by Senior Editor

5 More Facebook, Twitter Scams to Avoid

Aug 31, 2009

Application Security, Cybercrime, Data and Information Security

From get-rich-quick schemes to pornographic robots, the latest social networking scams reveal just how much more sophisticated the crooks are getting

A recent survey released by AVG Technologies and the Chief Marketing Officers Council reveals that while most social network users are concerned about the security of the sites, the vast majority do not take the necessary precautions to protect themselves. Of the 250 users polled, 47 percent have been victims of malware infections and 55 percent have been subjected to phishing (see also: 9 Dirty Tricks: Social Engineers’ Favorite Pick Up Lines). However, despite those numbers, most users (64 percent) rarely or never change their passwords, 57 percent rarely or never adjust their privacy settings, and 90 percent fail to report security issues to the social networks (read about more security oversights in Seven Deadly Sins of Social Network Security).

With such daunting numbers, you want the users accessing these sites on your network to be informed, right? CSO recently outlined 5 common scams on Facebook and Twitter that users are seeing, and being taken by, when they are on these sites. But, like any savvy business person, the crooks are crafting new plans and updating their tactics each day. Here are five more dirty tricks to look out for.

Tweet for cash!

This scam takes many forms. “Make money on Twitter!” and “Tweet for profit” are two common come-ons security analysts say they’ve seen lately. The claim is that anyone can work from home and make large sums of money (Up to $10,000 a month!!) simply by “tweeting.” Sounds too good to be true, and, of course, it is. The age-old work-from-home email scam has now migrated to Twitter, according to Ryan Barnett, director of application security research at Breach Security, a Web application security firm.

Breach, which recently published its Web Hacking Incidents Database report, has seen an explosion in this scheme in recent months as the economy has forced cash-strapped folks to do whatever they can for some income. Those who fall for it are asked for their credit card number in order to pay a $1.95 shipping fee to get their ‘Twitter Cash Starter Kit.’

“The end user ends up forking out money to do this work and they pay money to some rogue company,” said Barnett. “But once you’ve paid for the CD, they now have your credit card number and they can just keep charging that card each month.”

Many who have been taken by this ruse claim they later find out the Starter Kit had a 7-day free trial, and the company then charged a monthly “fee,” typically around $50, unbeknownst to the victim, who often has to cancel the credit card in order to stop the fraudulent charges.

Ur Cute. Msg me on MSN

The sexual solicitation is a tactic spammers have been trying for many years via email, said Graham Cluley, senior technology consultant with U.K.-based security firm Sophos. Cluley keeps a close eye on the latest lures cast out by spammers and recently has seen an upswing in Twitter “tweets” that feature scantily-clad women and include a message embedded in the image, rather than in the 140-character tweet itself. A typical example includes a message that says “Ur cute. Msg me on MSN,” which is embedded in the picture and is a ploy that ultimately leads the user to an adult site, said Cluley. Embedding the message in the picture is a way for spammers to get past Twitter’s anti-spam filters, he said.

“You can see they (spammers) are going to further and further lengths to drive you to their Web site,” said Cluley.

The ruse gets even more sophisticated if you decide to “chat” with one of these “ladies” on MSN, said Cluley. Instead of a person, it’s a bot pretending to be a human conducting the flirtatious conversation.

“They are trying to reduce their costs and it’s much easier to have computer programs do this for you,” said Cluley.

Cluley said the bot follows a script which offers the end user a “free pass” to their supposed adult webcam site. However, the site being linked to in the pass typically asks for credit card and other user information for age verification. Of course, handing over this kind of information makes you a prime target for identity theft, said Cluley.

Protect your family from swine flu

The bad guys will always take advantage of what is in the headlines, such as the world’s concern over swine flu, to snare unsuspecting users. Claims about celebrity deaths are another popular way to get attention. But these days it is even easier for a user to end up clicking on a bad link because of the prevalent use of the shortened URL.

There are many URL-shortening services that allow users to truncate the length of a link in order to save space in a Twitter tweet or a Facebook status update. But it is impossible to see where the link will take you, which is exactly why criminals are increasingly using them to direct folks to bad sites. According to a recent Symantec MessageLabs Intelligence report, shortened-URL spam is also a popular technique for spammers seeking to sell drugs online.

“Spammers are taking advantage of the heightened interest in health-related issues such as swine flu and Obama’s healthcare reform, to distribute large shortened-URL spam runs using the powerful Donbot botnet,” MessageLabs officials said. In fact, abuse of the shortened URL actually resulted in the closure of several legitimate URL-shortening services, according to the report.

Some of the URL-shortening services have begun to attempt to filter out bad sites by checking URLs against known blacklists, but the issue is far from resolved, Cluley noted, particularly because, despite increased efforts to block malicious links, Twitter and Facebook do not have a filtering mechanism for bad shortened URLs.

“They and the other social networks have a lot of maturing to do,” he said. “You cannot rely on them alone. You will need some defense on your computer.”

Mike Smith commented on your post!

Reading friends’ comments is one of the major features of Facebook. So it is unfortunate that Trend Micro researcher Rik Ferguson recently discovered a phishing scam taking place with several rogue Facebook applications. The malicious applications uncovered by Ferguson have names such as “Your Photos” and “Post” and begin with a notification that someone has “commented on your post.” However, once the user clicks on that notification, they are led to a harvesting site called “” which looks like a Facebook log-in page and asks users to enter their log-in information in order to “enjoy the full functionality” of the application. It then steals that log-in information and spams your friends.

Other applications had names like “Sex, sex and more sex” and “Birthday invitations.” While the apps Ferguson uncovered were removed, several more popped up only days later with names like “Friends” and “Matching.” Ferguson noted users can avoid falling prey by following a simple rule: check the URL displayed in the browser address bar of any site you visit to make sure you are actually on Facebook and not on a malicious site that only looks like Facebook.
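The two checks described in this section and in the shortened-URL section above, as an added example that is not part of the original article or of any vendor it quotes: expanding a shortened link through its redirect chain to see where it really lands, and verifying that the host in the address bar is genuinely Facebook rather than a look-alike. The shortener responses and host names are constructed for the example; a real expander would send HTTP HEAD requests and read each hop’s Location header.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the 301/302 answers a URL shortener and tracker
# would return; a real expander would send HTTP HEAD requests and read the
# Location header of each hop instead of consulting this table.
REDIRECTS = {
    "http://short.example/a1b2": "http://track.example/go?id=7",
    "http://track.example/go?id=7":
        "https://facebook.com.login-verify.example/enjoy-full-functionality",
    "http://short.example/loop": "http://short.example/loop",
    "http://short.example/ok": "https://www.facebook.com/",
}

GENUINE_HOSTS = ("facebook.com",)  # registrable domains accepted for a login page


def expand_url(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect chain, returning every URL visited (final one last).
    Stops on a loop or after max_hops so a hostile chain cannot run forever."""
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in seen:  # redirect loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def is_genuine_host(url, allowed=GENUINE_HOSTS):
    """True only if the URL is HTTPS and its host is an allowed domain or a subdomain.

    urlsplit().hostname discards userinfo ("https://facebook.com@evil.example")
    and any port, and the dot-boundary test rejects look-alikes such as
    "facebook.com.login-verify.example" or "notfacebook.com".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def verdict(short_url):
    """Expand a shortened link; report where it lands and whether that host is genuine."""
    final = expand_url(short_url)[-1]
    return final, is_genuine_host(final)
```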

Amber alert issued!!

This one is not so much a scam as a hoax. Perhaps you’ve seen it: a friend in your network updates their status to read “Amber Alert issued in Anytown, U.S.A. 3-year-old girl taken by a man driving a silver truck with plate# 72B 381. Post this in your status update. You could save a life!”

The details vary; some include names. But many of them are simply untrue and can often be quickly checked on sites such as and even the urban-legend-debunking site. While you may not be at risk of something serious like identity theft with this hoax, many law enforcement officials have come out against the fake Amber Alert joke because it desensitizes users to the severity of a real alert. If enough hoax Amber Alerts make the rounds, people are more likely to ignore a real one.