware particularly effective. You should also make sure that you have enough anti-malware protection to prevent automatic downloads from cross-site scripting.
4. Dodgy Apps and Quizzes
Most of us know just how much information quizzes (and other apps) on Facebook can actually gain from your account. The Cambridge Analytica scandal brought this issue starkly into the public eye. In fact, just a few weeks after news of their abuses broke, it was revealed how a quiz dubbed myPersonality also harvested user info and left it exposed due to lax security.
While Facebook is cracking down on these types of apps, they still exist. Data harvesting is one problem these apps pose, but they have also been used to deliver malware or steal account credentials. Clickbait quizzes are an easy way for advertisers and scammers alike to harvest user data. Many people don’t hesitate to give the quiz or app access to their Facebook account.
Sometimes the quizzes also include malicious code which infiltrates your PC once you access them. If you think that you may have approved access for a dodgy app, read our guide on how to revoke app access on Facebook and increase your privacy.
5. Scams Shared Through Timeline Posts
This is another form of malvertising, but rather than relying on Facebook to deliver ads on their platform, scammers share Facebook posts on their timeline or page. These posts then lead to malware or scam sites.
Sometimes scammers promote these posts through Facebook’s advertising tools. But they are also spread and shared by regular and fake users alike. This is especially true for scam sites which promise some sort of reward, such as the chance to win money.
The sites that are shared in these posts often attempt to replicate the appearance of legitimate news sites. However, when a user visits the page, the site will either attempt to inject malware into the user’s device or a popup will appear. These popups present a fake product, offer a free item to users or promote a fake service such as an “amazing Bitcoin opportunity”. When users click on this popup, a page asks them to enter payment information or other credentials. This information is then used to steal money, identities or access to user accounts.
The problem is significant enough that a broadcaster and entrepreneur named Martin Lewis is suing Facebook for a flurry of sponsored fake posts that use his name and reputation to promote scams. Since the announcement of his lawsuit, the social network has removed thousands of posts that use Lewis’ name and reputation to scam users.
How to Avoid Malware and Viruses on Facebook
It may feel like Facebook is a minefield to navigate in terms of privacy and cybersecurity risks. But if you do get struck by malware, there are options available to help remove it.
For more information on how to avoid these cybersecurity threats on Facebook, check out our guide on preventing and removing viruses on Facebook.