Coca-Cola Scam on Facebook: what the heck is a ‘Coca-Cola Scam’?

Here’s the latest scam to make its home on Facebook.

A link shows up in one of your friends’ status that says, “I am part of the 98.3% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video.”

When you click the link, you are given the runaround (the video doesn’t exist at all) until finally you are taken to a poll that asks you to reveal personal information.

It’s almost as if the crooks have figured out how to make money off Facebook before Facebook did (Facebook has attracted billions from venture capitalists, but from what I’ve heard, they’ve yet to actually stumble upon a working business model).

When you’re on Facebook, you simply cannot implicitly trust links, even when posted by a friend. That goes double for links to ‘scandalous’ videos or images, such as the example here. Your friend’s account may have been compromised, or they might be posting links in an attempt to receive some form of payout or reward.

If you’re looking at a shortened URL (such as bit.ly), use a site like LongURL to preview it before you go. However, the URL might not necessarily be shortened (as in this case), although you can still use LongURL to preview most sites.

Another way to check is to google a phrase from the link, to see if news of a scam or phishing attack pops up. Again, though, if it’s brand new, the word might not have gotten out yet (and it takes time for things to appear in a Google search anyway).

Whatever you do, exercise caution at all times, and never enter personal information or passwords on any site that you arrived at via Facebook or Twitter. Once you’re logged in, there is no reason to log in again, and there is exactly zero reason to reveal nonpublic personal information.

Don’t fall for the stranded friend scam

According to the latest Intelligence Note from the IC3, people continue to lose thousands of dollars to a common social networking scam.

Here’s how it works:

  1. Somebody hacks your friend’s Facebook account.
  2. They send messages to all their friends that boil down to “Help, I’m in London and somebody stole all my money and cards and I need you to wire me money. I’ll pay you back later.”
  3. You wire several hundred dollars to London.
  4. You find out your friend has been at home the entire time and, “Oh yeah, by the way, somebody hacked my Facebook account…”

Maybe there are cases where people have actually gotten cleaned out in some foreign city and used Facebook or Twitter to contact their friends and have them wire money to them, but I’ve never heard of it happening.

If you get a message like this from a Facebook friend, don’t just respond immediately by wiring cash. There are some questions you need to ask first:

  1. Is your friend actually in London?

Actually, that one question alone will usually tell you everything you need to know. Pick up the telephone and call your friend. You know that mobile Internet device you’re always using to find sushi restaurants? You can call people on those. If your friend is sitting at home watching the Leif Garrett episode of Behind the Music for the hundredth time, you know that message was a scam. Also, “Oh yeah, by the way, dude, somebody hacked your Facebook account.”

Then again, if you get that message at all, you should already be about 99.9% sure it’s fake. Even now, whose first reaction upon getting robbed would be to run to Facebook? There are police in London, you know, and I’m sure they have procedures.

Plus, you should never wire money to anyone without being able to verify, beyond a reasonable doubt, who you’re sending it to, where you’re sending it, and why you’re sending it.

So Facebook is finally doing something about privacy concerns, probably.

I’m not posting any links to news stories here; this topic is all over the Internet. Check your favorite news website for details. There’s an article there somewhere, I promise.

Also, I don’t normally write a lot about privacy, but this is a hot issue, and I do believe that privacy and fraud prevention concerns are related.

A lot of people have been concerned about the privacy of their personal information on Facebook. It seems that, as the website has grown, more and more of your private details are available for viewing by other people, third party vendors and everyone else in the universe.

Of course, most people seem to be logging on to Facebook to complain about this, which is probably ironic, but still—it seems they might actually be listening, at long last. All those people threatening to quit the site (when you know as well as I do they have no intention of doing so) can relax a little bit.

The privacy settings on Facebook are famously complex. There are over a hundred options, I believe. Supposedly, the new setup will make it a lot easier to manage—I’ve heard of a single click to turn off access by third parties, which is good. I don’t care so much if friends of friends see a photo of me, but I care a lot about companies believing they should have unfettered access to my personal details.

Of course, the acid test will be whether or not these new features turn out to be a real change on the molecular level, or just lip service to privacy concerns. Facebook CEO Mark Zuckerberg has been pretty cocky about this. Apparently, he believes that everyone wants everyone else in the world to be able to access information about them. I happen to believe that’s not true, and simply wanting to use a social networking site does not implicitly mean that a user wants some shady ringtone retailer (or Walmart, BP or Monsanto) to be able to mine their data.

A lot of us only want to connect with certain people and share our lives with them, and by “certain people” we do not mean “corporations” or “complete strangers.” Time will tell if these changes are the genuine article, or just more, “Facebook really cares about your privacy; that’s why we’ve allowed Cash4Gold to look at your entire profile and all your status updates.”

Gift card scams and Facebook

It seems that gift card scams are the latest thing to make Facebook completely unenjoyable.

As if all the dumb games and virtual gifts weren’t accomplishing that well enough on their own. I’m just sayin’.

Basically, the gift card setup involves fake pages promising $1,000 gift cards to places like Ikea, Best Buy or other large retailers. These “fan pages” take you to other websites that harvest personal information, sometimes including account numbers. I think you can guess what happens next.

The scams are advertised through spam, compromised Facebook accounts, and by legitimate friends who think they’re helping you get hip to a great deal.

This whole scheme is just another appearance of that old Internet myth that companies just give millions of dollars away online. Folks, it just ain’t true. By the time Facebook’s admins found the Ikea gift card scam page and took it down, there were over 70,000 “fans.”

If the offer were real, that means Ikea would have had to send out $70 million worth of free gift cards. I’m not sure how much you know about capitalism, but in a profit-driven business environment, one of the things you don’t do is give people $70 million just for clicking “Join This Group.” In fact, what you’re shooting for is for people to give you their money in exchange for a product or service (preferably more than said product or service cost you in the first place). Okay, “Econ 101” is dismissed.

I’m not saying you shouldn’t use Facebook at all (give me another three months and I may change my tune). However, this is what I recommend you do:

  • Use it to connect with current friends or people you lost track of.
  • Keep your privacy settings pretty strict (unless you’re a public figure, in which case you should create an “Other Public Figure” fan page; save your personal page for your inner, inner circle).
  • No farm or aquarium or other games (these give outsiders access to your profile, and they’re a massive waste of time).
  • Um, leave your exes alone. There’s a reason your paths diverged. This tip isn’t about fraud prevention. This is just “How to Not be Demented and Sad.”
  • When I say “connect,” I mean “use Facebook as a communication tool.” I’ve been known to post videos, but it’s more fun to actually discuss things. Sending each other virtual donuts just seems like a waste of life.
  • Avoid fan pages. Do you really need to be a fan of a quote from a movie? Why not just work that quote into what you type? Only join fan pages for entities you actually want updates from or communities you wish to be a part of.
  • Avoid anything that includes clicking a button that says “Allow Access” or something similar. Clicking those buttons gives third parties access to your profile information.
  • Any person or page on Facebook offering free gift cards from major retailers is setting you up for a scam. Remember that. Double-check all legitimate-sounding offers with official company websites (usually “[nameofcompany].com”).
  • Assume everything you post can be viewed by everyone in the Universe. Don’t trust those privacy settings. I’ve still got some questions about those.

Overall, I think Facebook is heading the same direction as MySpace: it starts out fun, becomes excruciatingly bad almost overnight, people (the ones over age 25, anyway) get annoyed and start abandoning the site.

Criswell Predicts: one year from now, people will be sick of Facebook and it will have fallen sharply from its #2 worldwide traffic ranking. Interacting with people in person may even become a trend!

You’re not getting a free iPad. Nobody is getting a free iPad.

Facebook and Twitter are, once again, just lousy with a new scam. This time it involves Apple’s latest device, the iPad.

The iPad is…well, I guess it’s sort of like a giant iPhone, except you can’t make phone calls on it. It’s one of a new category of devices called “tablet computers.”

Personally, I think they’re sort of dumb. They might be good if you’re solely a consumer of content, but they seem limited if you’re actually creating content (video, music, writing, etc.).

I’m sure it will be a big hit anyway; there is a very large, dedicated population that answers “Strongly Agree” to the survey question, “I will always buy any new product Apple releases.” Maybe I’m just not hip enough to get it. I don’t look anything like the people in Apple commercials.

However, since this object has a huge buzz surrounding it, there are already a thousand “Free iPad” scams popping up, many on Facebook and Twitter. In fact, I just did a search on “Free iPad” on Twitter, and there are several new scam messages being posted every minute.

The thing is, this whole scenario seems really familiar. In fact, it’s just one letter away from the “Free iPod” scams that were all over the Internet seven or eight years ago. The only difference is that Facebook and Twitter didn’t even exist back then. The opportunity for scammers to spread their message has grown exponentially—in 2002, they mostly relied on popup advertisements and spam email.

Oh, you say the link took you to a Facebook fan page with thousands of comments from people who claim to have received a free iPad?

Those are fake. It is so extremely easy to create fake positive comments from fake users. You have to just ignore this garbage, no matter how realistic the offer may seem.

For one thing, the iPad hasn’t even been released yet. So there’s no way all these people on Twitter posting “Just playing with Ashley’s new ipad. It was free just for giving an email address at this website” are telling the truth. I’m guessing a lot of these are hacked accounts, but many of them have usernames that follow a specific pattern, which means the accounts were created solely for running a scam. The thing is, even if you know an Ashley and someone you know and follow on Twitter posts this message, ignore it. Tell your friend they’ve been hacked, though.

I’m not sure what happens if you follow the links in these messages. According to what I’ve read, many ask you for a cellular phone number, and then sign you up for a $40/month “service.”

The service? Taking $40/month away from you. I’m sure there are others that take you to infected sites that load your computer up with malware.

The bottom line here is this: nobody is giving away free iPads. Apple doesn’t send thousands of free anything to random people for evaluation. There’s still this lingering myth that the Internet is full of offers like that (“Git on the Innernet n’ you get all kindsa free stuff!”), and I’m not sure where it comes from. It’s not true and it never has been. I’ve been using the Internet since around 1994 and I’ve never once seen a legitimate offer.

Apple is a company that has a singular vision; they already know what their audience wants. Testing is done in-house, not by sending out millions of dollars worth of product for free. By the time it’s at the booth at the Consumer Electronics Show, it’s been tested a million times by people the company knows.

Want one? Cough up.

Online security: teach your children well.

I don’t have any kids yet, but I know a few people who do.

Okay, so I know more than a few. I know many, and almost all of them have something in common: their computers are constantly being infected with viruses, trojans and other types of malware. I’m not talking about the occasional adware popup or tracking cookie—these machines are usually just crawling with malicious software.

There’s sort of an old myth that your twelve year old is always going to know more about the computer than you. Perhaps this is true when it comes to first-person shooters and making goofy videos, but kids don’t know everything about computers, and security is one of those areas where they generally seem to lack the fundamentals.

Of course, they’re invincible, too. There’s always that. Ask them sometime; “Is it even possible that you might run into a virus on the Internet?” They’ll probably look at you like you’re an idiot. Again.

But it happens, and it seems to happen a lot. You’ve got to educate your kids about malicious software, because a keylogger doesn’t care who downloads itself; it’s going to send login and password information, whether it’s to a Facebook profile (bad news) or your financial accounts (worse).

First, if you’ve got kids using the Internet, try to keep an eye on them at least some of the time. Since this is impossible, though, make sure you’re using Firefox with the NoScript plug-in. No Internet Explorer! There are more holes in that browser than a hunk of Swiss.

Secondly, learn about the various dangers yourself, and make sure you warn your kids. No kid is going to be able to resist “lol is this you?” or “lol funny video” followed by a shortened URL, unless someone tells him that such links lead only to malware.

Thirdly, obtain the burliest antivirus and firewall software you can afford, and pay the money to keep it updated. This is vital anyway, but if you’ve got kids clicking a mile a minute on Facebook and Twitter, you really need to take maximum precautions.

I suppose you could try to limit your kids’ access to the Internet, but you could also try to wrestle a grizzly bear while you’re at it. Good luck with that one.

Finally, consider getting your own computer or laptop that the kids aren’t allowed to even touch, and use that one for business and banking. At least your accounts will be safe(r), assuming you’re taking the necessary precautions on this computer as well.

Okay, does this post officially put me in the “old person complaining about young people” camp? It does sort of have that “I tell ya, the kids today, with their Facebooks and their Twitters,” flavor doesn’t it?

I don’t know, but I know it’s important to get your kids hip to the dangers of malware as soon as you can. Your own financial security may depend on it.

Remember that Facebook phishing email? There’s a MySpace version, too.

We all knew it was coming. Below is the full text:

From: Manager Stephan Goldman
To: [incorrect email address] 
Date: Thursday, January 07, 2010 9:02:10 AM 
Subject: MySpace Password Reset Confirmation!

Hey [incorrect username] ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your MySpace.

Attached was a file called “MySpace_document_49792.zip” that recipients would be advised to not touch with a thirty-nine-and-a-half-foot pole. Whatever’s in that ZIP file, you don’t want it. Trust me on this.

Once again, social networking sites are never going to email you a new password, and in general aren’t going to email you files at all.

Who the heck is “Manager Stephan Goldman?”

Anyway, delete this garbage if you receive it, okay?

Fraudulent Facebook email contains malware attachment.

There’s a new fake email message making its way around the web the last few months. This time, it targets Facebook users.

The messages all have something to do with your Facebook password, using subject lines such as “Password Reset Confirmation Email.” They contain an attachment that is supposed to be your new password, but is actually a pretty nasty Trojan horse program that opens your computer up to a variety of attacks. One of these programs is known as Bredolab, and it’s just bad news all around. Below is the text of an example message from “The Facebook Team:”

Hey,
Because of the measures taken to provide safety to our clients your password has been changed. You can find your new password in attached document.

Thanks

The Facebook Team

There are other fake Facebook messages that try to lure victims with a “New Login System” message and contain a disguised link. In this case, it seems to be a pretty standard password-stealing attempt, but given the amount of malware that can be spread and the fraud that can be committed with a hacked Facebook account, it could lead to much worse problems than someone just messing with your Facebook page.

Facebook is never going to send you an email message with your password as an attachment. In fact, they’re never going to send you an attachment at all. If you get one of these messages, hold your cursor over the link (DO NOT CLICK) and you’ll see that the message actually takes you to a non-Facebook website (most likely hosted overseas).

Furthermore, Facebook isn’t going to “confirm” your request for a password reset unless you’ve actually requested it, and any links contained in these messages will be hosted at Facebook.com, not a website with just an IP address (numbers separated by periods, as in “123.45.678.90”), and not a website hosted overseas.

Once again, a new threat just goes to reinforce the old rules of thumb: never open an attachment in an email message you weren’t expecting, and never click on links in an unsolicited email message without verifying first that the message is legitimate.

What is the deal with Facebook and Twitter lately? It seems like they’ve both been targets of an awful lot of phishing, fraud and malware activity these past few months.

Both sites have astounding numbers of users—I recently heard that if Facebook was a country, it would be the fourth most populous in the world, just behind the U.S.—so I imagine it has to do with the sheer numbers involved. When you’ve got over 300 million potential victims, even a 0.1% success rate (1 in 1,000) is a pretty large number of people.

Your biggest security vulnerability, according to the World’s Greatest Hacker

Kevin Mitnick was a hacker before hacking was even illegal. He was famous for having broken into the computer networks of some really large companies. He didn’t make a single dime from his activities; he just wanted to prove it could be done. He was eventually arrested, convicted and given a harsh five-year sentence, served in solitary confinement because the judge was convinced Mitnick could “start a nuclear war by whistling into a pay phone” (source: Wikipedia).

Later, he was released from prison and started a security consulting business (Mitnick Security Consulting, LLC), and now gets paid by companies to break into their computer systems and tell them what they need to fix.

Since he’s no longer dangerous (many argue that he was never all that dangerous, in the “this guy wants to destroy the world” way the prosecution claimed), Mitnick has also become a popular conference speaker. He knows the single biggest security flaw in every single commercial or private computer system, including yours:

It’s the people.

Time and again, Mitnick bypassed high-tech means of hacking (using software to force his way into a system) in favor of low-tech hacks: calling people on the telephone and asking for information.

It’s called social engineering, and it amounts to tricking people into giving away information simply by talking to them.

Mitnick concentrates on corporate network security, teaching businesses how to keep their data safe. However, the same goes for your own personal online safety: you are the weak point. How public have you made the names of your pets, your birthdate, your children’s names and birthdates, or the school(s) you attended? (I’m looking at you, MySpace and Facebook users.) All of this information can be used to steal your identity, by providing a would-be thief with enough information to talk you into accidentally revealing too much information.

Mitnick’s business card, a miniature lock-picking set, has become quite famous these last few years. Look at his website again, under the “Get Kevin’s Business Card” section. It says “Send your IP address and password to:” and his address. It’s obviously meant as a sly inside joke, but I wonder how many people actually mail this information to him.

Facebook IQ Tests: Yes, they’re a rip-off

I did a couple presentations to some eighth graders this past Monday on the topic of common email scams like lottery and mystery shopper schemes, as well as having their parents check their credit reports to make sure nothing shows up.

I was surprised at how many of them had already encountered these emails, and I hope my message got through.

Another topic came up, however, during the Q&A portion of the presentations: those IQ tests that always show up on Facebook.

This isn’t the “Which Variety of Traditional German Sausage Are You?” tests. (Knackwurst, by the way, in case you’re wondering.) I’m talking about the IQ tests that appear as banner ads, with a few of your friends’ photos and the “score” they allegedly received, challenging you to beat them.

My quick advice is: don’t even click on those links. End of story.

The longer answer is this: if you click the link, it will take you to a website (not affiliated with Facebook) that asks you for your cell phone number, allegedly to give you your score. What it’s actually doing (if you read the fine print) is signing you up for a “service” with a monthly fee of $29.99. Then you take an idiotic IQ test, which is not even a little bit official, and wait until the charges show up.

I guess it’s not technically a scam, since you’re told (in very tiny text) that it will charge you, and I guess you’re signing up for something (though I’m not sure what). However, it’s sort of a dirty trick, if you ask me. These ads are aimed at teenagers, most of whom aren’t going to read the fine print.

This was the only real disconnect I had during the presentations. Some of the kids apparently believed that their parents wouldn’t mind paying an extra $360 per year for their kids’ cell phones. “It’s only a dollar a day,” one protested. Tough crowd. “Is this thing on?”

Yeah, it’s only a dollar a day. For a one-time IQ test that is in no way official and is not administered by a professional. I tried to emphasize that just because it’s on Facebook doesn’t mean you should trust it, and that these tests are essentially idiotic, but in the end had to admit to them, “Hey; it doesn’t matter to me if you want to get ripped off to take an idiotic test. If you think your parents will be thrilled to pay an extra $30 per month in this economy just so you can get your fake IQ score, then have at it.”

I think that might have woken them up a little. There was a short “I’m still processing what you just said, and realizing that you’re probably right” silence. I took that as a good sign.

All in all, a successful presentation, I think.