Whether you're a social media manager who handles many accounts or just a business owner managing your own, threats are everywhere. On Twitter, you get spam replies or direct messages saying you're in a photo. On Facebook, you see a friend post something, click the link and now your account is compromised spreading the same crap.
Whatever it is, the goal is simple: Get access to your account in order to get access to even more accounts. While most of us think we're secure, it takes just one lapse in attention to give up access. From celebrities to average Joes, it can happen to anybody.
I'm a big fan of Reddit and while browsing one night because I couldn't sleep, came across a very interesting story. Someone posted an image of some stupid picture that was posted to a Facebook page. Here's the image:
Yeah, pretty pathetic attempt to boost up Edgerank. A person by the username of FateAV responded in the comments about this method and how hijackers compromise Facebook pages and then sell them off for thousands of dollars. I tried reaching out to FateAV to get more of his/her's story, but to no avail.
I'm an admin on a few large [300k+] pages. Generally the way it works is like this. First an annoying teenager who's popular makes a facebook page. Somewhere between 50-100k likes, the owner almost invariable has their page hijacked from them by either social engineering or in more rare cases phishing or keyloggers. Next up the new admin posts the same shit as the old one. If the admin has been doing this for a while, they usually post more of this sappy like+Share, etc stuff because facebook's edgeRank calculates the reach of a post based on previous interactions by users with your page's posts, so the like+share stuff is actually PERFECT to grow a page very rapidly. It has absolutely nothing to do with attention whoring or popularity, it's just a way of gaming the edgerank system to raise the actual reach of posts and the "talking about" statistic on the page [which is a major factor in page pricing] Alternatively, if the page has more identity, such as the larger "community" pages, the page's character can be monetised through T-shirts, related websites, Youtube videos, blog adsense revenue, or a few other means. These admins also tend to sell advertisements to smaller pages on a per-post basis, usually by sharing a picture from the smaller page and casually tagging them in the description. More often, however, the page ends up in the hands of one of the hijacker guilds on facebook, who hijack pages, rapidly grow them to a couple of million likes, and then sell them for a few tens of thousands of dollars to marketing firms. The marketing firms in turn hire young, attractive teenagers to pose in "casual" pictures with their products in the background for easy product placement delivery to millions of people via facebook, or the more amateur ones start spamming websites and other facebook pages on them. As of right now, there's no way for a page owner to profit from their page directly via facebook, so all of the money is third party. Usually at the end of the line most [90%] of pages that get over 100k likes will end up in either an indian facebook page guild, American hijacking guilds [which are usually just a bunch of 13-25 year olds hijacking pages to fuck with people and turn a buck] or corporate marketing firms. Why resort to letters from dead kids? because some people, like a friend of mine in california, were living on one meal a day in a shitty apartment, and if selling a one million like page can net them thirty grand from a millionaire in dubai, by jove they will do what they can to get their hands on the money.
This is something that happens on a daily basis and a commenter by the username of iflscience helped to back up Fate's statement:
As the owner of a page with 2.3 million fans, I can absolutely say that you are completely and utterly 100% right. I get attempts to phish and hack us every single day. Some are as subtle as a battering ram, some are quite clever. We get messages in the inbox from "facebook security" telling us we've been reported for breaking t&cs and the only way to not lose our page is to "verify" the page using an app, I get messages from "Mark Zuckerberg" saying the same thing. I once got a message saying "I've noticed you get lots of requests to change your name - you probably think you can't, but you can! Check out this website!" I had a look - they asked for my email address, page URL, and Facebook PASSWORD. Sadly, people are actually dumb enough to fall for this shit.
Now, if you have a smaller account or Facebook page, chances are hijackers aren't trying to get access to it in order to grow it and eventually sell it off. However, someone may be connected to you who does have a large account and so now it's all about compromising many of your connections.
Keeping your social media accounts secure is a pretty easy task. Unfortunately, most people suck at it.
Here are some tips to keep your social media accounts from ever getting hacked
When it comes to Facebook and Twitter, the first tip is quite simple: Don't click anything that looks suspicious. Links in @ replies, direct messages, Facebook messages, in your news feed, and so on. Also, don't connect to any apps that you're not sure about. There are many rogue apps out there and connecting to the wrong app can give it a wealth of information and ability to do a number of things with your account.
Secondly, use a very strong password. In this day and age there is absolutely no reason to not be using a different password for each social network. Thanks to awesome (and free!) tools like LastPass, you don't ever have to worry about remembering passwords again. I highly recommend LastPass which encrypts all your passwords for safe keeping and allows you to autofill or automatically login to sites without having to type anything.
While LastPass generates strong passwords, I like to take it to the next level by using this free tool. It automatically generates a number of highly secure passwords each time you load the page. Scroll down to "63 printable ASCII characters hashed down to 256 binary bits" and you've got one badass password.
Thirdly, always use an HTTPS secure connection, especially on public WiFi. Fortunately, a secure connection is standard on most social networks so this isn't too much of a worry.
Fourth, take advantage of two factor authentication if possible. Two factor authentication makes it so it's pretty much impossible for anyone other than yourself to access an account. For example, when you login from a new location, you not only have to enter your username and password like you normally would, but also have to enter a code that's sent to your smartphone.
Google has two factor authentication which you can learn more about here and Facebook has the awesome feature as well. Twitter definitely needs it and they're working on it, although there's no ETA on when it'll be rolling out.
Lastly, if you see someone's account compromised, be a good samaritan. Nobody ever wants this kind of thing to happen, but it often does. Send them a message, an email or if you have their phone number, give them a call or shoot a text so they can fix the problem right away.