Social media is a prime platform for scammers of all kinds. A compromised actor in a social network becomes an attack vector to all of those around them. Personalized sites like Facebook are especially tricky to spot scams on, since a lot of the people that you are Friends with are, well, your friends. This built-in credibility can sometimes be used to weaken the defenses that you have for spam messages in your corporate email inbox, for example.

A Shift in Strategy?

Recently, the campaigns of scammers have moved to a more familiar tone: text messages that say something that a good friend would or a direct message from an old friend. These are strategies to simply get you engaged with the attacker, so that they can direct you to divulge some information or do something for them down the line. Usually, a scam is going to try to get you quickly, but sometimes the initial scam is just a set up for a later attack.

What could be more familiar than a message from an old friend? It’s a pretty direct way of getting you to engage with a scammer. It’s a common scam on Facebook and other social media platforms, so it looks a little different than email scams. it sometimes involves that old friend having already been scammed out of their account credentials. Since the account is compromised, an attacker impersonates them to their already established, real friends, giving them more than enough credibility to engage you in a conversation. If it’s an old friend from long ago, you might not be familiar with how they write or what their profile should look like, so you might not be able to tell the difference.

Three Ways to Spot a Social Media Attack

Sometimes, though, scammers don’t even bother with an initial attack and just start a new account to impersonate someone. Recently, one of the Crown Computers team members had a Friend add him on Facebook. He knew that it was fishy from the start because it was someone who he already was Friends with, but a new profile with pictures of the same person. Phishing emails often use lookalike domains (misspelled or with foreign characters), but on social media, someone can simply start a profile with the same name as a friend of yours.

If you think that you’re already Friends with someone, it’s a good idea to do a quick search of your Friends before adding them again.

1. The best way to avoid these social media-based attacks is to be diligent about verifying friends that you message with and exercise caution with everyone.

1
2
3 1

The conversation with the initial profile gets off to a pretty quick start after some small talk. Notice that the attacker goes straight to talking about some program with a vaguely bureaucratic name. It seems like it’s a Covid relief program. A quick Google search for this program will (if properly searched for an exact result, with quotation marks) produce no meaningful results, but is likely engineered to bring back many results from official government websites. The attacker may have purposefully strung together the right words to bring back state government web pages when searched.

2. When discussing specific programs, benefits, or sensitive information with an acquaintance, do a search to make sure that it’s real.

4 1
5

The attacker then mentions a specific person to talk to about the program. This kind of redirection should be a clear sign that something strange is going on. Instead of a link to an official (governmental) page, or even a news story about the program, this attacker suggests messaging a specific person on his personal page. It looks official, but that’s because the image is stolen; I did a search on Google Lens and found out that this photo is actually of someone who works for the American Embassy in Nigeria, and not named “Eric Smith.”

3. Make sure that any links to “free money” or similar opportunities are through official governmental channels and websites.

It would, of course, be best to simply not click any links in direct messages at all, just like in emails. With the use of link shorteners and redirects, an attacker can send you to a legitimate looking site that will encourage you to compromise your personal information or credentials.

We’re not sure of what kind of information “Eric Smith” would have been after, but it could be anything from social media account credentials to credit card information. Following these three tips can help make sure that you never find out either.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team