This is crazy. Hacking groups are out in full force on Facebook. And with the willing participation of millions upon millions of naïve users, chances are high that you have either seen or participated in one of the biggest global online threats today. Can you guess what the Facebook scam is?
For weeks if not months now, hacker groups have launched data aggregating campaigns disguised as innocent polls and fun personal trivia confessions. Facebook pages that appear to be radio stations or so-called lifestyle enthusiasts post silly questions like “What is your stripper name? Comment with the model of your first car and the city you were born in!” or “Don’t you think old fashioned names are charming? What was your grandmother’s first name?”
Comments on these posts are skyrocketing and the data miners are eating up the endless opportunity. What is shocking is that while a lot of users are increasingly savvy to this Facebook scam, many are willingly participating, even when they know the threat.
The charming grandma post, that has garnered more than 1.5 million responses, also included the following exchange in the comments:
FB Commenter 1: Great. Now the hackers that run this Facebook scam know your grandma’s first name. Times a million. What a great database for the bad guys.
FB Commenter 2: Who cares? It’s fun and if you use your grandma’s name as a password then you are not very smart and that’s your bad.
But the threat doesn’t really pertain to whether you use your grandmother’s name as a password. That’s not how hackers use the information.
Well if it is not about stealing passwords, then what are they after?
As you know, many websites ask users to establish answers to Security Questions when creating their online account. These questions are posed to users in various scenarios: they might be triggered when you request a password change, when the website senses you are logging in from a new browser, or when you are locked out after too many incorrect password attempts. Many sites essentially use Security Questions to authenticate that you are who you say you are, so they ask you a question that supposedly only you could answer. Like, um, say, your grandmother’s first name, the name of your kindergarten or the model of your first car.
So these “just for fun” Facebook posts, like the ones mentioned above, provide data aggregators and bad actors from around the world (Yep! Russian, Nigerian, Chinese, and even homegrown cybercriminals) the information they need to circumvent your password protection and wreak havoc on your accounts. So, yes, we aren’t talking about passwords; it’s all the other information that is used today to verify that you are who you say you are when you log in with a user ID and password.
Once those masquerading Facebook posters know your Nana’s name was Beatrice, they store the information in a humongous database. Believe it or not, they likely did their homework long before they ever posted that fun-loving question, so they already know exactly which sites include the security question “What was your grandmother’s first name?” It is only a matter of time before your account gets hacked. And once they break into one, they are better equipped to hack into your other accounts.
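To make the point concrete, here is an added example (not code from the original post, and not Ravdal Inc.’s) of two account-recovery flows written in Python. The first treats the security answer as the whole authentication step, so whoever harvested “Beatrice” from the Facebook post gets the password reset. The second gates the reset behind a random, single-use, short-lived token delivered out of band and rate-limits the question, so the harvested answer on its own unlocks nothing. The e-mail address, the grandmother’s name, the simulated outbox and the class names are all constructed for illustration.

```python
"""Two account-recovery flows: why a harvested security answer matters.

Added example, not code from the original post or from Ravdal Inc.  All
names, addresses, the simulated out-of-band outbox and the class names are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample data: the kind of fact a "What was your grandmother's
# first name?" post harvests, keyed by the e-mail address a site has on file.
HARVESTED_ANSWERS = {"alice@example.test": "Beatrice"}


def normalize(answer: str) -> str:
    """Sites usually ignore case and spacing, so 'beatrice ' matches 'Beatrice'."""
    return " ".join(answer.strip().lower().split())


def hash_secret(value: str, salt: bytes) -> bytes:
    """Slow, salted hash; answers are secrets and must never be stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)


class QuestionOnlyRecovery:
    """Weak pattern: the security answer alone authorizes a password reset."""

    def __init__(self):
        self.records = {}  # email -> (salt, answer_hash)

    def enroll(self, email: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.records[email] = (salt, hash_secret(normalize(answer), salt))

    def reset_password(self, email: str, answer: str) -> bool:
        salt, digest = self.records[email]
        # Whoever harvested "Beatrice" from the Facebook post passes this check.
        return hmac.compare_digest(hash_secret(normalize(answer), salt), digest)


class TokenGatedRecovery:
    """Hardened pattern: a reset needs a random, single-use, short-lived token
    sent out of band; the question is at most a secondary, rate-limited check."""

    TOKEN_TTL = 600      # seconds a reset token stays valid
    MAX_ATTEMPTS = 3     # wrong answers allowed per token

    def __init__(self):
        self.records = {}   # email -> (salt, answer_hash)
        self.pending = {}   # email -> (token_hash, expiry, attempts)
        self.outbox = []    # stands in for the e-mail/SMS channel

    def enroll(self, email: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.records[email] = (salt, hash_secret(normalize(answer), salt))

    def request_reset(self, email: str) -> str:
        """Always answer the same way so the form does not confirm which
        addresses exist; the token itself only ever leaves via the outbox."""
        if email in self.records:
            token = secrets.token_urlsafe(32)
            token_hash = hashlib.sha256(token.encode()).digest()
            self.pending[email] = (token_hash, time.time() + self.TOKEN_TTL, 0)
            self.outbox.append((email, token))
        return "If that address is on file, a reset link has been sent."

    def reset_password(self, email: str, token: str, answer: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False                      # no reset requested, or already used
        token_hash, expiry, attempts = entry
        if time.time() > expiry or attempts >= self.MAX_ATTEMPTS:
            self.pending.pop(email, None)     # expired or brute-forced: discard it
            return False
        self.pending[email] = (token_hash, expiry, attempts + 1)
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, token_hash):
            return False                      # harvested answer without the token fails
        salt, digest = self.records[email]
        if not hmac.compare_digest(hash_secret(normalize(answer), salt), digest):
            return False
        self.pending.pop(email)               # single use
        return True


def demo() -> dict:
    """Run the harvested answer through both flows and report what it unlocks."""
    email, nana = "alice@example.test", HARVESTED_ANSWERS["alice@example.test"]
    weak = QuestionOnlyRecovery()
    weak.enroll(email, "Beatrice")
    hardened = TokenGatedRecovery()
    hardened.enroll(email, "Beatrice")
    results = {"weak_flow_with_harvested_answer": weak.reset_password(email, nana.lower())}
    results["hardened_flow_answer_only"] = hardened.reset_password(email, "", nana)
    hardened.request_reset(email)
    _, token = hardened.outbox[-1]
    results["hardened_flow_with_token"] = hardened.reset_password(email, token, nana)
    results["hardened_flow_token_reused"] = hardened.reset_password(email, token, nana)
    return results


if __name__ == "__main__":
    for check, unlocked in demo().items():
        print(f"{check}: {'password reset' if unlocked else 'denied'}")
```

The token-gated flow is what takes a harvested grandma’s name out of the equation: the answer only ever counts alongside a secret the attacker does not hold, and three wrong guesses burn the token. Where a site still insists on a security question, the practical advice is to treat the answer as a random secret kept in a password manager rather than a true fact about your family.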
Now multiply that threat by the 1.5 million Facebook users who willingly answered that “silly” question.
It is hard for many folks outside the cybersecurity field to grasp the very real threat these seemingly innocuous Facebook scam posts pose to a very wide swath of social media users. Suffice to say, the threat is very real, and the fallout at some point will likely send shockwaves throughout the U.S. and abroad. In fact, the entire dynamic, including the general public’s complicity, is poised to permanently change the face of online security in one way or another.
Hacking is a massive and sophisticated global business. Let’s repeat that. Hacking is a business. And until legislation is passed that governs how social media platforms address the issue of predatory data luring, companies like Facebook will likely continue to turn a blind eye to the issue.
It is time to wake up and face a pretty scary reality. Once you have given away identifying information about yourself (like maybe your social security number, fingerprints, retinal scan, and that fun personal trivia) what will be left to verify that you are who you say you are?
Let’s be clear. Every technology professional on the planet surely suspects these posts are created by hacking groups. But in response to a fraud report submitted to Facebook regarding the Grandma post, the social media giant replied with the following arguably obtuse response:
“Thanks for letting us know about this. The post was reviewed, and though it doesn’t go against one of our specific Community Standards, you did the right thing by letting us know about it. We understand that it may still be offensive or distasteful to you, so we want to help you see less of things like it in the future.
From the list above, you can block ******** directly, or you may be able to unfriend or unfollow them. We also recommend visiting the Help Center to learn more about how to control what you see in your News Feed. If you find that a person, group or Page consistently posts things you don’t want to see, you may want to limit how often you see their posts or remove them from your Facebook experience.
We know these options may not apply to every situation, so please let us know if you see something else you think we should review.”
Yep. It’s a dangerous world out there.
Each year, global hackers threaten the safety and security of countless victims, particularly targeting vulnerable aging adults. In 2020 alone, senior citizens were collectively scammed out of more than $1 billion. While Ravdal Inc. specializes in B2B enterprise level cybersecurity, we care deeply about protecting the elderly from cybercriminals. We recently launched a community service campaign we call “Please Tell Your Grandma” that will provide families with awareness tips, tools, and protocols to help protect their elderly loved ones from online threats. Stay tuned.