Defending Yourself Against Rogue Apps & Social Media Malware
Protect your accounts from all the schemes proliferating on the Internet today.
Social media, especially Facebook and Twitter, have pitfalls for the inexperienced, the naive, and those who are too trusting. You can click one link in a message and get locked out of your own account, while a hacker spams all your friends with messages that look like they're coming from you. In the worst-case scenario, you can end up a victim of identity theft.
Let me share a recent episode in my ongoing campaign to expose internet fraud and criminal online behavior.
What a Mess!
A friend of mine, Shel Israel, is the co-author of a pioneering book on business blogging entitled Naked Conversations, with the famous technology evangelist, Robert Scoble. Just a few days ago, Shel's Facebook account was hijacked by a rogue app, which began setting up Facebook groups in his name and spamming his friends to lure them into clicking on the rogue app. He was able to withdraw the rogue app's access to his account, but still had to spend hours manually removing individuals from these spurious groups. Because most of Shel’s Facebook friends thought he had personally invited them to join these groups, their Facebook profiles got hacked too.
This problem inspired Shel to devote his next Forbes article to a description of the nightmare. In the piece, entitled “How Did I Get Hacked and Why Didn't Facebook Help?,” he narrates all the gory details, along with the headaches, frustration and bewilderment he felt. “They [his Facebook friends] received a message from a person they trust, on a topic where he is said to have influence. So more than 50 of the 1500 joined the groups. They were not a collection of newbies who just got off the static site boat. They included members of the press, executives and managers in tech companies, a book publisher, an intellectual property lawyer and several senior technologists. What a mess.”
In his article, Shel mentions that a Facebook employee said the cause of his problem actually began on Google. His Gmail account had been hacked and was requesting that Facebook allow the spambot to change the password to his Facebook account. Shel's not sure what to think, but he advises everyone to activate Google’s two-step verification process. With this technique, hackers would need not only your username and password but also your phone, because Google sends you a code via text or voice message when you sign in.
Researching Suspicious Messages
You've seen it yourself, I'm sure. It happens all the time:
- “OMG I can't believe who's been stalking my profile. Click here to see who's been stalking yours.”
- “Disable Timeline on your Facebook page.”
- “Turn your Facebook profile PINK.”
New scams appear every day. Enticements to click “Like” and “Share” on photos of badly burned children. Direct Twitter messages that tell you to “check out this rumor people are sharing about you,” along with a link that hijacks your Twitter account through a phishing trick, such as a fake login page that asks you to re-enter your password, thereby stealing it from you.
How do you quickly research a rumor, app invitation or suspicious announcement that appears on the Internet?
- Type the keywords into Google, along with "scam" or "hoax," and see what you get. For example, "Facebook child burn victim scam" or "turn Facebook pink scam."
- Copy the first significant sentence of the message and paste it into Google’s search box. For example, "PRIVACY NOTICE: Warning—any person and/or institution and/or Agent and/or Agency of any governmental structure." Copy that entire fragment, paste it into Google, and search. You'll see articles exposing these hoaxes from Snopes, Facecrooks, That's Nonsense, Hoax-Slayer, Gizmodo, USA Today, WebProNews, CBS News, Slate, etc.
Don't think, "I'll post it just in case it really is true," because you actually create more dangers for your Facebook friends by perpetuating the hoax. That false information may contain a link to a malicious website; your friends might get phished for identity theft, or get a virus or Trojan horse that destroys their computer.
New & Evolving Scams
Facebook chat spam has been popping up lately. Do not click on a link in a private Facebook message like this: “______ explained to me that website [URL deleted] is giving away an ipad three to people that are in fb for nothing... almost all they want is your thoughts and opinions about it and you can keep it forever. however you need to hurry up just before they shut it.”
Another attack vector I want to bring to your attention is the “YouTube Property Rights Predator.” A well-regarded local musician, Paul Adams, has been a victim of this scheme, and I myself have been plagued by it a few times. This is where a greedy music company claims that it owns the copyright to sounds or music contained in a video you uploaded to YouTube.
A scary notice will appear beside your video, along with a link to respond to the notice. Today, as I am writing this article, I got the following announcement on a video of a local band doing the public domain song “Silent Night”: “Your video may include the following copyrighted content: ‘Silent Night,’ musical composition administered by: One or more music publishing rights collecting societies: CD Baby.”
Here, CD Baby is outrageously claiming copyright to the song "Silent Night." This may be ridiculous, but I've read of cases in which music companies claim they own property rights to field recordings of bird songs or the sound of motorcycle engines recorded by their owners. These fraudulent claims are propagated by companies with teams of highly-paid attorneys, and they seek to intimidate innocent people and maybe even generate some ill-gotten monetary gain.
I disputed the claim by clicking on the link. I was taken to a page that listed the following options:
“I believe this copyright claim is not valid because:
___ I own the CD/DVD or bought the song online.
___ I'm not selling the video or making any money from it.
___ I gave credit in the video.
___ The video is my original content and I own all of the rights to it.
___ I have a license or written permission from the proper right holder to use this material.
___ My use of the content meets the legal requirements for fair use or fair dealing under applicable copyright laws.
___ The content is in the public domain or is not eligible for copyright protection.
I understand that filing fraudulent disputes may result in termination of my YouTube account.”
I am typically willing to fight for my rights, but in this case, I simply deleted the video, because I have other client videos on YouTube, and if YouTube terminates my account, it would negatively impact the paid work I do for clients.
Another con artist technique involves spoofing email senders. You get an email from someone you actually know, generally a Facebook friend with whom you interact often. The sender name is a known and trusted individual, but the address is something like “brandishly99452XRU@yahoo.com.” You know your pal does not have an email with that weird address. The message is “Hey [your first name] check out this video” with a link to click. Do not click it. Delete the email.
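The check described above (a trusted display name paired with an address your contact does not use) can be automated. This is an added example, not part of the original article; the address book, the contact "Pat Example" and the function names are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed address book (assumption): display name -> addresses on file.
KNOWN_CONTACTS = {"pat example": {"pat@example.com", "pat.example@example.org"}}

def normalize_name(name):
    """Fold case, strip accents and collapse whitespace so names compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())

def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Classify the From header of a raw message as (verdict, address)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(str(msg.get("From", "")))
    address = address.lower()
    if not address:
        return ("unparseable", "")
    on_file = contacts.get(normalize_name(display))
    if on_file is None:
        return ("unknown-sender", address)      # name is not someone we know
    if address in on_file:
        return ("match", address)               # name and address agree
    return ("display-name-mismatch", address)   # trusted name, strange address

# Constructed sample messages; the odd address is the one quoted in the article.
SPOOFED = (
    'From: "Pat Example" <brandishly99452XRU@yahoo.com>\n'
    "Subject: Hey\n\n"
    "Hey Alex check out this video\n"
)
GENUINE = "From: Pat Example <pat@example.com>\nSubject: Lunch?\n\nNoon works.\n"

if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE):
        print(check_sender(raw))
```

A `match` only means the address is the one on file. The From header itself can be forged, so the receiving mail server's SPF, DKIM and DMARC results still matter.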
Tips for Battling Rogue Apps
When I was helping my friend Shel Israel, at one point he asked how I had gotten so savvy regarding these issues. I told him I followed the reports at a variety of watchdog sites: Facecrooks, Sophos Naked Security, Hoax-Slayer, The Bulldog Estate and Snopes. By reading their status updates or visiting their websites regularly, you can quickly get up to speed on the social media malware scene. By diligently staying tuned into these sites, you can become a reliable source of answers and solutions when your friends experience trouble in this realm. Here are some more tips:
- Never click on “Like” or “Share” or respond in any other manner to something that sounds too good to be true, or even seems benevolent and safe, without first doing a few minutes of online research. Google the keywords and see what you get in the search results. You can add the words “scam,” “hoax” or “danger” to refine your search.
- Stay safe by educating yourself and exercising restraint. Resist the urge to be “click-happy” when you see a post or message urging you to respond to something that tugs at your heart strings or appeals to your beliefs.
- Do some online research on the following: social engineering (manipulating people into performing reckless actions or sharing sensitive information), secure passwords, online identity theft, phishing, smishing, malware, cross-site scripting, drive-by browser exploits, trojans, spoofing, rootkits, backdoors, botnets, executable email attachments, and grayware (things that are not technically malicious, but tend to slow your computer, burden the operating system or let spammers invade—like toolbars, joke programs, video chat widgets and remote access tools).
Don't feel stupid if you fall for a rogue app, reverse trolls, pseudo-property rights predators or other online tricks and scams. They continue to proliferate, morphing into new and clever manifestations that fool even experienced tech specialists. It's not easy to keep up with all the new twists and seductive schemes. But if you keep these tips and anecdotes in mind, do a little of your own research, and consult the watchdog sites, you'll increase your chances of remaining unharmed by rogue apps and social media malware. iBi