Twitter & Facebook Security Issues
July 17, 2009 at 2:22 pm #75982
From CSO online:
5 Facebook, Twitter Scams to Avoid
From phishing scams that play to your curiosity, to criminals posing as friends to steal your money, here are the latest ways scam artists are using social networks to con you
by Joan Goodchild, Senior Editor, CSO
July 13, 2009
According to research recently conducted by security firm Webroot, approximately three in ten social network users have experienced some form of a security attack, such as a virus infection or a phishing scam, on a social network in the last year. As the popularity of these social networks explodes, and more organizations ease restrictions among employees (See: Security Pros Warm to Web 2.0 Access), they become more attractive for criminals seeking access to private information that can be used for profit. CSO asked two social network security experts for some of the latest scams found on Facebook and Twitter, and how to recognize and avoid them (For more tips to stay safe see: Seven Deadly Sins of Social Networking).
Secret details about Michael Jackson’s death!
Celebrity news will always be used in criminal ploys because scammers know that many people love gossip. The recent death of Michael Jackson is already spawning bad emails that contain malware in their attachments, according to several security firms, including Sophos. Graham Cluley, senior technology consultant with Sophos, predicted immediately following Jackson’s death that cyber criminals would soon start to take advantage of the news to pull off scams.
Typically, malicious Facebook and Twitter messages relating to celebrity news contain links that claim to have “secret” information. In the case of Jackson, Cluley said he has heard some of the lures include promises of songs by the King of Pop that have never been heard before or new details and pictures of Jackson’s death. However, the link to the information then typically prompts the user to download an update of Adobe Flash. Of course, instead of an update, users end up with a bot Trojan or other piece of malware installed secretly on their computer.
“Perhaps one of the most famous of these is Koobface,” said Cluley. “There have been many iterations of that designed to steal information from your computer. Once they have compromised your computer, they can use it to send spam, install spyware, steal your identity, or launch a denial of service attack.”
The Jackson death is only one example, said Cluley. Past celebrity scams that have used this ploy included one that had the headline “Paris Hilton tosses dwarf on street.”
I’m trapped in Paris! Please send money.
CSO reported details of this scam, often called a 419 scheme, several months ago (See: 9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines). But it continues to make the rounds on Facebook, according to Cluley, and fools unsuspecting users.
It goes like this: You are on Facebook, when a “friend” uses the Facebook chat feature to send you an instant message. Sometimes it might be a message in your inbox. Either way, the “friend” informs you that they are trapped in some foreign country and have been robbed or have lost their wallet through some other unfortunate incident. They need you to wire money quickly to help them get home. However, on the other end is a person posing as your “friend” who has hacked into your actual friend’s account.
This scam is really just a new version of the old email trick that informs a recipient they have “inherited millions,” according to Cluley.
“The emails often say something like ‘Just give us your bank account details and we will deposit the money,’” he said.
But in this particular Facebook ruse, the idea is to get you to assume it is someone you know and trust on the other end of the IM so you will wire money quickly to help them out.
“People tend to be more relaxed about communications with friends on social networks,” noted Cluley. “Also, the scammer can use other information from your profile, such as your wife’s name or your children’s names, to make it seem more legitimate.”
Cluley recently blogged about a friend who was contacted by a scammer looking for money with this tactic. Fortunately, Cluley’s friend was clever enough to recognize the scam and managed to trick the criminal into visiting a personal web site he maintains and ultimately captured his IP address. It turns out, as predicted, the person on the other end was at a computer in Nigeria, not Paris.
Sean Sullivan, a security advisor in the F-Secure Corp. security labs, said most of these attacks are the result of a compromised username and password. Sullivan recently criticized Facebook for their security questions protocol, which he thinks uses outdated questions such as mother’s maiden name, and said he thinks they should consider having users choose their own security questions.
“Perhaps when the college kids that created Facebook designed it, they never thought anyone would be able to guess their father’s name,” said Sullivan. “But I actually have my father in my network. It wouldn’t be too hard to figure that out.”
OMG! Did you see this picture of you?
Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user’s interest and then directs them to a fake login screen. Typically, the user receives a message, such as “Did you see this picture?” with a link also included. The user clicks the link, and it prompts them to enter log-in credentials on a fake log in screen.
On Facebook, for example, members might receive a message in their inbox, or a message on their wall, that directs them to another site which looks identical to the Facebook log-in page. Just last week, Twitter users recently began receiving tweets that asked “OMG! Is it true what they said about you in this blog?” The link directed the user to a screen that looked just like the Twitter log-in page, but was instead a phishing site. Of course, once you’ve entered your user name and password into one of these fake sites, the criminals engineering the con have easy access to your account. Sullivan said another recent version of this scheme included messages requesting users update account information, which then took them to fake log-in screens.
This is a classic phishing ploy, according to Cluley. Hackers may be looking for your account information in order to send spam, or pose as you in order to pull off a 419 scam like the one mentioned above. In order to avoid having this happen, make sure you check the URL before entering your log-in information. If your browser bar says anything other than Facebook.com or Twitter.com, leave the site immediately.
The other potential in this scam is spyware infection, said Cluley. The tiny URL function makes this even easier for scammers because you can’t see the link you are clicking.
“You click on a link that is infected with spyware, and it can steal credentials, bank information, all kinds of useful information about the different accounts you may have,” he said.
Bottom line: If a link or a message seems suspicious, click at your own risk.
Test your IQ
Facebook members who recently decided to use an application that offered an IQ test were unpleasantly surprised to learn they had unwittingly also subscribed to a text messaging service that cost approximately $30 a month.
The IQ test looked like most other Facebook applications. But once the test had been completed, users were asked for their cell phone number in order to receive results. However, by handing over their number, they were also enrolled in the text messaging service. The terms of the service were in fine print that many claimed was nearly impossible to notice.
This is just one of many examples of scams that take advantage of the “applications” feature on Facebook, said Sullivan, who advises users to be wary of all of the applications on Facebook and says he rarely uses them himself. In order to use a Facebook application, which often includes fun quizzes such as “Test your 1980s trivia,” you must allow the application to have access to information in your profile. The privacy issue is just one risk, said Sullivan. In some cases, the applications download malware onto your computer.
“There was an application that was going around that was spamming people internally,” said Sullivan. “In other instances, malware authors are looking for banking passwords, any kind of password.”
Join State University’s Class of 2013 Facebook group
A college guide book publisher called College Prowler was recently criticized for creating Facebook communities for students in the class of 2013 that appeared to be organized by their college or university. A recruiter with the admissions department at Butler University uncovered the ruse when he found a Class of 2013 page for Butler University on the site, but no one at Butler knew who had created it.
The recruiter, Brad Ward, blogged about the find and said pages had been created for many major universities around the country, including the University of Michigan, Cornell University, Duke University and Northwestern University. According to Ward, none appeared to have been created by anyone with legitimate ties to the class of 2013 at any of the schools.
Invites to Facebook groups run the gamut from alumni groups to groups with common interests in sports or hobbies. But if you don’t know the person inviting you, it may be best to ignore it. Other instances of fake groups have included invitations that prompt users to install certain applications in order to “chat” with other members, but instead install malware. In some instances, unwanted products, such as toolbars, have been installed onto the user’s computer after the person joined a group.
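The article’s “check the address bar” advice is easy to get wrong if you just look for the word “facebook” somewhere in the link. The following is an added example, not part of the CSO article or either expert’s material, that shows what a proper host check looks like: it parses the URL, ignores the `user@` and `:port` parts, and accepts only facebook.com / twitter.com or their subdomains, so look-alikes such as `facebook.com.evil.example` are rejected. The sample links and the shortener list are constructed for the example.

```python
# Added example (not from the CSO article): a defender-side check behind the
# advice "look at the address bar before entering credentials". It tests
# whether a URL's host really is facebook.com / twitter.com or a subdomain
# of one of them, rather than a look-alike that merely *contains* the name.
from urllib.parse import urlsplit

# Hosts the article names as the only legitimate places to log in.
LEGITIMATE_LOGIN_DOMAINS = {"facebook.com", "twitter.com"}

# Constructed list of URL shorteners; the article notes that a shortened link
# hides its destination, so it can only be judged after it has been expanded.
KNOWN_SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly"}


def registered_host(url: str) -> str:
    """Return the lower-cased hostname of a URL, ignoring user:pass@ and :port.

    http://facebook.com@evil.example/ has the hostname evil.example: everything
    before the '@' is userinfo, not the site the browser is talking to.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def is_subdomain_of(host: str, domain: str) -> bool:
    """True if host equals domain or ends with '.' + domain (label-aligned)."""
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str) -> str:
    """Classify a link as 'legitimate', 'shortened' or 'suspicious'."""
    host = registered_host(url)
    if any(is_subdomain_of(host, d) for d in LEGITIMATE_LOGIN_DOMAINS):
        return "legitimate"   # facebook.com, www.facebook.com, login.twitter.com
    if any(is_subdomain_of(host, d) for d in KNOWN_SHORTENER_DOMAINS):
        return "shortened"    # destination unknown until the short link is expanded
    return "suspicious"       # facebook.com.evil.example, faceb00k.com, userinfo tricks


if __name__ == "__main__":
    # Constructed sample links, modelled on the lures the article describes.
    for link in [
        "https://www.facebook.com/login.php",
        "http://facebook.com.evil.example/login.php",  # prefix look-alike
        "http://facebook.com@evil.example/",           # userinfo trick
        "http://twitter.com:8080/account/resend_password",
        "http://tinyurl.com/constructed-example",
    ]:
        print(f"{classify_login_url(link):<11} {link}")
```

A “shortened” result is not a verdict either way; the link has to be expanded (or avoided) before the same host check can be applied to the real destination.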
July 17, 2009 at 3:04 pm #75984
Funny you should post, because interestingly I find GovLoop to have its own security concerns for me. Namely that anyone can join and there is no protection (to my knowledge) on seeing the friend/connection lists on the site. Although in some respects GovLoop “Friends” are a bit like Twitter – more “followers” perhaps than true connections, it still seems like a bit of a concern from a social engineering/hacking perspective.
It would not be difficult for someone to take a picture off another site (Twitter, Facebook, etc.) and create a GovLoop account of someone and “friend” people and use that fake profile to gain information.
Not saying it will happen, just that the security isn’t in place in GovLoop to prevent it from happening. As a “Good Contractor” I would hate to see the site shut off to contractors, but on the other hand perhaps GovLoop should consider restrictions to .gov, .mil, and such. Or Facebook-style restrictions to see friends lists?
I think to some extent Twitter is “more secure” because it’s all public and people are not likely to share non-public info on it (well, in theory) and Facebook at least has some validation of your friends through email and some security/privacy settings.