Social networks focus on building relationships and connections among people who share interests, information and activities. Attackers on phishing expeditions exploit these relationships through social engineering tricks. One ruse that Symantec has observed recently attempts to exploit the "groups" function of a social networking site. (For other recent attack trends on social networking sites, please see "Users of Social Networking Websites Face Malware and Phishing Attacks.")
The problem with gaming the groups function is that some groups pressure users into inviting their friends. Receiving these unwanted invites is unpleasant for both the group's members and their friends. Some groups exhort the user with remarks such as, "Don't forget to invite your friends - without inviting it won't work." Such pressure tactics may push inexperienced users into sending invitations to all of their friends, regardless of whether any of those friends would be interested in the group, as is shown in the example below.
For some groups, such forced invites are often associated with the promotion of fake offers. For example, in the following image, if users click on the link provided, they are redirected to a page that, in order to "ensure that the people on this site are real," prompts them to take an IQ survey. If users agree to take the survey, they are redirected to a page with the IQ test, which in turn will request that users provide a range of personal details.
In another case, in order to claim the incentive offered, along with inviting their friends, users must also click through to a sponsored site, as is shown in the image below:
Moreover, note the confusing range of instructions shown in the screenshot. For example, users can "GET A VILLA WORTH 1 000 000$ FOR EACH 20 INVITES" in four separate instances in the top third of the page, yet in Instruction #2 they must "select at least 90.0% of (their) friends" or else they will receive nothing because "it will not be recognized by the system" (whatever that means). Also note that, in order to claim the prize, users just need to "follow the four easy steps below," yet only two steps are shown...twice. It is also apparently remarkable that the office is in New York City, as indicated by the exclamation mark.
Inexperienced users may be unaware of whether specific groups are reputable and safe to join. A valid website and contact information are indicators that users should look for to verify the legitimacy of a group. In the case above, the website leads to a spam site (as noted in the image above). In the image shown below, the contact information provided is gibberish:
As with any activities on the Internet, users should follow best practices when joining groups on social networking sites. Here are some basic tips for avoiding spam messages and online scams:
- Avoid submitting any personal information whenever possible.
- Most social networking websites now allow applications, groups, etc. to be blocked and/or reported. Use these options to block further requests from an unwanted application or group.
- Make sure you read, understand and set your account and privacy settings. In some instances, by joining certain applications or groups, you automatically allow them to use your personal information unless you set your privacy settings otherwise.
- It is recommended that you protect your computer with a valid and up-to-date security program that can help protect you against malicious activity and warn you about potential online scams.
Note: Thanks to Anand Muralidharan for his content contribution.