Skip to content

The Next Step of Social Engineering: Social Media Hoaxes

The Next Step of Social Engineering: Social Media Hoaxes

From Jonathan Swift’s fake almanac in 1708 to the modern Dihydrogen monoxide joke, hoaxes have been around for as long as humans have enjoyed deceiving each other for fun. The ease of communication via technology has made hoaxes and scams even more prevalent, evolving from word-of-mouth and chain email to Instagram, WhatsApp, and Facebook. Users are constantly falling for these forwarded posts and they’ve taken a turn for the malicious.

Facebook was one of the first social media platforms to have hoaxes and misinformation spread, with the most popular one stating that Facebook’s new algorithm would only allow you to see 25 of your friends’ posts in your news feed. The text reads:

“How to avoid hearing from the same 25 FB friends and nobody else: Here is a post explaining why we don’t see all the posts from our friends….

Newsfeed recently shows only posts from the same few people, about 25, repeatedly the same, because Facebook has a new algorithm.

Their system chooses the people to read Your post. However, I would like to choose for myself, Therefore, I ask you a favor: if you read this message leave me a quick comment, a “hello”, a sticker, whatever you want, so you will appear in my news feed.

Don’t just “Like”, Facebook requires a “Comment”. Even one word! Thanks!!!

Otherwise, Facebook chooses who to show me and instead I don’t need Facebook to choose my friends!

Do not hesitate to copy and paste on your wall so you can have more interaction with all your contacts and bypass the system. That’s why we don’t see all the posts from our friends!”

Facebook has repeatedly stated that these kinds of copy/paste posts are fake and even asserted that their constantly updated algorithms will increase interactions with friends, but users will keep falling for these kinds of posts. A malicious actor could potentially modify this kind of post with a link leading to a site that gathers usernames/passwords or installs malicious software and claims it will help to see all of their friends posts.

WhatsApp is the most used messaging application, even ahead of text messaging, in the world. Hoaxes, scams, and fake information spread like wildfire through the WhatsApp service. In India, mobs of angry people killed over 20 people in connection to messages being forwarded on WhatsApp falsely linking the victims to child abductions. There have also been malicious links being spread for a fake premium WhatsApp service called “WhatsApp Gold” that tricked users into downloading a modified version of the Android application which stole user information and installed additional malware.

Instagram has had quite a few hoaxes that large numbers of their users have fallen for. In 2017, an account claiming to be selling deeply discounted Ray Bans sunglasses said users could only get the promotion after clicking a link to connect their Instagram account to their storefront. The link was actually a phishing page designed to steal the user’s Instagram credentials and continue spreading itself via direct messages and public posts.

In December of 2018, users were tricked into sharing a post from an account claiming to recruit Lululemon ambassadors and tagging the profile. Lululemon has tweeted that the account was not related to their official page. The page, @lulurecruitment, has since been removed from Instagram, but not before hundreds of thousands of hopeful users had posted and tagged the account. At the time of its removal, the account had over 500,000 followers and only one post.

It is unclear what the goal behind the campaign was. There were no links being spread, no request for additional information, and no contact information besides a Gmail address. I think this was to start gathering information of “known-gullible” users to target in upcoming ad campaigns for a storefront with free or discounted Lululemon gear designed to steal payment information or gather usernames/passwords to spray against other services.

How do you protect yourself from these kinds of campaigns? Hoaxes and scams rely heavily on users sharing the information to increase the attack surface. The best way to protect yourself and others is to not participate in their spread. It starts by using common sense and asking yourself if the offer sounds too good to be true. I’ve had success with uncovering scams just by googling the account name or offer and the word “scam”. If you have friends that are sharing these, intentionally or if they’ve been breached, let them know immediately!

In an era of fake news and constant misinformation, Facebook/Instagram/WhatsApp hoaxes have become a prime vector for malicious actors to take information from users who are willingly handing it over in the hopes of gaining goods or services in return. Gone are the days of the Nigerian Prince emails, welcome to the new age of social engineering.

by Moez Janmohammad | Junior Adversarial Engineer, CyberOne
January 29, 2019