Despite an increasingly severe crackdown by the ubiquitous social network, malicious activity and spam on Facebook are still both widespread and profitable, according to Barracuda research scientist Daniel Peck.
MORE SOCIAL SKULLDUGGERY: US-CERT: Social engineers target utilities with fake Microsoft support calls
Speaking at SOURCE Boston this week, Peck said that malicious users leverage old and new techniques to spread malware or spam questionable links to unsuspecting users.
For example, some rogue antivirus ads targeting Facebook are beginning to show their age.
"It's funny, they're still using [Windows] XP logos in the rogue AV malware," he told the audience. "But I guess if you're still falling for rogue AV malware, maybe you're still on XP."
Some older techniques, however, never go out of style. Peck said that titillating images are still a go-to for many malware pushers and spammers. One common trick is to "tag" as many people as possible in a sexually suggestive image to draw large numbers of clicks on a "check out this website I model at" link.
The photo-tagging trick, according to Peck, is particularly effective because of the follow-on effects. Such a picture shows up not only in the news feeds of the people tagged, but in the news feeds of many of their friends -- creating a broader potential slate of victims.
"All the little Facebook 'Like this' or 'share this' buttons that are on websites these days -- that's just a link. You can make anything point to that," Peck said. Unscrupulous users, he noted, frequently conceal a "like" button beneath a link to a racy video or something similar in order to drive up their number of "likes" on Facebook.
Affiliate campaigns too, are "huge" among Facebook spammers, the Barracuda research scientist told the SOURCE audience. "Affiliate campaigns are almost like pump-and-dump websites, [in] how quick they come up and go down," Peck said. Bogus promotions, promising prizes in exchange for shares or "likes," often attract large numbers of clicks. Despite lasting mere days, skillfully run campaigns can get a brand in front of up to 600,000 users.
This, in turn, makes this type of scam profitable for its creators. "Running a credit card affiliate scam is going to get you anywhere from $5 to $20 for each person you get to sign up for a credit card," according to Peck.
Combining social media savvy with old-school phishing, rogue Facebook apps attempt to trick users into revealing personal data. One of the most common, according to Peck, is an attack that warns users that their Facebook account will be shut down unless they "verify" their information using the app. A version of this appears roughly once a month, he said, and it snags hundreds of thousands of victims each time.
Rogue apps, Peck said, often have permissions settings that "go a little too far." An app that asks for permission to "manage my pages" should be regarded with suspicion, he noted.
"If [malware pushers] happen to con someone into installing this app that manages a large and popular page, that's a malware free-for-all," he told the crowd.
Bogus user profiles are both part of many other scams -- serving as phony "developers" for the aforementioned rogue apps -- and a threat in and of themselves, Peck said. From simply friending people and stealing their information to spamming shady ads to becoming part of the "trusted friends" access recovery system and directly hijacking accounts, fake users pose a serious risk to Facebook.
Email Jon Gold at firstname.lastname@example.org and follow him on Twitter at @NWWJonGold.
Read more about wide area network in Network World's Wide Area Network section.