According to statistics from the Central Bank of Russia, in 2017 317.7 thousand users lost 961 million rubles online to fraudsters. In 97% of cases the victims did not contact law enforcement agencies. And these figures cover only the incidents that were reported to the bank.
Let's look at the common ways attackers steal money on social networks, and, so that you do not fall into the scammers' net, give advice on how to protect yourself from cybercriminals.
1. Account hacking
Obtaining account login data allows fraudsters to seize confidential information and deceive the user's friends. To do this, scammers use a whole arsenal of tricks:
- infecting a computer or mobile device with a virus;
- hacking the databases of other sites and matching the passwords;
- brute-forcing common passwords.
Virus infection most often occurs when opening email attachments from unknown senders or downloading files from free file-hosting sites. Viruses scan browser folders for unencrypted passwords and monitor what the user types on the keyboard. For example, Android.BankBot.358.origin targets Sberbank customers and steals login data for the mobile application. The TrickBot Trojan also hunts for login data for bank accounts and cryptocurrency exchanges. The Fauxpersky keylogger disguises itself as a Kaspersky Lab product and collects everything the user types.
The information collected by a virus is sent to the attackers. Usually the virus writes the captured data to a text file and connects to the mail service specified in its settings, then attaches the file to an email and sends it to the scammers' address.
Users use the same password for all sites (online stores, social networks, mail servers) so that they do not have to remember unique passwords for each account or store them on their computers. Attackers go after less protected sites: directories, online stores, forums. Social networks employ whole teams of IT professionals responsible for cybersecurity, whereas online stores and forums run on CMS platforms in which fraudsters periodically find vulnerabilities that let them steal data.
Hackers copy the user database, which usually contains nicknames, email addresses and login passwords. Although passwords are stored as hashes rather than in plain text, they can often be recovered, since most sites use the 128-bit MD5 hashing algorithm, whose output can be matched against precomputed tables using desktop software or online services. For example, the MD5 Decrypt service holds a database of 6 billion recovered words. Recovered passwords are then tried against mail services and social networks. And if the social network password itself could not be matched, access to the mailbox lets the attacker reset it through password recovery.
Password brute force is becoming less relevant every year. It consists of methodically trying common combinations of letters and digits as the password for a social network account. Fraudsters route the attempts through proxy servers and VPNs that hide the computer's IP address so that the social network does not detect them. Social networks, however, protect users themselves, for example by introducing a captcha.
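Two of the mechanisms above, worked through in code that is added here and is not part of the original article: first, a constructed user table stored with unsalted MD5 (as in the leaked-database scenario) is matched against a small precomputed table, and the same password stored with a per-user salt and slow PBKDF2 from Python's hashlib is not; second, over a constructed login log, counting failures per source IP misses a guessing run spread across proxy addresses, while a per-account sliding window catches it and is the signal that should trigger a captcha. All user names, addresses, hashes and log lines are constructed.

```python
import hashlib
import hmac
import os
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed "leaked" table, stored the way a CMS using unsalted MD5 keeps it.
LEAKED_USERS = {
    "alice@example.com": hashlib.md5(b"qwerty123").hexdigest(),
    "bob@example.com": hashlib.md5(b"sunshine").hexdigest(),
    "carol@example.com": hashlib.md5(b"Xk9#vL2!pQ7z").hexdigest(),
}
COMMON_WORDS = ["123456", "password", "qwerty123", "sunshine", "iloveyou"]

def build_lookup(words):
    """Precompute md5(word) -> word once, as an online lookup service does at scale."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}

def recover_unsalted_md5(leaked, lookup):
    """Every leaked hash present in the table reveals that user's password."""
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}

def hash_password(password, iterations=200_000):
    """Defender's side: random per-user salt plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(cand.hex(), digest_hex)

# Constructed login log: one account hammered from many proxies, one normal user.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:03Z login_failed user=alice ip=198.51.100.7
2024-05-01T10:00:04Z login_failed user=alice ip=203.0.113.9
2024-05-01T10:00:06Z login_failed user=alice ip=198.51.100.12
2024-05-01T10:00:08Z login_failed user=alice ip=192.0.2.44
2024-05-01T10:00:15Z login_failed user=bob   ip=203.0.113.5
2024-05-01T10:00:20Z login_ok     user=bob   ip=203.0.113.5
"""
LINE_RE = re.compile(r"^(\S+)\s+(login_\w+)\s+user=(\S+)\s+ip=(\S+)$")

def parse(log):
    """(timestamp, event, user, ip) per line; lines that do not match are skipped."""
    out = []
    for m in (LINE_RE.match(line) for line in log.splitlines()):
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), *m.groups()[1:]))
    return out

def per_ip_failures(events):
    """Naive rule: failures per source IP. Behind proxies every counter stays low."""
    return dict(Counter(ip for _, ev, _, ip in events if ev == "login_failed"))

def flag_accounts(events, window=timedelta(seconds=60), max_failures=5):
    """Per-account sliding window, ignoring source IP; returns {user: IPs in the window}."""
    by_user = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev == "login_failed":
            by_user[user].append((ts, ip))
    flagged, start = {}, 0
    for user, fails in by_user.items():
        fails.sort()
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= max_failures:
                flagged[user] = {ip for _, ip in fails[start:end + 1]}
                break
    return flagged
```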
How to protect yourself
To fight viruses, you must follow the basic rules of computer security:
- do not download files from unknown sources, as viruses can be disguised, for example, as a presentation file;
- don't open attachments in emails from unknown senders;
- install antivirus (Avast, NOD32, Kaspersky or Dr. Web);
- set two-factor authentication on sites that have this option;
- when logging in from someone else's device, tick the corresponding box on the login form;
- do not use the browser's ability to remember passwords.
Users should not use the same password for social networks, mail services, online stores and bank accounts. You can diversify passwords by adding a service designation to the end. For example, 12345mail is suitable for mail, 12345shop for shopping, 12345socialnet for social networks.
2. Extortion and blackmail
Attackers deliberately hack into social media accounts to obtain confidential data, then blackmail the victim and extort money. A typical case involves intimate photos sent to a partner.
There is nothing criminal in the photos themselves. Attackers blackmail the user by sending the received pictures to relatives and friends. During communication, psychological pressure and attempts to induce feelings of guilt are used in the expectation that the victim will send money.
Even if the victim sent the money, there is no guarantee that the perpetrators will not decide to "ransom" the photos again or just post pictures for fun.
How to protect yourself
Use services that allow you to send self-destructing or encrypted messages, such as Telegram or Snapchat. Or agree with your partner not to save the pictures but to delete them immediately after viewing.
You should not log in to mail and social networks from other people's devices. If you forget to log out, there is a risk that your correspondence will end up in the wrong hands.
For those who like to keep confidential data, it is recommended to encrypt folders using special software, for example the Encrypting File System (EFS) technology.
3. Prizes, legacies and free items
Scammers offer to get an expensive item for free, provided that you pay for shipping to your address or insurance for shipping. You may come across a similar offer, for example, in the "Free" group of your city. As a reason, they may indicate an urgent move or receiving the same thing as a gift. Quite often, expensive things are used as “bait”: iPhone, iPad, Xbox, and the like. To pay for shipping costs, scammers ask for an amount that the user is comfortable parting with - up to 10,000 rubles.
Scammers offer not only free items but also goods at a greatly reduced price, such as an iPhone X for 5,000 rubles. The aim is to steal money or card data using a fake payment gateway form: fraudsters disguise the card payment page as the page of a popular payment gateway.
Attackers can pose as employees of a bank or a notary office, asking for help in cashing out funds from an account or money received as an inheritance. For this, the victim is asked to transfer a small amount to open a current account.
Also, a link leading to a phishing site can be sent to claim the prize.
How to protect yourself
Don't believe in free cheese. Simply ignore such requests or report them using the built-in social media tools. To do this, go to the account page, click the "Complain about the user" button and write the reason for the report. The social network's moderation service will review the information.
Do not click on unfamiliar links, especially those made with goo.gl, bit.ly and other link-shortening services. You can, however, expand a shortened link using the UnTinyURL service.
Suppose you received a message on a social network about a bargain sale of a phone or tablet. Do not trust your luck and pay immediately. If you reached a page with a payment gateway form, carefully check that the domain is correct and that the PCI DSS standard is mentioned. You can verify the payment form with the payment gateway's technical support; just contact it by e-mail. For example, the websites of the payment providers PayOnline and Fondy list customer support email addresses.
4. "Throw a hundred"
Scammers use a hacked page to ask the victim's acquaintances and friends to transfer money to the account. Now not only requests for transfers are sent out, but also photographs of bank cards, on which, using a graphic editor, the name and surname of the owner of the hacked account are applied.
As a rule, attackers ask for the money to be transferred urgently, since they are afraid of losing control over the account. Requests often contain elements of psychological pressure and constant reminders that everything must be done right away. Fraudsters may study the message history in advance and even address you by name or by nicknames known only to you.
How to protect yourself
Call the friend and ask directly whether they need money. This way you confirm whether the request is genuine and can immediately warn them that their page has been hacked.
If you know the person whose account was hacked well, pay attention to the manner of speech. The attacker most likely will not have had time to copy their communication style completely and will use turns of phrase unusual for them.
Pay attention to the photo of the bank card. A fake can be spotted by poor-quality processing in a graphic editor: letters will "jump", the initials will not sit on the same line as the card's expiry date, and sometimes they will even overlap it.
Surviving social media
From December 2014 to December 2016, the number of attacks on users using social engineering increased 11 times. 37.6% of attacks were aimed at stealing personal data, including bank card information.
According to research by ZeroFOX, Facebook accounted for 41.2% of attacks, Google+ for 21.6%, and Twitter for 19.7%. The social network VKontakte was not included in the study.
Experts identify 7 popular social media scam tactics:
- Fake page verification. Fraudsters on behalf of the social network offer to get the coveted checkmark of a “verified” page. Victims are sent the address of a specially prepared page for data theft.
- Spreading a fake link using targeted ads. Attackers create an advertisement to attract users to the pages with low prices and sell counterfeit goods.
- Imitation of famous brand customer service. Attackers disguise themselves as technical support services of large brands and receive confidential information from their customers.
- Using old accounts. Attackers can use old accounts by changing their settings to bypass social media controls.
- Fake pages of online stores and brands. Attackers spoof community pages of online stores and lead users to phishing pages for authorization, stealing login data or selling counterfeit goods.
- Fake promotions. To take part in a promotion, attackers may ask for an email address or a photo, supposedly needed for participation, which can later be used in illegal actions.
- Financial fraud. Attackers promise inflated returns over a short period and simply steal the money of gullible users.
- Fake pages of HR companies. Some scammers imitate the official style of large companies and demand payment for considering a job application.
There is only one way to protect yourself from social engineering - knowledge. Therefore, you need to learn the rules of computer security well and not believe too generous offers.