Posts promising gruesome footage of a roller coaster accident at Universal Studios in Florida in which 16 people supposedly died are spreading fast on the social network – with victims fooled into spreading the scam to their friends.
Several versions of the roller coaster accident scam email are circulating, according to security expert Graham Cluley – and as ever with this form of scam, there has been no accident, there is no video, and victims are lured to pages outside Facebook where they are tricked into divulging passwords.
There are several variations of the text circulating via Facebook at present. One says, according to About.com “Fox Breaking News – 16 people are confirmed dead in a roller coaster accident that occurred at Universal Studios in Florida. The roller coaster appeared to have suffered a mechanical breakdown, causing it to veer off the tracks in mid-air, plummeting all 24 passengers into the ground. Currently there are 8 listed in critical condition in an Orlando hospital. CCTV Footage of the incident has been uploaded to the Fox News team. Watch footage of the accident here.”
Veteran security researcher and writer Graham Cluley describes several variations on the scam – a common trick on Facebook.
“Here’s what happens if you are tricked into clicking on one of the links, believing that you are about to see the video of what appears to be a horrific accident. Firstly, a rogue application requests permission to access your profile in order to scoop up information about you and your friends. In this particular example the app claims to be called “FOXS NEWS(Version 1.2)”, in a clear (albeit grammatically incorrect) attempt to deceive users into believing that it is somehow connected to a well-known media outlet.”
Cluley warns that if you grant the wrong permissions, the app will be able to post messages in your name. This is why such scams are effective – if someone sees that a message has come from a friend, they are more likely to open it, and thus fall victim themselves.
Such scams are common – usually with the goal of stealing Facebook logins, or other information for identity theft attacks. This month, a post promising a video of a plane landing on water was circulating on Facebook, with a title suggesting that it contained news footage showing the rescue of passengers on board the missing Malaysia Airlines flight MH370 – but the video is a ‘callous’ cyber scam, according to Hoax-Slayer, and in fact shows a plane landing on water in Bali in 2013.
IT Pro Portal reports that one variant of the scam is a ‘video’ titled, “Malaysia Plane MH370 Has Been Spotted Somewhere Near Bermuda Triangle. Shocking Videos Release Today”, and that the video is being used to spread malware. Other reports say that variants of the scam are used to direct users to spread the video via Facebook, and complete bogus surveys, used by cybercriminals to harvest personal details from their victims.
IT Pro Portal points out that the Bermuda Triangle is 10,000 miles from the last point of contact with the flight.
The Epoch Times reports that the images show a plane crash near Bali in Indonesia in 2013, where 100 passengers were rescued after a plane landed on water. In all reported variants of the scam, there is no video to click through to – just surveys designed to steal personal information, or bogus downloads which are in fact malware.
Scammers often target Facebook with copies of viral content – or entirely fake, sensational videos, such as ‘Giant Snake Swallows Zookeeper’, as reported by We Live Security this year.
ESET researcher Stephen Cobb offers a We Live Security Guide to spotting Facebook scams, “Can we trust our friends not to make questionable decisions on social media? Apparently not, because our friends might actually be scammers in disguise, or just not well-informed.”
In many cases, scam videos will install a ‘rogue’ Facebook app to spread rapidly via the network – but as reported by We Live Security here, such scams can, in the worst case scenario, lead to tainted sites which infect users with malware.
Author Rob Waugh, We Live Security