Social networking provides rich hunting grounds for online criminals simply because of the inherent trust that we place in our friends. As economist Dr Baines says: "It's not what you do, it's what people think of you."
You might not fall for a scam presented to you directly via a phishing email or other source, but if information comes from someone you know, you'll be more likely to trust it. The problem is, your friend might not be as informed as you. Worse still, their account may have been hacked, and the bad guys might be tweeting out links to a trojan or dodgy sites.
This attack vector might sound familiar. If you were around during the early days of email, it was very common to receive messages from concerned friends who wanted to warn you about the latest virus threat.
These detailed hoax malware that did impossible things such as physically breaking your CPU. The aspects of human nature exploited by these hoaxes (trust and fear) are alive and well, and ready to spread real malware today.
Be wary of apps
In the race for revenue, many social-networking sites allow users to install web apps and to pass the time playing embedded games. However, the proliferation of apps is such that it's difficult to keep up with new ones, even for the site's dedicated security staff.
Because of this, there's a real danger that you could accidentally install malware. Without proper antivirus protection, you could then see your Facebook or MySpace account hijacked and used to send spam and malware, or your credit card details being sold and abused.
Search for any app that you want to install to see if it's been reported as dodgy – and ensure you're running decent antivirus software too. Hackers who specialise in malware for social-networking sites know that good lies can travel around the world faster than they can be exposed. A good example is the rise in cons that rely on worried friends passing on supposed advice about how to avoid the latest threat.
A flurry of wall posts on Facebook that include a link to a malicious web page can lend a level of credibility to a phishing site that can't be achieved easily in any other way. There's a good chance that many people will repost the link for their pool of friends to read without even checking the site to see if it's legitimate first.
When you receive such a link from a friend, the first thing you should do is to search for it to see if it's been flagged as a scam. If it has, the responsible thing to do is to warn others by posting the news. It may embarrass your friend, but you'll be saving their bacon in the long run, as well as that of their other friends. Just be careful how you word the update – you don't want it to appear as if you've been hacked too!
The friend in trouble
A growing problem for social networking sites with chat facilities is the 'friend in trouble' scam. After hijacking an account, the con man starts a chat with somebody. He exchanges hellos and then says he has a problem. He's on holiday in a dodgy part of the world and, unsurprisingly, has been robbed. Can you help him out by wiring him the money he needs to get home? Why wouldn't you want to help out a friend you know in real life?
That's the central mechanism that makes this con work. Your job is to try to decide whether you're about to ignore a real plea for help. The easiest way of telling if the person is really your friend is to ask several questions only the real friend would know the answer to. Remember that the scammer has access to the information in your profile, the profile of the account he's hijacked and those of your mutual friends.
Because of this, be sure to ask about unique events that may have happened decades ago, and which neither of you has spoken about for years. It's surprising just how quickly a scammer will make his excuses and leave, whereupon you must contact the account's real owner and tell him what happened.
"Is this you?"
This scam hints at the power inherent in the trust people put in their friends online. Earlier this year, Twitter users began to receive direct messages, discretely warning them that they should delete a photo they'd uploaded to another site.
These messages were from a friend's account that had been hacked, and the victims had no knowledge of the other site and had never uploaded such a photo, but deliberately vague wording worried many people into clicking on the link and becoming infected with malware on the landing page.
What's clever about this scam is that the warning from a friend and the seeming need for discretion means that we're more likely to risk clicking on the link. In such cases, you should verify that your friend sent you the message. Don't do this by replying directly – instead use a different communication method such as a phone call or email.
