Internet Security Fundamentals - Online Edition

16 Social Media

A few years back there was a big turning point in social media with regards to security, when the platforms started allowing third parties to build applications that expand their normal offering. If one of these third-party applications is compromised, the attacker has a way to access everything you’ve ever posted or written, despite you having all the ‘privacy’ options ticked. If you can, avoid adding games and other enhancements to social media sites like Facebook, because each one you add is like giving out your front door key, especially if you use the same password for other sites and email accounts.

 

One of the biggest issues, though, is what you say on social media. Writing about your holiday after the event is fine, but telling everyone how excited you are about taking the whole family to the Bahamas in two weeks’ time is not the best idea. Add in the party invite from last month that had your address details, together with a completely public profile, and you are a burglar’s dream.

 

Sharing social media systems with family members, especially your parents, can be a bad idea. Consider the following example of a mother and daughter both on Facebook, with links to each other’s profiles so that others know they are mother and daughter. If the mother has entries about her surname when she was in school, she has effectively given away sensitive information. By looking at the daughter’s social media profile, you could work out her mother’s maiden name. In the wrong hands, with certain other bits of information, this can cause you lots of problems.

 

Remember to only post what you would want others to see and know about you. This is especially true when you are looking for a new job, as a candidate’s social media profiles are routinely queried as part of the interview process. 

 

Also, don’t forget, you can end up on social media sites without even having an account. Your friends can tag you in photos that they upload, without your knowledge. It is only when someone says ‘I saw your photo last night on…’ that you find out, unless of course you like to run online searches on yourself.

 

Social media in the workplace has also taken off, with business-focused sites like LinkedIn having over 1 billion users in more than 200 countries around the world. This is quite an attractive catch for online criminals; a high percentage of LinkedIn users have well-paid jobs, which equals bank accounts and credit cards, compared to the many teenage Facebook users, who probably won’t have much to steal digitally.

 

And so, as a result, we have fake LinkedIn reminders and alerts like the one below:

Hovering over a link with a mouse shows a ‘tooltip’ with the correct website address, but this is a trick, as the link actually sends you to http://http//infoxamthoneplus.com/yysVuF/index.html/ 

The real destination address is displayed in the browser ‘status bar’ so make sure you have it turned on to avoid falling for these tricks. Remember, if you always manually type the address for all your social media websites, or use your browser’s favourites links, these tricks don’t work.
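The tooltip trick described above can also be checked automatically. The following is an added example, not part of the original book: it parses a message's HTML and reports every link whose tooltip (the `title` attribute) or visible text names one site while the `href` points to another. All hostnames other than linkedin.com are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Finds a hostname such as www.linkedin.com inside tooltip or link text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def same_site(claimed, actual):
    """True when the real host is the claimed host or one of its subdomains."""
    claimed, actual = (re.sub(r"^www\.", "", h) for h in (claimed, actual))
    return actual == claimed or actual.endswith("." + claimed)

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._cur = {"href": a.get("href") or "",
                         "title": a.get("title") or "", "text": ""}

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag != "a" or self._cur is None:
            return
        link, self._cur = self._cur, None
        # The href is what the browser follows and shows in the status bar.
        actual = (urlparse(link["href"]).hostname or "").lower()
        for where in ("title", "text"):
            m = HOST_RE.search(link[where])
            if m and not same_site(m.group(1).lower(), actual):
                self.findings.append((where, m.group(1).lower(), actual))

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample message; all hosts except linkedin.com are placeholders.
SAMPLE = """<a href="http://login.phish.example/x/index.html"
 title="https://www.linkedin.com/inbox">View message</a>
<a href="https://www.linkedin.com/help">www.linkedin.com/help</a>
<a href="http://tracker.example/r">https://www.linkedin.com/settings</a>"""
```

Calling `audit(SAMPLE)` returns one finding for the first link (misleading tooltip) and one for the third (misleading link text); the second link is genuine and is not reported.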

 

One major social media system, Facebook, now has over two billion active monthly users, which represents a massive target for scams by cyber-criminals. In fact, the antivirus company Bitdefender analysed over 850,000 Facebook scams in a two-year study, to give you an idea of the scale of the problem. Facebook itself reported that millions of its accounts are fakes created for spam and other purposes.

 

The study revealed the ‘hooks’ or ‘baits’ used by the five most popular types of Facebook scams to trick people into installing malicious software, visiting an infected website or ‘liking’ a fake account or post.

 

45.50% - Guess who viewed your profile? (can be tailored to individuals)

29.53% - Facebook functionality scams (bogus add-ons and enhancements)

16.51% - Giveaway scams (often used to harvest personal info)

7.53% - Celebrity scams

0.93% - Atrocity videos

 

Curiosity is a major element in many of these scams, as well as a general lack of knowledge of what features are built into Facebook and what it will allow third-party add-ons to do. Basically, a lot of people can be easily tricked to a lesser or greater degree, so your best defense is to stick to the basic functionality of Facebook and avoid add-ons, enhancements and giveaways. Curiosity may still get the better of you, for which there is no easy answer. I recommend that you download and read the short 6-page Bitdefender study yourself, called ‘A Glance Into The Psychology Of Facebook Scam Victims’, at: http://bit.ly/facebook-scams

Also, criminals are embedding malicious hyperlinks in social media posts and sending emails that point to the social media post as a way of avoiding email security filters. By using phishing techniques to compromise social media accounts, they add malicious links into message posts from people you know. You may receive a notification about a post or message like this:

Clicking the video link then takes you to a fake Facebook login / age authorisation page before forwarding you on to webpages that further the criminals’ aims by tricking you into installing plugins and other software. And, because you gave the criminals your login credentials, you will also find that your Facebook contacts will receive posts and messages that you would never ordinarily send them, helping the criminals find their next victims.

More recently there has been a trend for cyber criminals to use compromised credentials of social media accounts, especially those with large followings, in order to create fake posts or direct messages with malicious links. A lot of businesses have focused their cyber security training and security solutions around email, so by using social media, many of these defences are effectively bypassed. There is also the social engineering factor: you may have built up a high degree of trust with this particular person, or they may be a peer or leader in their field, so if they post an offer or deal via their account, your first instinct is not typically to question whether it is a genuine post by them.

 

Unfortunately, being cautious when it comes to following links on any form of social media is counterintuitive. Everything is designed around sharing and promoting information, and the criminals are exploiting this. Be wary of anything in a social media post or message that, when clicked, takes you to a webpage or opens a dialog box that then asks for a username or password. You would typically already be logged into the social media platform concerned or taken to a shared area of another platform, so logging in is not required.

 

Cyber criminals are also focusing on little-known features on social media platforms, like LinkedIn’s voice message feature. Take this example below that was sent to me via a compromised LinkedIn account (the name has been changed) that has been made to look legitimate.

Lastly, following the news in 2018 about the data analytics firm Cambridge Analytica, who allegedly used personal information gleaned from over 50 million Facebook profiles without permission to create personalised political advertisements, social media companies are facing hard questions from their users. In response they have highlighted how you can download everything they have on you, which was always available by the way.

 

Facebook: https://www.facebook.com/help/405183566203254

In Facebook go to Settings - General Account Settings - Download a copy of your Facebook data.

 

LinkedIn: https://www.linkedin.com/help/linkedin/answer/50191/accessing-your-account-data

 

Google: https://takeout.google.com/settings/takeout

 

Google holds a lot of data on individuals, so much so it is split into 32 products when you go to download your data. Here’s what the process looks like:


