Sophos has discovered a scam hitting the Video Calling feature added to Facebook last week. Chester Wisniewski, senior security advisor at Sophos Canada, details the ploy on the company’s Naked Security blog.

Rather than taking advantage of a loophole in the application, the scammers have preyed on Facebook’s failure to call the system Video Chat, which is certainly overused and possibly someone’s copyright.

Permission To Scam And Spam

The trick works by sending Facebook users an offer to join “Video Chat and Phone”, which many people have taken to be the official Skype-driven service. Because they think it is an official application, the victims happily click on a dialog box that asks for permission to access their posts, friends and other personal details, and to write messages to their walls.

In the rush to get involved with the video revolution, the users fail to ask a simple question – why would Facebook ask for permission when it already has access to all this information? It is not in Facebook’s nature to ask permission.

Wisniewski points out that the permission requested is for anytime access: “Strange, if it were a video calling app it would presumably only need to access my data when I am using it, right?” he wrote.

“Fortunately, aside from being a better social engineering trick than many Facebook scams,” he said, “this one simply spams your friends and leads you to the ubiquitous surveys to fill out and generate referral fees for the criminals.”

Wisniewski advises that any wall post from a friend saying “Enable video calls” should be ignored. The recipient should also contact the sender to tell them that they have been scammed and that they should shut off the Video Chat app.

Sophos is watching the video facility with caution and Paul Ducklin, Sophos’s head of technology for Asia Pacific, has also warned of possible scams in a separate blog.

Wisniewski concludes: “I am sure this won’t be the last scam targeting folks who wish to use Facebook’s new service. Never download executables or other content proclaiming to enable the service.”

Scam dialog

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative
