Guest Column | May 2, 2019

Protect Your Enterprise Against Social Media Hoaxes

By Moez Janmohammad, Critical Start


Think the latest Facebook scam can’t impact your organization? Think again.

From Jonathan Swift’s fake almanac in 1708 to the modern Dihydrogen monoxide joke, hoaxes have been around for as long as humans have enjoyed deceiving each other for fun. The ease of communication via technology has made social media a big part of our personal and professional lives. In business, social media has become an effective tool for marketing, customer engagement, and other initiatives. Yet it has also made enterprises more vulnerable to hoaxes and scams, leading to reputational damage or the theft of sensitive corporate information as cybercriminals target potential weaknesses in social media accounts. These hoaxes have evolved from word-of-mouth and chain email to Instagram, WhatsApp, and Facebook. Users fall for these forwarded posts, which in some cases have taken a malicious turn.

Facebook was one of the first social media platforms to have hoaxes and misinformation spread, with the most popular one stating that Facebook’s new algorithm would only allow you to see 25 of your friends’ posts in your news feed. See if you recognize the following post:

How to avoid hearing from the same 25 FB friends and nobody else: Here is a post explaining why we don’t see all posts from our friends….

News feed recently shows only posts from the same few people, about 25, repeatedly the same, because Facebook has a new algorithm.

Their system chooses the people to read Your post. However, I would like to choose for myself, Therefore, I ask you a favor: if you read this message leave me a quick comment, a “hello”, a sticker, whatever you want, so you will appear in my news feed.

Don’t just “Like”, Facebook requires a “Comment”. Even one word! Thanks!!!

Otherwise Facebook chooses who to show me and instead I don’t need Facebook to choose my friends!

Do not hesitate to copy and paste on your wall so you can have more interaction with all your contacts and bypass the system. That’s why we don’t see all posts from our friends!

Facebook has repeatedly stated that these kinds of copy/paste posts are fake, and has even asserted that its constantly updated algorithms will increase interactions with friends, but users keep falling for these kinds of posts. A malicious actor could potentially modify this kind of post with a link leading to a site that gathers usernames/passwords or installs malicious software, claiming it will help users see all of their friends’ posts.

Enterprise organizations are not immune to social media hoaxes. In addition to Facebook, popular platforms like WhatsApp and Instagram are routinely used to spread misinformation, creating organizational headaches. WhatsApp is the most used messaging application in the world, even ahead of text messaging. Hoaxes, scams, and fake information spread like wildfire through the WhatsApp service. Malicious links have been spread for a fake premium WhatsApp service called “WhatsApp Gold” that tricked users into downloading a modified version of the Android application, which stole user information and installed additional malware.

Ray-Ban was the target of a scam on Instagram in 2017 when an account claiming to sell deeply discounted Ray-Ban sunglasses said users could only get the promotion after clicking a link to connect their Instagram account to its storefront. The link was actually a phishing page designed to steal the user’s Instagram credentials and continue spreading itself via direct messages and public posts.

In December 2018, users were tricked into sharing a post from an account claiming to recruit Lululemon ambassadors and tagging the profile. Lululemon tweeted that the account was not related to their official page, and the page has since been removed from Instagram, but not before hundreds of thousands of hopeful users had posted and tagged the account. At the time of its removal, the account had over 500,000 followers and only one post.

In the case of the Lululemon hoax, it is unclear what the goal behind the campaign was. There were no links being spread, no request for additional information, and no contact information besides a Gmail address. This may have been an attempt to gather the information of “known-gullible” users to target in upcoming ad campaigns for a storefront with free or discounted Lululemon gear designed to steal payment information or gather usernames/passwords to spray against other services.

Given the evolving sophistication of cybercriminals, how can you protect your organization?

  • Educate your employees. Create policies aimed at best practices for corporate social media accounts. Hoaxes and scams rely heavily on users sharing the information to increase the attack surface. The best way to protect your company and others is to not participate in their spread.
  • Encourage your employees to use common sense. If something sounds too good to be true, it usually is.
  • Circulate information internally about the latest social media hoaxes so your team can practice vigilance.
  • You can uncover scams by conducting an online search of the account name or offer together with the word “scam.” If friends or coworkers are sharing these, whether intentionally or because their accounts have been compromised, let them know immediately!

In an era of fake news and constant misinformation, Facebook/Instagram/WhatsApp hoaxes have become a prime vector for malicious actors to take information from users who are willingly handing it over in the hope of gaining goods or services in return. Gone are the days of the Nigerian Prince emails; welcome to the new age of social engineering.

About The Author

Moez Janmohammad is a cybersecurity engineer at Critical Start, a leading provider of cybersecurity solutions.