Be Extra Vigilant Of Social Media Spam
Friday, 16th December 2011
Unwanted communication is really annoying. Whether it is a genuine business trying to get you to buy double-glazing, or a complete con-artist pretending to be a "representative of Windows" trying to scam you, or an email "from your bank" - it is all annoying.
But is this all just unwanted noise, or can it be more sinister? Here is a non-technical guide to the dangers that you may not know exist behind the annoyance.
The John Culshaw Attack
This is commonly known as "phishing", and is where someone pretends to be your bank, or some other website that you might use. The end-game is to try and convince you to follow a link to the fake website, where you will be tricked into logging in. Because you are logging into the fake website, you are accidentally handing over your user-name and password for the real website, which the imposter will then use to gain access to your account.
Here are some of the reasons people want to trick you...
- Your bank
They will pretend to be your bank, because they want your money. This is a very direct attack.
- Ebay
If they can log-in to your Ebay account, they can list stuff on your account and hopefully get hold of someone else's money. This is typically done with big-ticket items that people pay for by cash.
- Facebook / Twitter / Social Networks
If an imposter can log-in to your social network, they can post links that trick your friends and family into falling into the same trap that you have. They may also be able to gain access to private information that might help them to perform other scams - like your date-of-birth, middle name, mother's maiden name and so on.
- Gmail / Hotmail / Email
Once someone manages to sign-in to your email account, they can reset your password on any website you might have signed up to. The reset email is sent to your email address and they are logged-in waiting for it to arrive. They can then access these accounts and perform all of the nastiness listed above.
You can normally spot the imposters by looking out for these signs:
- Dear sir / madam / other
If the real website knows your real name, they would address you personally. The imposters are less likely to know your real name, so expect some other form of address, such as "dear esteemed gentleman".
- Check the links
When you hover over a link in the email, you should see a description of where it is pointing. If you get an email from your bank, but the links point at yourbank.strange.com, it could be a scam. Expect plenty of creativity in this area, so if you bank at www.lloyds.com, watch out for subtle differences, like www.loyds.com, www.lloyds.ly and lloyds.banksite.com.
- Your account has been suspended
Because the fraudsters really want you to click on their links, they will normally be adamant that you must do it. Tag-lines such as "your account has been suspended" are intended to panic you into clicking on the links.
You can avoid this kind of scam really easily. If you get an email from someone about your account, don't follow any of the links - just log-in as you normally would - for example using a bookmark or favourite in your browser, or by carefully typing in the web address manually.
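As an added illustration (not from the original post), here is a small Python check that does the "check the links" inspection above automatically: it pulls the real host out of each link and asks whether it belongs to the domain you actually bank with, using the post's illustrative lloyds.com and the look-alikes it lists. The trusted-domain set and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Domains the reader genuinely banks with. lloyds.com is the post's own
# illustrative example; a real list would hold your bank's real domain.
TRUSTED_DOMAINS = {"lloyds.com"}

def link_host(href: str) -> str:
    """Return the lower-cased host a link really points at ('' if none)."""
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    # .hostname drops any "user@" prefix and ":port", so a link written as
    # https://www.lloyds.com@strange.com/ is correctly seen as strange.com.
    return (parts.hostname or "").lower().rstrip(".")

def is_trusted_link(href: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    Comparing whole labels (host == d, or host ends with "." + d) is what
    rejects www.loyds.com, www.lloyds.ly and lloyds.banksite.com: none of
    them is lloyds.com or anything.lloyds.com.
    """
    host = link_host(href)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)

def suspicious_links(hrefs):
    """Filter a list of links down to the ones that do not go to your bank."""
    return [h for h in hrefs if not is_trusted_link(h)]

# Constructed sample links, using the look-alikes the post lists.
SAMPLE_LINKS = [
    "https://www.lloyds.com/login",
    "https://yourbank.strange.com/login",
    "https://www.loyds.com/login",
    "https://www.lloyds.ly/login",
    "https://lloyds.banksite.com/login",
    "https://www.lloyds.com@strange.com/login",
]

if __name__ == "__main__":
    for h in suspicious_links(SAMPLE_LINKS):
        print("suspicious:", h, "-> really goes to", link_host(h))
```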
The Derren Brown Attack
This attack, which is technically called "cross-site request forgery" is as clever as Derren Brown. What makes Derren Brown so convincing is that he sets up the situation that makes the unwitting subject do exactly what he wants, without having to get his hands dirty.
The way this attack works is that the fraudster tricks you into following a link that goes to a genuine website, which you are hopefully already logged-in to. As far as the real website is concerned, you are trying to perform the requested action, but you didn't realise you were going to do it.
For example, you are logged into Facebook and you get a spam message containing a link. You mistakenly follow the link and suddenly there is a message posted to your wall that you didn't write.
So how did this work? Because you are logged into the website, you are able to post a message if you like. The link supplied in the spam email asks the site to post the message. If you click that link, you are essentially giving permission for the message to appear, cue Derren Brown to "de-program you".
The only way to avoid this kind of scam is to avoid links from people you don't know and to be suspicious of links from people that you do know but that sound out of character. If you have a friend who is always sharing "forward this to 10 friends" style messages, beware of anything you get from them as these are the perfect home for scams.
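To make the Facebook wall example concrete, here is an added Python model (not code from the original post) of a "post to wall" endpoint in two versions. The vulnerable one trusts the session cookie alone, so the GET request a spam link produces is accepted as the victim's own post; the hardened one also demands a POST carrying a per-session token that the spam link cannot include. The server, session and request classes are constructed stand-ins.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    user: str
    # Per-session secret that the real site embeds in its own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str      # "GET" or "POST"
    path: str
    params: dict     # query string or form fields
    cookies: dict    # the browser attaches these to every request, link or not

class WallServer:
    """Constructed stand-in for a social site's 'post to wall' endpoint."""
    def __init__(self):
        self.sessions = {}   # session id -> Session
        self.wall = []       # (user, message) pairs that got posted

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def handle_vulnerable(self, req):
        # Only the cookie is checked, so any link the victim follows "is" the victim.
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.path != "/post":
            return 403
        self.wall.append((sess.user, req.params.get("msg", "")))
        return 200

    def handle_hardened(self, req):
        # Demand a POST that carries the session's token; a spam link can do neither.
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None or req.path != "/post" or req.method != "POST":
            return 403
        if not secrets.compare_digest(req.params.get("csrf", ""), sess.csrf_token):
            return 403
        self.wall.append((sess.user, req.params.get("msg", "")))
        return 200

def forged_link_request(sid):
    # What the browser sends when a logged-in victim clicks the spam link:
    # a plain GET with the victim's own cookie and no token.
    return Request("GET", "/post", {"msg": "Check this out!"}, {"sid": sid})
```

Running `handle_vulnerable` on `forged_link_request(sid)` posts to the wall with status 200, while `handle_hardened` refuses it with 403 and still accepts the site's own form submission when the token is present.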
The Phonejacker Attack
This is a hilarious attack and, quite frankly, if you fall for it don't come crying to me about it. Someone phones you up after having had just enough English lessons to say "I'm calling from Windows and I need to perform some checks against your computer", and you follow their instructions and ruin your life. Let's have a think about it, people... Windows isn't a company. It's a product sold by Microsoft. It's like someone calling you from a company called "iPhone". And think about it - why would they try and phone all of their millions of users to perform this manual check? When I called them out on this, they told me my computer would stop working in thirty minutes if I didn't do what they said.
I mention this attack only to remind everyone that it isn't just The Web that suffers from attacks. You get them all the time on the phone, by post, every time someone tries to sell you an extended warranty that costs as much as the product you are buying and whenever a supermarket tells you that they are saving you money.
Be wise to anything that sounds too good to be true, don't blindly follow instructions that sound suspect and be careful where you click.
Especially don't click on any of the following:
- YOU HAVE A VIRUS, CLICK HERE TO FIX IT - come on, you're going to download a bit of software you know nothing about... you're going to have a virus soon!
- Click here to check out Steve Fenton naked - if it sounds too good to be true, it probably is. The promise of skin is a great way to make sensible people take a stupid risk. Free stuff and naked stuff is almost always a scam.
- YOU GOTTA CHECK THIS OUT - if you like a bit of gossip, this one is aimed straight at you!