Menu
Blog

The Year of the Clickbait Facebook Scam

The Year of the Clickbait Facebook Scam

Social media has been around for a little over a decade, more than enough time for scammers and cyber criminals to perfect their craft. Facebook, due to its sheer size, has emerged in recent years as attackers’ main hubs of internet scams; Cisco recently revealed it was the most common way for an attacker to breach a network. Everyone has seen a Facebook scam: a post by a friend that looks too good to be true or sensational. Rule of thumb: don’t click.

For the cyber scammer, Facebook offers a couple of huge benefits. The first is virality: if enough people click a malicious link, perhaps one that hijacks your account and reposts itself, the Facebook scam can self-propagate ad nauseum with zero maintenance. This snowball effect spreads like wildfire, sweeping through the entire Facebook community (some billion and a half monthly users). Talk about bang for your buck.

The second is trust: if a friend’s account is breached and posts a malicious link, there’s very little way to tell if it’s a legitimate post. Does my friend really want me to watch this video? Is this a genuine Facebook privacy update? Unlike email, which people have been conditioned to be skeptical of, social media is an inherently trusted platform.

The key to exploiting both of these advantages is clickbait. Clickbait is any link or headline that plays on an unsuspecting user’s propensity to check out an interesting topic, image or video. Clickbait tactics are used by both legitimate and malicious users (think Upworthy and Buzzfeed). If the post is malicious, there are a variety of possible consequences, including malware downloads, phishing pages and scams.

Unfortunately for Facebook users, cyber criminals have upped their game in the past year. Let's take a look into some of the most viral clickbait Facebook scams of 2015.

January 2015 - The “Hottest Leaked Snapchats”

This Facebook scam was the second most popular one to date following the “Check your Top Profile Visitors” scam that was seen in 2014. The latest scam involving SnapChat sends users to malicious website like TrendingUSA, ViralDips, ViralTruck and Funchoke, which have all been blacklisted due to their spammy nature. Victims are typically prompted to money-making surveys, and later redirected to electronics or high-end diet pills. These ultimately lead to some form of identity fraud.

February 2015 - A “Copyright Violation”

A message from the “Facebook Support Team” warns users of possible copyright violations that they have posted. The message asks users to verify their account by clicking a link to a confirmation page. If the user does not comply within 48 hours, their account will be suspended. After clicking the link, the user is brought to a fake Facebook login form, complete with credentials, email and phone number. They even go as far to send you a confirmation email to verify that you have completed the process. Once the credentials are harvested, your account can be hijacked or the credentials sold to other malicious actors.

March 2015 - Beware of the Facebook Worm

This link was spread across multiple social networks with the promise of pornographic content. The worm hits users by installing a malicious extension to the Google Chrome browser. The worm hijacks the user’s social account and posts the same clickbait link on the walls of the user’s friends and groups in hopes of spreading throughout the network.

April 2015 - “Your Account Will Be Disabled” Phishing Facebook Scam

Users receive a warning message in their inbox from “Facebook Safety” claiming their account will be disabled due to a violation of Facebook’s terms and conditions. After following the instructions in the message, the user is prompted to fill in their Facebook credentials, followed by credit card number and PayPal account login details. After a successfully harvesting this information, the cyber criminal will spread the attack from the compromised account.

April 2015 - “Your Facebook Login is Removed” Malware Email

Potential victims of this email are prompted to establish a secure connection with Facebook by opening an attachment. This attachment is an .exe file with an exploit kit.

April 2015 - “Guy Removes Blackhead” Facebook Post

This is a popular one that has been infecting users with a malicious Facebook app, followed by a prompt to “like” a page. User are subsequently brought to a video player which says that the video needs a new plug-in installation to be played. This plug-in contains a malicious file that, once downloaded, takes over your browser and tries to extract personal information via malicious surveys.

May 2015 - “What Happens to this Pregnant Lady” Video Facebook Scam

After the user clicks the video, they are prompted to share the link with their friends before the video can load. In the last phase of the attack, the victim is  brought to a form, resulting in a series of fake scamming phone calls and emails.

June 2015 - Porn Malware Attack

A virus that belonged to the Kilim malware family was detected after violent and graphic pornographic images took over users newsfeeds and sent direct messages to their contacts. Each time a Facebook user clicked on the link, their entire timeline and inbox was spammed with pornographic content.

June 2015 - Phishing Facebook Scam Message Titled “Here’s the Link HeHe”

By the title of it, I hope that the crowd reading this knows where this is going. Once again, the link is in fact a phishing scam which redirects the user  to a Facebook sign in page. The scam hijacks the account and propagates itself to the user’s friends.

June 2015 - “Forbidden Content” Facebook Scam: According to the scammer, “forbidden content” and “mistrustful activities” have been identified on the user’s Facebook account. In their message, they warn the user that their account is at risk of being banned. This is another attempt to gathering credit card and personal identifiable information. Once an account takeover has occurred the scammers will send messages to your friends after changing your name to “Facebook Admin,” “Content Reviewer” or something similar.

August 2015 - Facebook Phishing Scam, “17 Dead in a Roller Coaster Accident

This sensationalized title spread like wildfire across many of the social networks. The link prompted users to authorize a malicious app before the video could be played.

September 2015 - Drowned Syrian Boy picture is used by Spammers

This scam attempt was a new low, even for cyber criminals. It included an image of a drowned Syrian boy as he hoped to reach Greece following the violence in his homeland. The scammer called on users to like their page, a tactic called “like-farming,” in order to “flip” the account and sell it to seedy marketers for a profit. ” Another similar scam on Facebook is the “1 share = 1 prayer” tactic that relies on the “Facebook will donate for every like” ploy that has been circulating for the past couple of years.

September 2015 - Scammers exploit Facebook Users with Dislike Button

After Mark Zuckerberg’s announcement  that Facebook would be implementing a “Dislike” button, scammers jumped at the opportunity to trick eagerly awaiting users of the new feature.

October 2015 - “Shocking Videos” used as Facebook scam

This scamming attempt is another “shocking” video that claims, “Girl is in critical condition after being forced to do this.” To “view” the video you have to confirm your email, phone number and bio data so they know you are not underage. Although the link leads to a phishing page, it references a real video in which a female robber was stripped of her clothing for stealing from a Nigerian market.

December 2015 - Facebook Phishing Scam Targets Page Admins

Admins hold the keys to the castle when it comes to company’s social media accounts. Alarming messages, such as “You contacted Facebook: Suspected Page Forgery,” target digital marketing managers or social media managers, who likely have admin privileges on their company’s pages. The link in the message sends you to a Terms of Services page, followed by a form for credentials to be filled out by the admin. Once the page is hijacked, the page is converted into an engine for spam links, sent in mass to hard earned followers. Follower counts drop by the thousands in a matter of minutes.

Conclusion

With over 1.4 billion active users, Facebook’s popularity is the main reason behind so many cyber scams being launched on its network. Scams spread fast. Very fast. So what can you do to avoid being tricked?

ZeroFox best practices:

  • Always hover over links before you click them.
  • Be very skeptical of pages claiming you have been logged out or “timed-out.”
  • Do not authorize Facebook apps you do not recognize.
  • Do not install plugins you do not recognize.
  • A Facebook scam can seriously damage your reputation, be cautious.
  • Never disclose personal information on a page that you did not knowingly find or search.
  • Do not trust anyone, even your friends (not advocating for outright paranoia -- feel free to trust them in real life). Their accounts could possibly be compromised. If they insist you click a link or claim to need urgent help, contact them on a different channel to confirm the veracity of the message.
  • Don’t panic if you get a message from a “Facebook admin” or “Facebook support” claiming you will be suspended or banned. It’s a trap!
  • If you are the admin of a company Facebook page, enable two-factor authentication and be extremely skeptical of direct messages.
  • Facebook NEVER asks for your credit card information; do not disclose it.
  • Use a URL lengthener (like longurl.org) to check shortened links.
  • Be wary of homoglyph attacks, in which a character in a URL has been replaced by a similar looking character (amazon.com vs. amaz0n.com).
  • Scrutinize any commentary accompanying the link -- is this how your friend actually writes? Does it look like a canned message?
  • Keep your eyes peeled for clickbait titles: if it looks too incredible to be true, it likely is.

See ZeroFox in action