For National Cyber Security Awareness Month (NCSAM) last year,
The State of Security published an
article offering advice on how users can securely navigate the world of social networking. Among other things, our experts cited users sharing too much information and posting revealing photos as dangerous behaviors that could potentially invite attackers to profile their accounts.
These malicious actors could then launch attacks in an attempt to phish for users' credentials and compromise their pages. To address this type of exploit, we recommended that users limit the amount of information they post on social media.
Not all attacks on social networking sites are that personal, however. On the contrary, spammers and scammers oftentimes exploit the common wants of social networking users, such as the desire to make more connections or to visit their friends' pages, as means to seize control of their accounts, their money and/or their identities.
Anyone can, therefore, fall victim to a social media scam if they are not careful. To prevent this from happening, it is important to understand what the most common types of social media scams consist of and what platforms they tend to target. We begin with a guide on five common Twitter scams.
Scam #1: Money-Based Schemes
Source: Andrew R H Girwood
The first common Twitter scam entices users with opportunities to make money from home by tweeting about other people's products. Those who fall for the scam pay a small sign-up fee to get a "Twitter Cash Starter Kit,"
writes Joan Goodchild of
CSO Online.
"The end user ends up forking out money to do this work and they pay money to some rogue company," explains Ryan Barnett, principal security researcher on Akamai's threat research team. "But once you've paid for the CD, they now have your credit card number, and they can just keep charging that card each month."
That is exactly what they do. Many victims report that after having purchased the starter kit, they were charged a hidden membership fee of $50 USD or more every month thereafter. In most cases, the victims had no choice but to cancel their credit cards.
Scam #2: Bot Spam
Source: Janne's Security Blog
Attackers do not always need to involve themselves directly in a scam. Oftentimes they can use a bot to mimic a human being and interact with potential targets.
Security expert and blogger
Graham Cluley provides us with an example that has been modified from a common email scam dating back to at least 2009. In this particular spam campaign, users are tweeted a picture of a scantily clad woman. The image contains an embedded message that reads, "Ur Cute. Msg me on [Insert IM platform here]."
"You can see they (spammers) are going to further and further lengths to drive you to their Web site," said Cluley.
If a Twitter user decides to chat with the "woman", the bot follows a script and offers the user a "free pass" to an adult webcam site. Upon visiting the site, users are prompted to enter in their contact information and credit card details. Handing over their data could ultimately leave users vulnerable to identity theft and credit card fraud.
Not all bots send image-based spam, nor do all of these campaigns lead to adult websites. Bot spam is much more diverse than that. Indeed, with an estimated 23 million bots
identified by Twitter in 2014, the possibilities for bot spam are nearly endless.
Scam #3: Pay-for-Follower Ploys
Source: WordStream
Some bots are in the pay-for-follower business, which accounts for another Twitter scam entirely.
We have all seen profiles that are dedicated to delivering thousands of Twitter followers for a fee. Some services claim that they can do this by identifying other Twitter accounts that automatically follow back,
reports Scambusters. Others state they provide followers based upon interests that are shared by the purchaser.
Regardless of whether they have those capabilities, however, most pay-for-follower providers are identical to people who sell email addresses to advertisers.
If you engage with one of these services, you could be accused of helping to distribute spam on the networking platform, which could result in Twitter banning you from its site altogether.
Scam #4: Illegitimate DMs
Source: ZDNet
Scammers like to target every facet of a user's Twitter profile, including their inbox. In one variant
explained by Michael Krigsman of
ZDNet, scammers use a hijacked account to send out direct messages that appear to be legitimate. These messages in essence send users to fake login pages that phish for Twitter users' credentials.
Once a scammer has compromised a user's Twitter account, they can use that profile for any number of purposes, as explained
here.
But phishing pages are not the only illegitimate DMs sent by Twitter scammers. This past fall, researchers observed 419 scams targeting users via their inboxes. (Apparently, Nigerian princes have Twitter accounts, too!)
Jerome Segura, a senior security researcher at Malwarebytes, does not recall of ever hearing about 419 scams on Twitter. However, he does have a solution for the social networking site.
“I think Twitter could tackle some of the spam issues, whether it is via DMs or fake accounts, by looking into the account creation process and how to detect fraudulent sign ups,” he told Motherboard in an interview. “Contrary to other social networking sites, it is trivial to create a Twitter account in a few seconds with a throwaway email address and start spamming right away.”
Scam #5: Worms
Source: PCWorld
While comparatively less common than the other types of scams explained above, worms still pose a serious threat to Twitter users.
In one of the most familiar cases, the
Mikeyy worm used JavaScript to instantly infect users' accounts when they visited the profiles of infected friends, colleagues, or other people in their networks. At that point in time, anyone who visited that user's profile would become infected.
The user also would have begun tweeting out messages containing a shortened link that, if clicked, would have redirected users to a site where they would become infected.
The Mikeyy worm was a serious problem back in 2009. Since then, Twitter worms have been few and far between, though an XSS-based attack worm did
succeed in infecting tens of thousands of users back in 2014.
Conclusion
A familiarity of the most common types of scams can hopefully make for a more secure experience for Twitter users. But as we all know, Twitter is not the only social networking platform. Stay tuned for our next article, in which we cover some of the most common scams observed on Facebook.
Title image courtesy of ShutterStock