As social network accounts are under heavy scam fire these days, it might be useful (if not utterly fascinating, for some of us) to have a closer look at this phenomenon and identify the tiny wheels that make it work. So, what’s the deal with malicious apps designed to trick social network members?
Simply put, most such apps automatically post messages on the victim’s wall and on his/her friends’ walls in order to trick as many people as possible into clicking (and inadvertently spreading the app further). Attention-grabbing messages (the baits), combined with platform-specific actions that have become genuine reflexes for online socialites (from a mere click, to a tag and, more recently, the creation of an event), make for the perfect scam.
Now let’s take a look at a high-profile trick that’s back in the spotlight: “See who viewed your profile”. As expected, the bait is very strong: “your own spy on duty 24/7”. Curiosity kicks in, especially as each of the countless variants of this scam adds an extra statistics twist (false though it is, because the social network platform does not allow computing such data):
Fig. 1 Scam variants playing the statistics game
When no figures are pushed forward, the message is carefully crafted to work the right emotional triggers:
Fig. 2 Social engineering at its best
With one click, users will see their accounts flooded by fake automated posts:
Fig. 3 “Secret admirer” variant of “See who viewed your profile” hard at work
Will bad apps want more than a click from you? Sure they will. Ever heard of likejacking? Simply put, this means that your “like” is stolen. In the typical scenario, after clicking a link to view shocking/scandalous video content, you will discover that a message has been automatically posted on your Wall, in your name, saying that you LIKED that link.
Fig. 4 Likejacking post
Fig. 5 How to remove likejacking posts
Next in line, tagjacking. As its very name suggests, this scam-spreading technique relies on the illicit use of the tag option provided by the social network platform. After being lured into clicking a link to some video content, the victim will discover that a photo has been added to his/her gallery and that all of his/her friends have been tagged in it. Notice the by-now classic bait: “see who your top stalkers are”.
Fig. 6 Tagjacking step 1
Fig. 7 Tagjacking step 2
Is this the end of it? Not quite. Let’s not forget about eventjacking, which means creating a fake event in order to trick users into clicking and spreading a bad app. In this case, you are invited to attend the alleged launch of the OFFICIAL “see who viewed your profile” app.
Fig. 8 Post announcing the fake event
Fig. 9 Fake event page
Don’t forget that BitDefender Safego, with its newly added tagjacking and eventjacking detection features, is there to keep your social network account safe from harm. As always, beware of links allegedly leading to shocking content, and check your profiles regularly for automatic posts, likes that you don’t remember giving, tags that you did not place on your photos, or events that you did not create but that appear to have been initiated by you. You might also want to keep in mind our advice on how to tell a good app from a bad one.
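The spreading pattern described above (one app posting the same bait line on many friends’ walls within minutes) is something a feed monitor can pick up on its own. The following is an added example, not BitDefender’s code or part of the original post: it runs over a constructed batch of wall posts, matches the bait phrases quoted in this article, and flags any author whose identical text lands on several distinct walls inside a short time window. The post format (author, wall, timestamp, text) is an assumption made for the example; a real feed export would need to be mapped onto it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Bait phrases taken from the scam variants quoted in the article.
BAIT_RE = re.compile(
    r"see who (?:has )?viewed your profile|secret admirer|top stalkers",
    re.IGNORECASE,
)


def is_bait(text: str) -> bool:
    """True if the post text carries one of the known bait phrases."""
    return BAIT_RE.search(text) is not None


def normalize(text: str) -> str:
    """Lower-case, collapse whitespace and mask URLs so the per-victim
    variations of one auto-post compare equal."""
    text = re.sub(r"https?://\S+", "<url>", text.lower())
    return " ".join(text.split())


def find_bait_posts(posts):
    """Every post whose text matches a known bait phrase."""
    return [p for p in posts if is_bait(p["text"])]


def find_auto_post_bursts(posts, window=timedelta(minutes=10), min_walls=3):
    """Flag (author, text) pairs that appear on `min_walls` or more distinct
    walls within `window`. A person rarely writes the same line on several
    friends' walls within minutes; an app doing the spreading does exactly that."""
    groups = defaultdict(list)
    for p in posts:
        groups[(p["author"], normalize(p["text"]))].append(p)

    alerts = []
    for (author, text), group in groups.items():
        group.sort(key=lambda p: p["ts"])
        best_walls = set()
        i = 0
        for j in range(len(group)):
            # Shrink the window from the left until group[i..j] fits in `window`.
            while group[j]["ts"] - group[i]["ts"] > window:
                i += 1
            walls = {p["wall"] for p in group[i : j + 1]}
            if len(walls) > len(best_walls):
                best_walls = walls
        if len(best_walls) >= min_walls:
            alerts.append({
                "author": author,
                "text": text,
                "walls": sorted(best_walls),
                "bait": is_bait(text),  # burst that also carries a bait phrase
            })
    return alerts


# Constructed sample feed (hypothetical users; example.invalid is a reserved name).
_T0 = datetime(2011, 5, 1, 10, 0, 0)


def _post(minute, author, wall, text):
    return {"ts": _T0 + timedelta(minutes=minute), "author": author, "wall": wall, "text": text}


SAMPLE_POSTS = [
    _post(0, "alice", "bob", "OMG see who viewed your profile!! http://example.invalid/app?u=1"),
    _post(1, "alice", "carol", "OMG see who viewed your profile!! http://example.invalid/app?u=2"),
    _post(2, "alice", "dave", "OMG see who viewed your profile!! http://example.invalid/app?u=3"),
    _post(3, "alice", "erin", "OMG see who viewed your profile!! http://example.invalid/app?u=4"),
    _post(5, "bob", "carol", "Happy birthday!"),
    _post(1445, "bob", "dave", "Happy birthday!"),  # same text, a day later: not a burst
    _post(7, "carol", "carol", "Can't believe this video http://example.invalid/v"),
    _post(10, "frank", "bob", "You have a secret admirer, find out who"),  # bait, single wall
]


if __name__ == "__main__":
    for alert in find_auto_post_bursts(SAMPLE_POSTS):
        print(f"{alert['author']} -> {alert['walls']} bait={alert['bait']}: {alert['text']}")
    for p in find_bait_posts(SAMPLE_POSTS):
        print(f"bait phrase from {p['author']} on {p['wall']}'s wall")
```

Running it on the sample flags alice’s four-wall burst as an automated bait post, while bob’s two birthday wishes (a day apart) and frank’s lone bait post are reported only by the phrase check, which is the right separation: the burst detector catches new bait text that the phrase list does not know yet, and the phrase list catches a scam before it has had time to spread.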
Happy sharing, everyone!
This article is based on the technical information provided courtesy of George Petre, BitDefender Threat Intelligence Team Leader
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.