Why scammers find rich pickings on Facebook

People shed their normal caution on social networking sites, leaving the scammers and worm-writers to rub their hands with glee, says Mary Landesman
Written by Mary Landesman, Contributor

Social networks are teeming with potential victims for scammers and worm writers. That's because people suspend their normal standards of judgement online, says internet security expert Mary Landesman.

When otherwise sane and sensible people join social networks, something rather mysterious often happens — they become promiscuous frienders.

There are a couple of possible explanations: people who are seemingly in control in real life find they simply cannot say 'No' in the virtual world; alternatively, the public display of the number of contacts reinforces their competitive edge, causing them to choose quantity over quality.

It's not that social networking in itself is bad. On the contrary, social networks allow us to catalogue, engage and unleash the power of our connections. They exploit the virtual equivalent of six degrees of separation — the notion that we are each only six acquaintances removed from anyone else on the planet.

Social-engineering scams
Social networks can also provide a venue for everything from self-expression to business development. But on the flip side, social networks can leave us more susceptible to social-engineering scams, expose sensitive information, and potentially make us more vulnerable to malware attacks. That risk isn't really inherent in social networking per se, but rather in how well social networks are managed.

Just as keeping up with the Joneses has contributed greatly to the global economic crisis, keeping up with the rabid frienders has contributed to the success of social-networking worms such as Koobface. That isn't because Koobface was some technologically devious bit of malware, but rather because we rather stupidly assume everything we receive from a friend is somehow legitimate.

You can see this phenomenon of misplaced trust with one of the oldest online tricks in the book — the email hoax that claims Bill Gates and AOL have teamed up to give away his fortune. No matter how unbelievable the hoax may seem, it's been circulating widely for well over a decade.

The reason for its success lies in our belief that our friends would never forward such a thing if it were not true. But the reality is they forwarded it to us because a friend forwarded it to them because a friend forwarded it to them, and so on.

Everyone in the chain is acting on the assumption that the person before them is trustworthy. And judging by the many forwarded addresses included, it's no coincidence that this particular hoax remains particularly viable among corporate and local government users.

After all, these are just the types of people we have most reason to trust. Among the college-aged crowd and younger groups, less reputational trust exists and such trivial hoaxes tend to die fast.

Worms such as Koobface exploit both our willingness to trust correspondence from friends and the handy cataloguing of those friends in one location. When a user on Facebook, or Bebo, or some other susceptible social network is infected, the Koobface worm sends a message to all of their contacts in that network.

The message is simple, usually consisting of nothing more than a one-liner to check out some video and a link to the site allegedly hosting that video. Those who click through will be instructed to install a Flash update, which in reality is just another copy of Koobface — thus the process repeats itself with each new victim.

Sensitive information
Social networking can also bring out the 'inner flasher' in some people, causing them to recite intimate details of their personal life, or detailed itineraries of their travel, or other potentially sensitive information that might best be left private.

Consider, for example, the risk of Twittering your travel plans, which can be matched up to recently added LinkedIn contacts, which in turn can be correlated to interests followed on NetVibes. Suddenly that big deal you were hoping to close or the job offer you were pursuing isn't as secret as you had hoped.

Inner flashers also leave themselves more open to targeted scams that gain credibility by personalising the message based on publicly scraped information. An inner flasher who is also a promiscuous friender thus faces a double-whammy of potential risk — both to themselves and to the company for which they work.

Used responsibly, social networking sites offer tremendous value — but as with anything else in life, moderation is the key. Don't blindly accept friend requests from people you don't know and with whom you don't have some legitimate need to stay in contact. It really is OK to say 'No'.

Be careful of the types of information you disclose — what you say on one site or network can be correlated with information found on other sites.

It pays to ego-surf occasionally to see what type of information the search engines have catalogued about you, so you'll be better prepared to question a targeted email scam. Above all, don't automatically trust any message just because it comes from someone you know.

BTW, Bill Gates will pay you $245 for every unique person you send this article to. Be sure to forward it to everyone you know.

Mary Landesman is the senior security researcher for ScanSafe.