When Kamesh D (name changed) received a phone call from a friend asking him if he was in trouble, he was mildly surprised. The surprise turned to alarm as he learnt that his friend had received a message on Facebook saying that he had been robbed of his mobile and money while holidaying in Paris and was updating Facebook courtesy of a stranger, and asking for money to be sent to a strange account.
Kamesh was lucky. He was able to log on to Facebook, change his password and update his status, asking his friends to ignore any requests for money. Kamesh had become, for a brief period of time, a victim of the 419 scam – updated for the Facebook age.
In 1995, there were 16 million users of the internet. It took another 10 years for the number of users to hit 900 million. Facebook had a million users in 2004, its year of incorporation. In 2006, it had 16 million users. As of April this year, the social networking site had hit 901 million users around the world, doing in six years what had taken the entire Internet a decade.
Where there are crowds, there are criminals. And it’s not surprising that Facebook attracts a whole new breed of scamsters. Their objectives remain the same — it’s either money, personal information or redirection to shady schemes or page hits.
In 2009, a woman named Leanne Saylor took a Facebook quiz. You know the type: “Which Star Wars character are you most like?” or “Which celebrity are you?” There are thousands of these on Facebook. Saylor took an online IQ test. On completion, she was asked to enter her mobile phone number to receive the results on her phone. She got the results – and she also got subscribed to three mobile text messaging services that ended up with an additional $44 (Rs. 2,434) on her mobile bill.
Anyone active on Facebook is bound to have seen posts like this: “COOL!! i cant believe its real and official we can now see who’s viewing our profile, Check Who’s Viewing Your Profile here” or an image list of a user’s friends with the caption “Your profile visitors in the last 12 hours”. The links that accompany these posts invariably lead to one scam or another.
The problem lies with the nature of Facebook applications. When you launch a Facebook application, you first get past a permissions page. For example, the popular “MyCalendar” app requires access to “Your basic info”, which includes your name, your profile picture, your gender, your networks, your user id, your friend list and any other information you made public.
Angry Birds Friends, one of the most popular Facebook games, requires all the above information and your email id. It will also make posts on your behalf on your timeline. When a user signs up for an app, all this valuable information is made available to the app developer – and the use of this information is entirely dependent on the app developer’s benevolence.
David Hall, regional consumer product marketing manager for Symantec Asia Pacific, says that the most common ways scamsters benefit from Facebook attacks are through redirection to scammy product pages, premium subscription services and, more dangerously, the so-called “Drive By Downloads”.
A Drive By Download happens when a user either downloads a piece of software – a browser plug-in, an ActiveX control or any other piece of executable software without fully understanding what it does – or a piece of software downloads itself on to the user’s computer without the user’s knowledge or consent.
Ultimately, not being taken in depends on being careful. If one of your friends has uncharacteristically watched a video titled “OMG, Look at what this girl wore to the beach”, ignore it. If you see a post about a tool that allows you to remove the Facebook timeline, ignore it. Facebook also doesn’t allow anyone to track who’s seen your profile. And use Facebook’s security options.
Facebook’s security page allows you to enforce secure browsing. You can also choose to be notified by email or text when someone accesses your account from a strange device or machine.
You can also use the security page to set up app passwords, meaning you have different passwords for apps and your Facebook account. Finally, you can review the active Sessions settings to see the locations and operating systems from which your account has been accessed.