Avoiding Social Spam Hackers on Facebook and Twitter


The post appears like it’s coming from a known friend. It’s enticing (“check out what our old high school friend does for a living now!”), feeds on your curiosity and good nature, begs you to click. A quick peek at the video, a chance to win a FREE iPad or to download a coupon, and presto, you’ve just infected your computer with malware (all the bad stuff that sends your private information to criminals and marketers). Sound like the spam email of days gone by? You’re right – spam has officially moved into the world of social media, and it’s like winning the lottery for cyber thugs.

What is Social Spam?

Nothing more than junk posts on your social media sites luring you to click on links that download malicious software onto your computer or mobile device.

Social media (especially Facebook and Twitter) are under assault by social spam. Even Facebook cautions that the volume of social spam is growing more rapidly than its user base. The spam-fighting teams at both Facebook and Twitter are growing rapidly: what was once a handful of specialist engineers now includes lawyers, user-operations managers, risk analysts, spam-science programmers and account-abuse specialists. Spammers are following the growing market share, exploiting our web of social relationships. Most of us are ill-prepared to defend against such spam attacks. Here’s how social spam tends to work:

  1. Malware infects your friend’s computer, smartphone or tablet, allowing the spammer to access their Facebook or Twitter account exactly as if the spammer were your friend.
  2. The spammer posts a message on your friend’s Facebook or Twitter page offering a free iPad, amazing coupons or a video you can’t ignore.
  3. You click on the link, photo, Like button (see Like-jacking below) or video and are taken to a website that requires you to click a second time to receive the coupon, video, etc. It’s this second click that kills you, as this is when you authorize the rogue site to download malware onto your computer (not a coupon or video).
  4. The malware infects your computer just like it has your friend’s and starts the process all over again using your contacts, your wall and your profile to continue the fraud.
  5. Eventually, the spammer has collected a massive database of information including email addresses, login information and valuable social relationship data that they can exploit in many ways. In the process, the malware may have given them access to other data on your computer like bank logins, personal information or sensitive files. In a highly disturbing growth of criminal activity, social malware can actually impersonate users, initiating one-on-one Facebook chat sessions without your consent.

“Like-jacking” involves convincing Facebook users to click on an image or a link that looks as if a friend has clicked the “Like” button, thereby recommending that you follow suit. If our friends Like it, why shouldn’t we? So we click and download in an almost automated response. The key is to interrupt this automatic reflex before we get stung.

Fighting social spam requires immense investments of time, which can mean lost productivity (and money). Thankfully, the site-integrity teams at the various companies watch trends in user activity to spot spam. Every day, Facebook says it blocks 200 million malicious actions, such as messages linking to malware. The company can’t prevent spam entirely, but it’s diligently working to make it harder to create and use fake profiles.

But never count on someone else to protect what is yours. You must Own Up to your responsibility. Follow these 5 Steps to Minimize the Risks of Social Spam:

  1. If the offer in the post is too enticing, too good to be true or too bad to be real, Don’t Click.
  2. If you do click and aren’t taken directly to what you expected, make sure you Don’t Click a 2nd Time. This gives the spammer the ability to download malware to your system.
  3. Don’t let hackers gain access to your account in the first place – use strong passwords that mix upper-case letters, lower-case letters and numbers, that are different for every site, and that you change frequently.
  4. Remember, in a world where your friend’s accounts are pretty easily taken over, not all friends are who they say they are. Be judicious. If something they post is out of character, it might not be them writing the post. Call them and verify.
  5. Don’t befriend strangers. Your ego wins, but you lose.
  6. Make sure you have updated computer security: operating system patches, robust passwords, file encryption, security software, firewall and protected Wi-Fi connection.

John Sileo is an award-winning author and international speaker on the dark art of deception (identity theft, data privacy, social media manipulation) and its polar opposite, the powerful use of trust, to achieve success. He is CEO of The Sileo Group, which advises teams on how to multiply performance by building a culture of deep trust. His clients include the Department of Defense, Pfizer, the FDIC, and Homeland Security. Sample his Keynote Presentation (he shares how he lost $300,000, 2 years and his business to data breach) or watch him on Anderson Cooper, 60 Minutes or Fox Business. 1.800.258.8076.

Stock Plummets as Epsilon Breach Rears Ugly Head

When will corporations learn? I received 6 data breach emails yesterday because of Epsilon’s lack of security.

Have you been inundated with more spam and phishing emails recently? If so, it may be due to one of the largest email and data breaches in Internet history. Epsilon is one of the world’s largest providers of marketing-email services and they handle more than 40 billion emails annually and more than 2,200 global brands.

Epsilon issued the following statement: “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only.”

The following companies have already sent out warnings (like those below) to their customers: Best Buy, Capital One, JPMorgan, Citibank, Kroger, Barclays Bank of Delaware, Visa, American Express, US Bank, TiVo Inc. and Walgreen Co, Robert Half, Kraft, Home Shopping Network, QFC, Marriott Rewards, Ritz-Carlton Rewards, Ameriprise Financial, LL Bean Visa Card, Brookstone, Dillons, the College Board, McKinsey & Company, New York & Company, Disney Vacations, Staples, TIAA-CREF, Verizon, Borders, Smith Brands, Abe Books, Lacoste.

While the statement above says that only names and emails were compromised, experts are saying that both Marriott Rewards and Ritz-Carlton Rewards had member rewards points disclosed, along with names and e-mail addresses. This could give scammers more leverage when they attempt a targeted campaign. The Epsilon data breach not only exposed names, information and e-mails of its clients’ customers, but sent its stock down nearly 7 percent before the news was even hours old.

The stolen information will allow scammers to send authentic-looking email messages that appear to come from a bank or other business with whom the user has an existing relationship. The emails will try to trick people into parting with information such as their usernames and passwords for bank accounts or other online accounts, or they could try to trick people into downloading malware onto their systems. People who don’t fall for such scams should be fine. (ComputerWorld)

So how do you know if you have been affected by this massive breach? Watch out for emails (like the ones I received for being a customer of the institutions below) alerting you to the breach. But observe the following precautions:

  • Be on the lookout for sophisticated phishing emails that seem to be sent from your bank or other financial institution. Now that the bad guys have your name AND email address, they can make them very authentic and already know that you bank with that particular institution.
  • Keep software protection updated.
  • Don’t click on any links within the breach emails you receive, as scammers will undoubtedly send phishing versions in the name of data security to extract even more data out of you. Always retype the known website address into the address bar yourself. You can also move the mouse over the link to see whether the domain name it actually points to matches the company.
  • Make sure that all websites you visit start with https (which signals that it is a secure connection – not a perfect indicator, but better than nothing).
  • Don’t give out any sensitive information via email, and be wary about giving it out over the phone.
  • If you are ever unsure call the number listed on the company website.
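The two link checks in the list above (does the domain the link really points to match the company, and is the connection https?) can be automated over an email body before anyone clicks. The following is an added example, not code from the original post: it parses the anchors in an HTML email, compares each link's visible text with the host in its href, and flags links that are not https or that do not point to the expected company domain. The sample email and the domain examplebank.com are constructed for this example.

```python
"""Flag suspicious links in an HTML email body (added example, not from the post)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style sample: the first link shows the bank's URL as its
# visible text but actually points somewhere else over plain http.
SAMPLE_EMAIL = """
<p>Dear customer, due to a recent security incident please
<a href="http://examplebank.com.login-verify.example.net/secure">https://www.examplebank.com/secure</a>
to confirm your account. Or visit
<a href="https://www.examplebank.com/alerts">our alerts page</a>.</p>
"""

_DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host named in a URL or bare domain that appears as link text, else None."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    return host if host and _DOMAIN_RE.fullmatch(host) else None


def check_links(html, expected_domain):
    """Return (href, reason) pairs for every link that fails one of the checks."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        real_host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((href, "not https"))
        if registered_domain(real_host) != expected_domain:
            findings.append((href, "host %s is not %s" % (real_host, expected_domain)))
        shown = host_of(text)
        if shown and registered_domain(shown) != registered_domain(real_host):
            findings.append((href, "link text says %s but points to %s" % (shown, real_host)))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL, "examplebank.com"):
        print("SUSPICIOUS: %s (%s)" % (href, reason))
```

Running the block against the constructed sample reports only the first link, three times over (plain http, wrong host, and visible text that disagrees with the real destination); the second link passes. The registered-domain comparison is deliberately simple, so a real deployment would swap in a public-suffix list.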

These companies will start to lose customers because of the Epsilon breach, and Epsilon will begin to lose stock value and reputation within the industry. Can you imagine a corporation trusting them with their private data again?

John Sileo speaks and consults to clients about information leadership, including identity theft, social media exposure and reputation management. His clients include the Department of Defense, Pfizer, Blue Cross and Homeland Security. Learn more about bringing John to your organization at