Post 2: Facebook Scam & Spam
Here’s the next installment of our social networking rescue kit. It’s important to look out for some of the less obvious techniques being used to get access to your personal information. Here are a few that you might not already know about, but that can be just as destructive as the scams we listed in our first article on this topic.
Self-XSS Copy/Paste Attacks
What it is: The attacker tricks the user into copying and pasting malicious code into the address bar of their browser and then executing it. It can appear as text that the user has to select, copy and paste; a button that copies hidden script to the clipboard; a Flash movie that copies script to the clipboard when played; a step-by-step video on YouTube that tells you how to copy the malicious script; or a similar ruse.
What it does: This malicious JavaScript code, once executed, leads to spam being unwittingly posted on behalf of the account owner.
What’s the point? The attacker wants to post bait messages on the user’s timeline or post comments to other status updates on the user’s timeline, and send chat messages and event invites to the user’s friends.
How Facebook is protecting users: Facebook imposed a restriction on the number of actions that can be taken by a single account during a specified period of time to limit the effect of this type of attack. The company has also added back-end detection of automated messages that – when detected – lead to the user being automatically logged out of their account. The next time the user logs in, a help window pops up, alerting the user to the prohibited activity.
Recommendations: Never copy and paste unknown scripts into the address bar of your browser even if the message comes from a friend. If you know the web site you want to visit, type the URL in yourself – it won’t take long and it’ll save you hassle in the long run.
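The countermeasures described above (a cap on actions per account per time window, plus detection of automated, repeated messages that ends the session) can be sketched as a small piece of back-end logic. This is an added illustration, not Facebook’s code; the thresholds, the verdict strings and the sample action stream are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not Facebook's real thresholds):
# more than MAX_ACTIONS actions inside WINDOW_SECONDS, or a run of
# near-identical messages, is treated as automated behaviour.
MAX_ACTIONS = 5
WINDOW_SECONDS = 60
DUPLICATE_RUN = 3

@dataclass
class AccountState:
    times: deque = field(default_factory=deque)         # timestamps inside the window
    recent_texts: deque = field(default_factory=deque)  # last few normalised texts
    logged_out: bool = False

def normalize(text):
    """Collapse case and whitespace so trivially varied spam still matches."""
    return " ".join(text.lower().split())

def record_action(state, ts, text):
    """Record one post/comment/chat action (ts in seconds, non-decreasing); return a verdict."""
    if state.logged_out:
        return "blocked"
    state.times.append(ts)
    while ts - state.times[0] > WINDOW_SECONDS:      # slide the window forward
        state.times.popleft()
    state.recent_texts.append(normalize(text))
    if len(state.recent_texts) > DUPLICATE_RUN:
        state.recent_texts.popleft()
    if len(state.times) > MAX_ACTIONS:
        state.logged_out = True                       # forced logout, as described above
        return "rate-limited: session terminated"
    if len(state.recent_texts) == DUPLICATE_RUN and len(set(state.recent_texts)) == 1:
        state.logged_out = True
        return "automation suspected: session terminated"
    return "ok"

def replay(actions):
    """Replay a (timestamp, text) stream for one account and return the verdicts."""
    state = AccountState()
    return [record_action(state, ts, text) for ts, text in actions]

# Constructed sample: a pasted script firing the same bait comment in quick succession
SELF_XSS_BURST = [(0, "lol check this out"), (1, "LOL check this out"),
                  (2, "lol  check this out"), (3, "lol check this out")]

if __name__ == "__main__":
    print(replay(SELF_XSS_BURST))
```

A genuine user posting a few distinct messages over several minutes never trips either check, which is what makes the forced logout a low-cost signal for the account owner.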
Tag Spam
What it is: Someone uploads an advertisement or photo and then tags a bunch of people at random.
What it does: If users’ settings allow for notifications when they’re tagged, they’ll receive an email which will prompt them to take a look at the image. The people who are tagged and their friends then click on the tag and are directed to the spammy message.
What’s the point? The advertiser gets their message heard, potentially earning cash from clicks on a destination website.
How Facebook is protecting users: Education. Education. Education.
Recommendation: Review your tag settings and make sure only your friends can tag you. If you repeatedly receive spammy tags, block the user.
Phishing
What it is: A fake message that tells you your Facebook account is suspended, or that you have a friend request pending. When you click on the link, it takes you to a fake login page where you enter your account information. Attackers might also set up fake Facebook subpages or send you videos from “friends” that require you to submit your login information before you are given access to the content.
What it does: The fake login page records your user ID and password and then uses it to gain unlimited access to your account.
What’s the point? Unlimited access to your account and possible insight into your passwords for other online activity like banking. You may be astonished to realize how many people use the same passwords for various social networking, email and banking websites – so if the bad guys get hold of one password that fits all, you’ve basically given them the keys to your house.
How Facebook is protecting users: Facebook is increasing its communications around potential dangers on the site, and working hard to make sure users know to be wary of emails claiming to be from Facebook. They’ve set up a Facebook myths page to remind users that a Facebook app or message will never ask you to log in or provide personal information.
Recommendation: Always be careful when clicking on links received in messages, especially if the message has a sensational tone to it. You should only enter your account information on the official login page, only accept friend requests on the appropriate page when you’re already logged in, and never provide personal details if these are requested as a consequence of your liking a status update or installing an app. Check the Facebook myths page at https://www.facebook.com/help/myths for more details.
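The “only enter your account information on the official login page” advice comes down to one check: which host does the link actually land on? The added example below (not from the original post) shows that check and goes slightly beyond the text by covering the common look-alike forms a fake-login link takes. The list of official hosts and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the official login page is served only from
# these hosts, over HTTPS. Adjust the set for the real site you are protecting.
OFFICIAL_HOSTS = frozenset({"facebook.com", "www.facebook.com", "m.facebook.com"})

def is_official_login_link(url):
    """Return True only if the link really lands on an official host over HTTPS.

    urlsplit().hostname strips any user@ prefix and :port and lowercases the
    name, so a brand name placed in the userinfo, the path, the query, or as a
    subdomain of some other domain does not pass; neither does plain http://.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or parts.hostname is None:
        return False
    return parts.hostname in OFFICIAL_HOSTS

def triage_links(urls):
    """Label each link in a message so the reader sees where it really goes."""
    return {u: ("official" if is_official_login_link(u) else "do not enter credentials")
            for u in urls}

# Constructed sample links of the kind a "your account is suspended" message carries;
# .example is a reserved domain, so none of these resolve anywhere.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",
    "https://WWW.Facebook.com/login.php",
    "http://www.facebook.com/login",
    "https://www.facebook.com.account-check.example/login",
    "https://account-check.example/www.facebook.com/login",
    "https://www.facebook.com@account-check.example/login",
]

if __name__ == "__main__":
    for link, verdict in triage_links(SAMPLE_LINKS).items():
        print(f"{verdict:24} {link}")
```

Only the first two sample links pass; every other one puts the brand name somewhere other than the host, which is exactly what a glance at the address bar should catch.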
Hoaxes
What it is: A fake message passed around Facebook meant to alienate users or instill fear. The stories are generally exaggerated rumors, and users are asked to forward these messages to their friends.
What it does: Attackers use these fake messages to generate traffic for a spam site, or simply to troll other users.
What’s the point? Aside from earning cash from traffic that is drawn to their spam site, it’s possible the attacker simply takes pleasure in irritating other users and creating hysteria around their version of fiction.
How Facebook is protecting users: The Facebook myths page provides some help on how to spot these hoaxes, and to reaffirm what is and isn’t legitimate when it comes to apps, status updates and messages.
Recommendation: Look at each message you receive with skepticism and refrain from reposting them to your profile unless you can find proof the concerns raised are legitimate. It’s also worth taking a look at www.facebook.com/help/myths to make sure you understand what to look out for.
Be Your Own Security
Facebook is working hard to combat cybercriminals at every turn, but that doesn’t mean everyone should forget their senses. Users need to take responsibility to protect their information. Luckily, you don’t have to write code or be a first-rate detective, you just need a little information and common sense.
If you’ve been the victim of one of these scams, remove the offending material or uninstall the application, change your passwords, and alert Facebook to your misfortune – there’s a “Report” button for a reason!
To protect yourself from future attacks, make sure your settings protect as much of your privacy as possible. Don’t rely on Facebook’s default settings; you will have to access each feature through the Menu and manually change each one to make sure you’re not sharing more than you want. With regard to pictures, posts, tagging, and other interactions, you should restrict viewing and tagging to Friends. You can use the “Custom” option if you want more granular control over which friends can see what.
“How you connect” controls who can search for you and who can send you messages, and the “Applications and Websites” feature controls what the applications your friends install can see about you. To maintain tight security on your information and to protect your account on open networks such as wifi hotspots, Symantec recommends that you disable the “shared” feature.
You will also want to turn on “Secure Browsing” (it’s off by default) and consider the login approvals and notifications that Facebook offers. A login notification sends you an email if your user ID is ever accessed on an unrecognized computer, and the login approval sends you a text message if the same occurs. The only difference is that if you enable the login approval, you will need to use the confirmation code in the text message to gain access to your account.
Our last piece of advice for preventing future attacks is to use strong passwords that include capitalization, alphanumeric characters and punctuation, and refrain from using them across multiple platforms. If you enable a security question as part of your login process, record an answer that has nothing to do with the question. And then make sure you remember it.
Facebook and other social networking sites can be great fun – and they’re rapidly becoming powerful and important tools in modern communications, but it’s up to the user to make sure they’re used appropriately.