Avoiding Scammers - HackerUp on Facebook Security (2016)

Avoiding Scammers

It’s human nature to avoid dangerous situations. See a piano falling from the roof? You’re going to automatically move out of the way. See a scam email? You should automatically delete it and report it as spam.

On Facebook, identifying scams is trickier since messages can appear to be coming from people you know and trust. So how do you spot a scam on Facebook? Let’s begin with a bit of context.

Online scams tend to be moving targets. In the beginning, the obvious scams were email attachments from people you didn’t know. Then it was “Security alerts” from banks or credit cards. Today, it may also be a status update from a Friend asking you to watch a viral video, read about a celebrity scandal, or sign up for free giveaways.

In addition to the run-of-the-mill scams you find all over the Internet, there are several scams that target social networking sites and Facebook users. Some popular phishing scams offer to show you who is viewing your profile or pretend to provide new functions. One especially long-running phishing scam claims to provide a Dislike button (something Facebook has repeatedly announced it will not do because the negative approach simply isn’t consistent with the company’s culture). In another scam that continues to make the rounds, victims receive a Facebook message from a (hacked) Friend’s account claiming that the Friend just saw them in a compromising video. Of course, there is no such video. The “video” link connects the victim to a website that infects their computer with malware. Another scam uses Facebook Messenger to try to convince you that a Friend is in trouble when in fact that Friend’s account has been taken over by an impostor. Have a Friend claiming to be in trouble? Phone that Friend to make sure that’s who you’re really chatting with.

Conventional scammers

Scammers hit Facebook for the same reason they target the rest of the Internet. They want access to your information, or your computer, or the money in your pocket. And sometimes they want to trick you into downloading malicious software to your computer. To avoid being tricked, learn how to recognize the phishers, account thieves, and malware pushers.

Phishing: An attempt to trick users into revealing personal information or financial data.

Phishers steal personal information, often the data needed for identity theft and fraud. Phishing is an attempt to trick users into revealing personal information or financial data. You’ve already seen phishing scams in your email. On Facebook, phishers can try to scam you from multiple places—in status updates, posting links on your Timeline, and in Facebook messages. They may even send you regular email pretending to be Facebook or a popular App like Spotify or Pinterest. The most common phishing scams in 2015 pretended to be from Facebook and asked victims to confirm their account information and/or identity. The link provided connected victims to a fake site that looked like Facebook.

Facebook account thieves

Why would anyone want your Facebook account? They hope to access other accounts using your password. They might want to sell your information, or to scam your Friends to steal their credentials. People are far more likely to fall for a scam when it comes from someone they trust, like a Friend.

So how do the scammers trick you? Scammers try to catch you off guard and hit you with the fake Facebook login WHILE you’re actually using Facebook. The scammer might post a comment on your Timeline that includes a link to something enticing. They might even do this using an account they’ve stolen from one of your Friends so they gain your trust. The message will be something that will grab your attention and usually contains a malicious link. The link will be enticing, promising something like scandalous photos, a sneak preview of a hot upcoming film, or a weird video. When you click on the malicious link, you’re asked to log into Facebook again. Except that you’re not on Facebook anymore. The link actually takes you to a fake Facebook site, so when you re-enter your Facebook login credentials, you’re handing them over to a scammer.

Unlike the clumsy email scams written in broken English, many of the fake Facebook login screens are pretty believable.

How do you avoid Facebook login scams? Beware of anything coming from a Friend that appears silly, or too good to be true. And, ALWAYS, look carefully at both the link in the address bar and links you click. If it looks suspicious—DON’T CLICK. Facebook will never ask you to log back in once you have logged in.

Facebook will never ask you to log back in once you have logged in.

Don’t click on links provided in emails or private messages. If you want to log into Facebook, type the address www.facebook.com into your browser or click on the app on your mobile device.

Facebook only needs you to log in once each session. If you’re asked to log in again—it’s NOT Facebook.
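The advice above comes down to one check: does the link, and the address bar after you click, really point at facebook.com? The following is an added example, not code from the original article, showing how that check can be written so that the usual disguises fail it: a hostname that merely begins with facebook.com, lookalike characters, plain HTTP, or a URL whose real host sits after an “@” sign. It also flags a link whose visible text names one site while the link opens another. The sample links are constructed for illustration, not real scam addresses.

```javascript
// Added example (not from the original article): decide whether a link really
// leads to facebook.com, the check the text asks readers to make by eye.
// Uses the WHATWG URL class that is global in Node.js and in browsers.

const TRUSTED_HOST = "facebook.com";

// True only for an HTTPS URL whose hostname is facebook.com or a subdomain of it.
function isGenuineFacebookUrl(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return false; // not an absolute, parseable URL
  }
  if (url.protocol !== "https:") return false;
  // "https://www.facebook.com@other.example/" parses with the real host in
  // url.hostname and "www.facebook.com" as the username; reject any userinfo.
  if (url.username || url.password) return false;
  const host = url.hostname.toLowerCase();
  return host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST);
}

// True when a link's visible text is itself a URL whose hostname differs from
// the hostname the link actually opens, a classic phishing tell.
function linkTextMismatch(visibleText, href) {
  let shown;
  try {
    shown = new URL(visibleText.trim());
  } catch (e) {
    return false; // visible text is ordinary words, nothing to compare
  }
  let real;
  try {
    real = new URL(href);
  } catch (e) {
    return true; // the text looks like a URL but the target is not one
  }
  return shown.hostname.toLowerCase() !== real.hostname.toLowerCase();
}

// Constructed samples for demonstration, not real scam addresses.
const SAMPLE_LINKS = [
  "https://www.facebook.com/login",            // genuine
  "https://facebook.com.login-check.example/", // facebook.com is only a prefix
  "https://faceb00k.com/",                     // lookalike characters
  "http://www.facebook.com/",                  // plain HTTP
  "https://www.facebook.com@login.example/",   // real host is login.example
];

// Returns one verdict per link so the results can be inspected or asserted on.
function classifyLinks(links) {
  return links.map((href) => ({ href, genuine: isGenuineFacebookUrl(href) }));
}

for (const { href, genuine } of classifyLinks(SAMPLE_LINKS)) {
  console.log(`${genuine ? "OK  " : "STOP"} ${href}`);
}
```

Only the first sample passes; every other one fails for a different reason, which is exactly the list of things the text tells you to look for in the address bar.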

Malware pushers

Malware pushers want to install destructive software on your computer. That malicious software, called malware, is designed to harm your computer or steal personal information. Malware might do a number of nasty things. It could install spyware to log your keystrokes and collect financial account numbers and passwords. It might even lock up your computer unless you pay a ransom.

How do malware pushers target Facebook users? You’ll be presented with an offer to download and install new software. They may even trick you into installing the software yourself with something called a Self-XSS scam.

Self-XSS: A cross-site scripting scam in which users are tricked into hacking their own accounts.

How does that work? Like most scams, Self-XSS scams rely on social engineering. That’s a form of psychology that uses general knowledge of human behavior to trick users into breaking their own security rules. First, Self-XSS scams come to you as status posts or messages from a Facebook Friend. And it’s basic human nature to trust your own friends. Second, the scams often bring in a little schadenfreude. That’s a German word that means taking pleasure at another’s misfortune. While that sounds terrible, that’s exactly the draw of popular videos claiming to show famous movie stars in compromising situations: pop star arrest videos or mug shots, supermodels falling off the diet bandwagon. In other cases, you’re offered cool functions that Facebook “doesn’t want you to have!”

Now that you know how the scam works, how exactly does the hack work? To get to those videos that “Facebook doesn’t want you to see” or add those functions “Facebook doesn’t want you to have,” you’re told you need to trick Facebook by pasting a “secret code” into your browser’s JavaScript console. Naturally, people always want what they’re being told they can’t have—yet another application of social engineering.

What’s really happening with that secret code? That text is actually a program written in JavaScript, the scripting language used on most websites. While most JavaScript isn’t malicious, you can bet that any script you’re tricked into pasting into your browser’s JavaScript console is definitely malware.

Social engineering: Using general knowledge of human behavior to trick users into breaking their own security rules.

In some cases, users know that up front. One of the most common Self-XSS scams is Wanna Hack Facebook?. In this scam, you’re tagged in a Friend’s post claiming that you can hack anyone’s Facebook account with this simple trick. Of course, your Friend’s account has already been hacked, and you’ve actually been tagged by the scammer. If you follow the instructions and wait patiently as you’re told to, the script is hacking your Facebook account—not someone else’s. The final touch of social engineering? Victims of the Wanna Hack Facebook? scam are fairly reluctant to report the account theft to Facebook or ask for help. After all, they were trying to hack someone else’s account. Asking for help at that point would be like going to the police for help because you were mugged while trying to rob a bank.

The best help is to protect yourself up front. Never paste code you don’t understand into your browser because a Friend suggested it. Unless you are a software developer, you really have no reason to ever paste code into your browser console.

Wanna Hack Facebook? You really shouldn’t! Why?

• Hacking someone else’s account isn’t cool. It’s criminal.

• That message didn’t come from your friend. His account’s already been hacked.

• The only account that secret script is going to hack is yours.

• Yeah, it’s a trick. Hard to believe you can’t trust people promising to teach you how to steal.

Be sure to give your Friends a heads up if you start seeing this type of post from them. Your Friends may be completely clueless that their Facebook accounts have been hacked. Let them know to change their passwords and how to recover a hacked account if needed.

Clickjacking

Clickjacking is a technique used by attackers to trick users into clicking on links or buttons that are hidden from view. Clickjacking is possible because of a security weakness in web browsers: one web page can load another page inside a frame and layer it, invisibly, over the content you see. You think you are clicking on a standard button, like the PLAY button on an enticing video, but you are really clicking on a hidden link. Since you can’t see the clickjacker’s hidden link, you have no idea what you’re really doing. You could be downloading malware or making all your Facebook information public without realizing it. Yikes!

Clickjacking: A technique used by attackers to trick users into clicking on links or buttons that are hidden from view.

One form of clickjacking is to hide a LIKE button underneath a dummy button. That’s called likejacking. A scammer might trick you into saying that you like a product you’ve never heard of in an underhanded bid to create viral marketing buzz. At first glance, likejacking sounds more annoying than harmful, but that’s not always true. If you’re scammed into liking diet pills, the world isn’t likely to end. But you may be helping to spread spam or possibly sending Friends somewhere that contains malware.

How can you avoid being jacked? Technologically, you can minimize your risk by staying current on browser updates. The browser companies are continually adding updates to shut down vulnerabilities that allow clickjackers and other scammers to operate. If you’re using the Firefox browser, also consider installing the NoScript add-on. NoScript allows active content to run only from sites you trust, giving you protection against XSS and clickjacking attacks. This is one of the best free security tools on the Internet. Beyond that, pay attention to what you’re getting and from whom. Would a college professor really share a post about watching hidden camera videos? If a post from one of your Friends seems suspicious, don’t click on it!
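The paragraph covers what a reader can do; the other half of the defence belongs to the website, which can tell browsers that its pages may never be shown inside another site’s frame, so there is nothing for a clickjacker to layer over. The following is an added example, not code from the original article or from Facebook, that audits a set of HTTP response headers the way a site owner would: it reports whether an arbitrary third-party page could still frame the response, honouring the Content-Security-Policy frame-ancestors directive first and the older X-Frame-Options header as a fallback. The header sets are constructed samples.

```javascript
// Added example (not from the original article): audit response headers for
// the anti-clickjacking declarations that stop a page from being framed by
// another site. Header values below are constructed samples.

// Returns the source list of a CSP's frame-ancestors directive, or null when
// the directive is absent. An empty list means 'none' per the CSP spec.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// True when an arbitrary third-party origin could embed this response in a frame.
function thirdPartyFramingAllowed(headers) {
  // Header names are case-insensitive; normalise them.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // Browsers that understand frame-ancestors ignore X-Frame-Options when it is present.
  const csp = h["content-security-policy"];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      // 'none', 'self' or a list of named origins all exclude a random third
      // party; only a wildcard host or a bare scheme lets anyone frame the page.
      return sources.some((s) => s === "*" || s === "https:" || s === "http:");
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY" || value === "SAMEORIGIN") return false;
    // The old ALLOW-FROM form is obsolete and ignored by current browsers,
    // so it is treated here as offering no protection.
  }
  return true; // no framing restriction declared at all
}

// Constructed header sets: a page as shipped without thought, and the same
// page hardened with both the modern directive and the legacy fallback.
const UNPROTECTED = { "Content-Type": "text/html" };
const HARDENED = {
  "Content-Type": "text/html",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY", // fallback for browsers without CSP level 2
};

console.log("unprotected can be framed:", thirdPartyFramingAllowed(UNPROTECTED));
console.log("hardened can be framed:   ", thirdPartyFramingAllowed(HARDENED));
```

A page that legitimately needs to be embedded by a partner lists that partner explicitly (`frame-ancestors 'self' https://partner.example`), which the audit still reports as closed to everyone else. Sending both headers, as the hardened sample does, covers old browsers and new ones alike.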

A suspicious post could be a sign that your Friend’s Facebook account has been hijacked or that your Friend has been clickjacked to LIKE or SHARE something without knowing it. If you know your Friends, you’ll know what those Friends really would LIKE or SHARE. That’s why one of your best protections against scams is not accepting Friend requests from people you don’t actually know.

Likefarming scams rely on sympathy and compassion.

Likefarming is a relatively new Facebook scam, similar to Likejacking. With Likefarming, a spammer uses social engineering to create a page or meme likely to go viral. Likefarming scams usually rely on sympathy and compassion. These posts ask you to pray for sick children, Like and type Amen, or Share if you Love Jesus. Sharing is important for the post to acquire a large number of Likes.

Once the page has acquired a large number of Likes, the scammer sells the page to a company that renames the page and uses it to promote a product or service. Overnight, that post that asked you to pray for hurricane victims may be selling timeshares or peddling a pyramid scheme. The thousands of Likes make the seller seem reputable. If you think you may have fallen victim to a Likefarming scam, you can look at the pages and posts you’ve Liked by selecting View Activity Log. If you see a page or post you know you most certainly didn’t like, you can Unlike it.

Targeted ads

In addition to scamming you into promoting pages you really and truly don’t like, Likefarming can cause Facebook to show you some very strange ads.

How does this happen? By default, Facebook tailors the ads that it shows you to match your interests. Facebook determines what you’re interested in by what you do on Facebook. That is, Facebook looks at what you Like, which groups you join, which words appear in your status posts, and even which apps you use from within Facebook. It then uses that information to display ads that it assumes you’ll be interested in based on your Facebook activity.

Although this sounds a bit creepy or at least intrusive, the rationale is that “ad targeting” allows Facebook to show you products you’re more likely to be interested in. And of course, it allows advertisers to reach Facebook users most likely to be interested in their products.

While targeted ads may in fact be more relevant to Facebook users, they also make some users very uncomfortable. If you don’t want to see targeted ads, navigate to SETTINGS, select ADS and MANAGE THE PREFERENCES WE USE TO SHOW YOU ADS. You can remove any topic on which you don’t want to see ads. In fact, you can remove all the preferences. Keep in mind that while this will eliminate all targeted ads, it won’t eliminate ads altogether. Those ads just won’t be selected to match your Facebook activities.