Avoiding Social Spam on Facebook and Twitter

By | January 30th, 2012|Uncategorized|

By John Sileo, CSID consumer security expert

The post appears like it’s coming from a known friend. It’s enticing (“check out what our old high school friend does for a living now!”), feeds on your curiosity and good nature, begs you to click. A quick peek at the video, a chance to win a FREE iPad or to download a coupon, and presto, you’ve just infected your computer with malware (all the bad stuff that sends your private information to criminals and marketers). Sound like the spam email of days gone by? You’re right – spam has officially moved into the world of social media, and it’s like winning the lottery for cyber thugs.

What is Social Spam? Nothing more than junk posts on your social media sites luring you to click on links that download malicious software onto your computer or mobile device.

Social media (especially Facebook and Twitter) are under assault by social spam. Even Facebook cautions that the social spam volume is growing more rapidly than their user base. The spam-fighting teams at both Facebook and Twitter are growing rapidly. The previous handful of special engineers has seen the inclusion of lawyers, user-operations managers, risk analysts, spam-science programmers and account-abuse specialists. Spammers are following the growing market share, exploiting our web of social relationships. Most of us are ill-prepared to defend against such spam attacks. Here’s how social spam tends to work:

1. Malware infects your friend’s computer, smartphone or tablet, allowing the spammer to access their Facebook or Twitter account exactly as if the spammer were your friend.

2. The spammer posts a message on your friend’s Facebook or Twitter page offering a free iPad, amazing coupons or a video you can’t ignore.

3. You click on the link, photo, Like button (see Like-jacking below) or video and are taken to a website that requires you to click a second time to receive the coupon, video, etc. It’s this second click that kills you, as this is when you authorize the rogue site to download malware onto your computer (not a coupon or video).

4. The malware infects your computer just like it has your friend’s and starts the process all over again using your contacts, your wall and your profile to continue the fraud.

5. Eventually, the spammer has collected a massive database of information including email addresses, login information and valuable social relationship data that they can exploit in many ways. In the process, the malware may have given them access to other data on your computer like bank logins, personal information or sensitive files. In a highly disturbing growth of criminal activity, social malware can actually impersonate users, initiating one-on-one Facebook chat sessions without your consent.

“Like-jacking” involves convincing Facebook users to click on an image or a link that looks as if a friend has clicked the “Like” button, thereby recommending that you follow suit. If our friends Like it, why shouldn’t we. So we click and download in an almost automated response. The key is to interrupt this automatic reflex before we get stung.

Fighting social spam requires immense investments of time, which can mean lost productivity (and money). Gratefully, various company site-integrity teams watch trends in user activity to spot spam. Every day, Facebook says it blocks 200 million malicious actions, such as messages linking to malware. The company can’t prevent spam, but it’s diligently working to make it harder to create and use fake profiles.

But never count on someone else to protect what is yours. You must own up to your responsibility. Follow these 6 Steps to Minimize the Risks of Social Spam:

1. If the offer in the post is too enticing, too good to be true or too bad to be real, don’t click.

2. If you do click and aren’t taken directly to what you expected, make sure you don’t click a second time. This gives the spammer the ability to download malware to your system.

3. Don’t let hackers gain access to your account in the first place – use strong alpha-numberic-upper-lower case passwords that are different for every site and that you change frequently.

4. Remember, in a world where your friend’s accounts are pretty easily taken over, not all friends are who they say they are. Be judicious. If something they post is out of character, it might not be them writing the post. Call them and verify.

5. Don’t befriend strangers. Your ego wins, but you loose.

6. Make sure you have updated computer security: operating system patches, robust passwords, file encryption, security software, firewall and protected Wi-Fi connection.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and it’s polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation (he shares how he lost $300,000, 2 years and his business to data breach), or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

The Changing Landscape of Spam

By | October 19th, 2011|Uncategorized|

PC Mag recently published an infographic that visualizes a study by Commtouch about “The State of Hacked Accounts.” Commtouch collected data from email users who have had their email accounts hacked to draw conclusions about email security and the motives of email hackers.


The study found that two-thirds of hacked email accounts are used to send spam or scams to email addresses listed in the account’s address book, full of family and friends. Many of these messages are focused on obtaining money from the recipients. They utilize angles such as “stuck in a foreign country, please send money,” and recipients see that someone close to them is asking for financial help.

Traditionally, email spam has been focused on marketing (generally unwanted) products through huge email blasts. Email and security providers quickly caught on, however, and now automatic spam folders work their magic on a regular basis and botnets can now be taken down instantly.  What does this mean for spam?

A Changing Landscape:

The spam landscape has changed. Hackers have realized that, with the onset of spam filters and the decline of botnets, they have to switch tactics. They have been finding success in compromising existing email accounts for spam and scams because (1) these accounts exist within whitelisted IP address ranges like Hotmail, Yahoo and Gmail, thus bypassing spam filters and (2) recipients are more likely to open emails from a familiar addresses than unknown senders, and are therefore more likely to follow through in providing personal information.

 eWeek’s Fahmida Rashid wrote an article describing the modern inner workings of the hacker community: “Hackers are often perceived as isolated, alienated individuals, working alone or in small groups. In reality, hackers are quite social, frequenting online forums and chat rooms to brag about their exploits, exchange tips and share knowledge, according to a recent analysis of hacker activity.”

The Future:

So what does this mean? We can likely expect an increase of such personalized scams, in email as well as social media outlets. To combat these intelligent, organized and widespread hacker communities, we have to do our best to predict next moves and be a step ahead. Then again, that’s why the U.S. government is hiring hackers left and right, but that’s for another blog post.

In the meantime, be smart. See the prevention tips in at the bottom of the infographic, and check out identity protection tips from our consumer identity theft expert, John Sileo, in earlier blog posts.

Load More Posts