Nobody needs ‘friends’ like these

Facebook users’ contacts make good phishing for scammers

By Erin Ailworth
Globe Staff / May 29, 2011


Sometimes it pays to be wary of your friends, especially if they are posting Facebook messages about must-see videos, free iPads, and Osama bin Laden death photos.

As more people turn to Facebook and Twitter for much of their online communicating, Internet scammers and spammers are trying to cash in by hijacking the names and images of users’ “friends’’ and “followers.’’ They use the stolen identities to place fake come-ons and shady pitches alongside all the funny pictures and snide remarks posted by people legitimately granted access to online accounts.

The goal is to trick users into buying products, volunteering credit card numbers and other personal information, or unknowingly installing malicious software that can damage computers. Too often, the tactics work, according to computer security specialists, in part because of our faith in people we know.

“When someone posts a link, they say, ‘Oh, that’s from my friend, I trust that link,’ ’’ said Maxim Weinstein, executive director of StopBadware Inc., a Cambridge nonprofit that helps Internet users guard against computer viruses and spyware.

Security specialists say calculating the annual cost of social website e-crime is difficult, but they peg it at millions of dollars. Last year, two-thirds of social network users reported spamming, compared with 57 percent in 2009, according to a survey conducted by network security firm Sophos Inc., which has its North American headquarters in Burlington.

About 43 percent reported more phishing scams (attempts to get people to disclose personal data), up from 30 percent the year before, the company reported.

The increasing flow of spam can also make social networkers feel distinctly unsocial. When Jennifer Cardoza’s Facebook profile got hacked last month, more than a dozen of her friends received an instant message — purportedly from Cardoza — that read, “Hey, what’s up?’’ and led to an online IQ test.

“It was awkward,’’ said Cardoza, 33, who isn’t sure how she was targeted. “I might have clicked on a link of some sort, who knows?’’

Most of those who received the phony message figured it must be a scam and posted warnings on Cardoza’s Facebook wall, urging the Somerville resident to change her account password.

Typically, IQ test spam messages ask users to provide a cellphone number to review test results. Those who offer the information can find themselves on the hook for expensive phone services.

Weinstein said the brevity of online messages works in the favor of criminals seeking to lure victims. Facebook status updates and wall postings are limited to 420 characters and Twitter caps its tweets at just 140.

“There’s not much expectation that there’s going to be much more context than, ‘Hey, check this out!’ ’’ he said.

And unlike an e-mail that purports to be from a distressed prince trying to transfer millions of dollars from a faraway country, traps on Facebook and other social media sites often appear benign.

For instance, “like’’ buttons can be “clickjacked,’’ security specialists say, so that when a user clicks on them an invisible script is activated instead. Sometimes users are directed to websites peddling malware disguised as antivirus software. Once the stealth software is inadvertently downloaded, it can damage a computer, network, or program, sometimes by unleashing a virus.
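Clickjacking of a “like’’ button depends on the attacker being able to load the target page inside an invisible frame on a page they control. As an added illustration (not code from the article or from Facebook), here is a small check a site operator could run over a response’s HTTP headers to decide whether that page can be framed by another origin; the header values are constructed samples.

```javascript
// Added example: decide whether a page's response headers stop other origins
// from framing it. A page that cannot be framed cross-origin cannot have its
// buttons overlaid by a clickjacking page. Header values are constructed.
function framingProtection(headers) {
  // Normalise header names to lower case for lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A CSP frame-ancestors directive takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim())
                .find(d => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1)
                      .map(s => s.replace(/^'|'$/g, '').toLowerCase());
    // '*' or a bare scheme such as https: lets any site frame the page.
    if (sources.includes('*') || sources.some(s => s === 'https:' || s === 'http:')) {
      return { protected: false, reason: 'frame-ancestors allows any origin' };
    }
    // 'none', 'self' or an explicit host list restricts framing.
    return { protected: true, reason: `frame-ancestors ${sources.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete directive: current browsers ignore it, so the page stays framable.
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored by current browsers' };
  }
  return { protected: false, reason: 'no anti-framing header' };
}

// Constructed sample responses for a quick demonstration.
const samples = {
  denied:   { 'X-Frame-Options': 'DENY' },
  cspNone:  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspAny:   { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
  bare:     {},
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, framingProtection(hdrs));
}
```

Note that when both headers are present the CSP directive wins, so a permissive `frame-ancestors *` undoes an `X-Frame-Options: DENY` on the same response.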

Not so long ago, it was relatively easy to avoid Internet scams if you refrained from doing “dodgy things on the Net,’’ said Chester Wisniewski, a senior adviser with Sophos. Today’s security challenges are more formidable, he said, because “so many legitimate things are infected.’’

Sheer numbers also make Facebook and Twitter especially attractive to thieves. Facebook has more than 500 million active users, and Twitter boasts about 200 million registered accounts.

“As long as they’re the easiest places to get a message out,’’ Wisniewski said, “we’re not going to see these things go away.’’

Facebook officials say they are watchful for criminals who appropriate the identities of “friends.’’ To keep them at bay, the company provides users with several security options to protect their accounts, including one-time passwords that can be sent by text message if someone is worried about using an unsecured network while traveling, and automated messages whenever a new or unknown device is used to log into an account.

Facebook recently added a “report as spam’’ option that users can click to flag dubious wall posts. They can also simply delete unwanted posts from their pages.

“We’ve been shutting down scammy pages that are the source of this spam as soon as we detect them or they’re reported to us,’’ said Frederic Wolens, a Facebook spokesman.

Lexington resident Gretchen Mather said she has noticed an increase in the number of spam messages plastered on her Facebook wall lately.

“One was pretty crude,’’ Mather, 33, said of a post that reappeared in her newsfeed several times recently, even after she deleted it — an indication that several friends’ accounts had been compromised. The online litter could “become a problem and possibly prevent me from using Facebook,’’ she said, but “right now I just keep quiet and delete them. And of course, I make sure not to click on them.’’

Michael Kaiser, executive director of the National Cyber Security Alliance, a nonprofit that promotes Internet safety and security, said computer users should train themselves to resist the urge to immediately click on message links, even when they appear to be legitimate. Lack of restraint is something e-crooks count on, he said.

“The first decision is, ‘Did this come from a trusted source?’ ’’ Kaiser said. “That’s where we have to build up our defenses a little bit more.’’

But vetting online friends and their messages can be difficult, he admitted. Some people are turning to companies that verify user names and accounts, including, a Cambridge start-up. “If someone is friend-requesting you and you want some hard verification that there’s a human behind the account, that’s what does,’’ chief executive David Gordon said. To do that, the company mines public databases.

But no matter what precautions are taken, human nature sometimes still wins out, say computer security specialists. Even scary-looking pop-up messages warning against suspect links don’t deter some people.

“When you’ve been tricked into thinking that you want to do something,’’ said Sophos’s Wisniewski, “you’ll usually bypass any security.’’

Erin Ailworth can be reached at