As the most popular social network of the moment, with impressive growth over the last year, Facebook has lately become the scene of complex social engineering attacks, aggressive spam, and massive malware distribution. This paper presents an overview of the phishing, spam, and other social engineering attacks against Facebook identified over the last year. In addition, we explain how users' private data are exposed as a result of social gaming. In the last part of the paper, we conduct an experiment that illustrates how carelessly users rush to add unknown friends to their profiles, join unknown groups, or become fans of hazardous pages.
According to the statistics presented on its own site (http://www.facebook.com/press/info.php?statistics), Facebook had more than 350 million active users worldwide in January 2010, exceeding the population of the United States and representing 5.14% of the world population and 20.18% of the world's internet users (http://www.internetworldstats.com/stats.htm). In addition, more than 700,000 businesses have a page on Facebook. With such a large number of users drawn from both segments, private users and businesses, we can certainly say that Facebook is the ideal location for an attacker to plan a social engineering scheme.
Our workshop on spam at the Spam Conference focused on analysing the threats associated with social networks, at a time when it was difficult to identify dangerous attacks within the Facebook network, or even to find samples of simple attacks. Today we can easily identify spam campaigns, malware with multiple variants targeting Facebook users (KoobFace), phishing campaigns for collecting Facebook accounts, and fake donation scams exploiting disasters such as the Haiti earthquake.