Beware of Facebook frauds and Google goons

Social media and search engine scams are on the rise. Cyberthieves are finding new ways to slip onto your computer and into your pocket. Are you really sure you're safe?

More headlines today about the seething dark underbelly of the Web creeping up to slime you and your friends.

According to security company AVG, somebody pwned Facebook's CAPTCHA anti-bot mechanism yesterday, either by cracking the code or (more likely) hiring a team of human drones for a few pennies apiece to decode the squiggly letters. They then created false profiles and used them to share a "home video."

Launching the alleged video installed an applet that popped up the usual message telling users their systems were infected by malware (which, in a way, they were) and offering a free system scan, followed by a pitch to buy a bogus $50 product.

Per The Register:

The fraudulent profiles display the same picture of a blond-haired, blue-eyed woman, but with slightly different names and birth dates, said Roger Thompson, chief of research at security firm AVG Technologies. Each invites visitors to click on what purports to be a video link that ultimately tries to trick viewers into installing rogue anti-virus software.

The lesson here: Beware of blue-eyed blondes. But you knew that already.

Yes, it's yet another variation on the scareware scam that infected the New York Times' online ad system a few weeks back.

There's something fiendishly ironic about the fact that the biggest scam malware malcontents are pulling these days is pretending to sell products that claim to protect you against malware malcontents. It's like your friendly neighborhood cat burglar announcing he's going into the home security business when it's really just an excuse to case the joint.

This is hardly the first scam using fake or hijacked profiles to hit Facebook recently. Just yesterday, the FBI issued a press release warning FB fans against the "friend in trouble overseas" scam. In this one, some con artist hijacks a legitimate Facebook account and sends desperate messages to that person's friends, pleading for them to wire a significant amount of cash to bail them out of a jam.

Apparently the feds missed the news story that hit a month ago about the poor schmuck who got taken for $4,000 with this scam. (Those guys really need to sign up for Google Alerts.)

I first heard about this one in August, when a friend told me she'd been approached on Facebook by someone she hadn't heard from in 20 years, saying he was in a spot of trouble in London and could she possibly wire him $900? Then she heard from other friends who'd gotten the same message. She said some were seriously considering sending the money. I told her that her friend's account had probably been hijacked and she was being targeted by a con artist.

The first scam used a pretty girl to lure people into doing something they probably shouldn't have. The second scam abused a trusted relationship and preyed on people's better natures. Tried-and-true techniques that have worked in the grifter racket for thousands of years are now available online.

Back in the early days of the commercial Net, you had to go looking for this kind of trouble by wandering through some bad neighborhoods. Now it comes to your house and rings your doorbell. Or it's brought to you fresh from the oven by Google.

As The Reg reports, researchers at the University of Alabama found millions of links on the search engine that send unsuspecting Netizens to infected Web sites. People searching for cheap (and/or pirated) software often end up on sites that perform drive-by installs of the ASProx botnet, in large part because such sites have gamed Google to land at the top of its search results. Some of these are legit sites that have been compromised; others are total fakes from the get-go. (And Bing is even worse, FYI.) Even if they don't end up infecting your system, they're likely to steal your identity and/or your credit card info.

So to summarize today's lessons: a) Beware of cute blonde strangers sharing videos; 2) your computer may well be infected with malware, but it's unlikely some Web site is going to tell you about it; iii) your friends are not stranded overseas, and even if they actually were you shouldn't wire them money because they got themselves into that mess and they can get themselves out of it; and Z) maybe it's just better to pay full freight for software and avoid the hassles, eh?

The DHS has declared October Cyber Security Awareness Month, so you'll be hearing a lot more about these kinds of things over the next few weeks.

As they used to say on "Hill Street Blues": Be careful out there.

Have you or your friends been taken by a cyberscam? Share your tales of woe below or e-mail me:

Copyright © 2009 IDG Communications, Inc.