Social media scammers are exploiting the release of the new Apple iPhone in an attempt to steal users' personal information and spread malware, a security firm has found.
Alpha Team, a division of ZeroFox, said this week that it had observed a spike in malicious content involving the iPhone X and iPhone 8 models actively spreading across websites including Facebook, Instagram and YouTube. It identified 532 accounts circulating scams.
The majority of the scams were spotted posing as "giveaway" offers for one of the new Apple handsets – set up in order to help boost "likes", steal the personal information of unwitting victims or to spread booby-trapped links to computer viruses and malware.
The concept is known as "newsjacking" – when a fraudster uses trends as a basis for their illicit schemes. It's not new, but continues to plague social media.
"Attackers [tailor] their attacks to whatever is trending online and in the media, be it a holiday, the latest gaming fad, a new product or internet trend," the team wrote.
"Social media is abused by scammers to spread these attacks to the broadest possible audience, all while tailoring their group of targets using hashtags or abusing the publicly available follower list of popular brands, celebrities and other accounts.
"Scammers can rapidly segment their victim population, customise the attack, build fake accounts and launch their scam campaign at scale."
So what would the attacks do if clicked? Boosting "likes" – also known as "fame farming" – is a method of rapidly gaining large numbers of followers on social channels.
Once a huge audience has been assembled, the fraudsters exploit the trust to push larger scams.
Information harvesting, meanwhile, can steal users' names, addresses and even credit card numbers. Such data is of immense value to an attacker and can be used to infiltrate other accounts, tailor social engineering attacks or – in the worst cases – commit identity theft.
"Dozens of these [scam] sites had similar redirect chains: first directing a user to a blog site, then redirecting to a fake survey which prompts users to enter personal details in order to claim their 'free iPhone,'" the ZeroFox experts explained in a blog post (11 October).
Lastly, the social media schemes can be used to spread malware to infect computers and steal personal information.
These scams are on the rise, but there are a number of ways to identify them and stay safe:
- Any account offering an iPhone giveaway may be fraudulent. Do not trust these accounts or the links they promote. Hover over URLs to get a preview and look closely for impersonator URLs with characters meant to look like others.
- Beware of brand impersonations. Unless it has the blue verified checkmark, do not click anything that account posts, as it is likely an impersonation of the real profile.
- If the site doesn't have an SSL/TLS web site certificate and is not encrypting your information, it's probably not safe to trust that site.
- Ensure two-factor authentication is enabled on your social media accounts when available. This provides yet another barrier of protection.
- Curate who you follow. Following suspicious accounts increases your chances of being exposed to scams, and even benign accounts can be hijacked by or sold to scammers. Above all, be careful what you click on social media! If it looks suspicious, it may very well be.
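
The advice above to look for impersonator URLs built from look-alike characters can also be checked mechanically. The Python below is an added example, not code from ZeroFox or the original article; the `check_url` function, the small look-alike table and the sample URLs are constructed for illustration, and the table is a partial subset rather than a complete list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, partial look-alike table (assumption: not a complete confusables list).
# Cyrillic a, e, o, p, c, x, i, palochka, plus digits often swapped for letters.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0456": "i", "\u04cf": "l", "0": "o", "1": "l",
})

def decode_label(label):
    """Turn a punycode ("xn--") label back into the Unicode text a browser may show."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed punycode: keep the raw label
    return label

def script_of(ch):
    """First word of the Unicode name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def check_url(url, brand="apple", official=("apple.com",)):
    """Return (hostname as displayed, list of findings) for one URL."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = [decode_label(part) for part in host.split(".")]
    shown = ".".join(labels)
    findings = []
    if "xn--" in host or not shown.isascii():
        findings.append("idn-host")          # internationalised name, inspect closely
    if any(len({script_of(c) for c in lab if c.isalpha()}) > 1 for lab in labels):
        findings.append("mixed-script")      # e.g. Cyrillic and Latin in one label
    is_official = any(host == d or host.endswith("." + d) for d in official)
    if brand in shown.translate(CONFUSABLES) and not is_official:
        findings.append("brand-lookalike")   # reads like the brand, is not its domain
    return shown, findings

if __name__ == "__main__":
    # Constructed sample URLs; none is taken from the ZeroFox report.
    puny = "xn--" + "\u0430pple".encode("punycode").decode("ascii")
    for url in ("https://www.apple.com/iphone", "http://\u0430pple.com/win",
                f"http://{puny}.com/win", "https://app1e-giveaway.example/claim"):
        print(url, "->", check_url(url))
```

A finding is a prompt to inspect the link before clicking, not proof of fraud: any unrelated host that happens to contain the brand string will also be flagged.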