Social Media Blog

Sharing Information & Knowledge

Facebook changes privacy settings for millions of users – facial recognition is enabled

When Facebook revealed last year it was introducing facial recognition technology to help users tag their friends in photographs, they gave the functionality to North American users only.

Most of the rest of us found the option in our privacy settings was “not yet available”, which meant we could neither enable nor disable it. We simply had to wait until Facebook decided to roll it out to our account.

Well, now might be a good time to check your Facebook privacy settings as many Facebook users are reporting that the site has enabled the option in the last few days without giving users any notice.

There are billions of photographs on Facebook’s servers. As your Facebook friends upload their albums, Facebook will try to determine if any of the pictures look like you. And if they find what they believe to be a match, they may well urge one of your Facebook friends to tag it with your name.

The tagging is still done by your friends, not by Facebook, but rather creepily Facebook is now pushing your friends to go ahead and tag you.

Remember, Facebook does not give you any right to pre-approve tags. Instead the onus is on you to untag yourself in any photo a friend has tagged you in. After the fact.

If this is something you’re uncomfortable with, disable “Suggest photos of me to friends” now.

Here’s how you do it.

* Go to your Facebook account’s privacy settings.

* Click on “Customise settings”.

* Under “Things others share” you should see an option titled “Suggest photos of me to friends. When photos look like me, suggest my name”.

* Unfortunately, at this point you can’t tell whether Facebook has enabled the setting or not; you have to dig deeper.

* Click on “Edit settings”.

Facebook privacy setting

* If Facebook has enabled auto-suggestion of photo tags you will find the option says “Enabled”.

Facebook privacy setting

* Change it to “Disabled” if you don’t want Facebook to work that way.

* Press “OK”.

Earlier this year, Sophos wrote an open letter to Facebook. Amongst other things, we asked for “privacy by default” – meaning that there should be no more sharing of information without users’ express agreement (OPT-IN).

Unfortunately, once again, Facebook seems to be sharing personal information by default. Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission.

Most Facebook users still don’t know how to set their privacy options safely, finding the whole system confusing. It’s even harder though to keep control when Facebook changes the settings without your knowledge.

The onus should not be on Facebook users having to “opt-out” of the facial recognition feature, but instead on users having to “opt-in”.

Yet again, it feels like Facebook is eroding the online privacy of its users by stealth.

You should also take some time to read our step-by-step advice on how best to configure your Facebook privacy settings.

Source :- http://nakedsecurity.sophos.com

Free Tube Hub hot sexy girls links spread virally on Facebook

Beware the back booty!

There’s a huge trend right now for scams to spread across Facebook, using various alluring topics to get you to click.

Ask yourself this. Would you be in the market for a website which offers daily updated awesome movies of the hottest sexy girls?

If so, you’re a prime candidate to fall for the latest scam spreading rapidly across Facebook using an image of a woman with a large bottom and a minuscule bikini.

Free Tube Hub

Damn, just found new tube site - a lot of awesome movies there!

Free Tube Hub - Your Daily Source of Updated Tube Movies!
[LINK]

Fine tube hub is the awesome collection of best tube videos, free movies and streaming Clips. Our hub brings free full length videos with most hottest sexy girls :P

Don’t make the mistake of clicking before you think, or you could be helping this one spread across the social network.

This attack is spreading very rapidly right now – so think with your brains, not with the contents of your trousers.

And if you did fall for the attack, make sure to clean it off your wall before you pass it onto your other Facebook friends. Use this as a lesson for the future.

Source :- http://nakedsecurity.sophos.com

How to stop your Gmail account being hacked

Original Post from Sophos. Author – Graham Cluley

As has been widely reported, high profile users of Gmail – including US government officials, reporters and political activists – have had their email accounts hacked.

This wasn’t a sophisticated attack against Google’s systems, but rather a cleverly-crafted HTML email which pointed to a Gmail phishing page.

Victims would believe that they had been sent an attachment, click on the link, and be greeted by what appeared to be Gmail’s login screen. Before you knew it, your Gmail username and password could be in the hands of unauthorised parties.

So, what steps should you take to reduce the chances of your Gmail account being hacked?

  1. Set up Two step verification
  2. Check if your Gmail messages are being forwarded without your permission
  3. Where is your Gmail account being accessed from?
  4. Choose a unique, hard-to-crack password
  5. Secure your computer
  6. Why are you using Gmail anyway?

1. Set up Two step verification

The hackers who broke into high profile Gmail accounts grabbed usernames and passwords. So, an obvious thing to do would be to make Gmail require an extra piece of information before allowing anybody to access your account.

Google provides a facility called “two step verification” to Gmail users, which provides that extra layer of security. It requires you to be able to access your mobile phone when you sign into your email account – as they will be sending you a magic “verification” number via SMS.

The advantage of this approach – which is similar to that done by many online banks – is that even if cybercriminals manage to steal your username and password, they won’t know what your magic number is because they don’t have your phone.

Google has made two step verification easy to set up.

Setting up 2 step verification

Once you’re set up, the next time you try to log into Gmail you’ll be asked for your magic number after entering your username and password. Your mobile phone should receive an SMS text message from Google containing your verification number.

Mobile phone receives verification number

Let’s just hope the bad guys don’t have access to your mobile phone too..

Here’s a video from Google where they explain two step verification in greater detail:

You can also learn more about two step verification on Google’s website.

By the way, note that two step verification doesn’t mean that your Gmail can’t ever be snooped on by remote hackers. They could, for instance, install spyware onto your computer which could monitor everything that appears on your screen. But it’s certainly a good additional level of security for your Gmail account, and one which will make life much more difficult for any cybercriminal who might be targeting you.

2. Check if your Gmail messages are being forwarded without your permission

Gmail gives you the ability to forward your emails to another email address. There are situations where this might be handy, of course, but it can also be used by hackers to secretly read the messages you receive.

Go into your Gmail account settings, and select the “Forwarding and POP/IMAP” tab.

If your emails are being forwarded to another address, then you will see something like the following:

Gmail forwarding

That’s fine if you authorised your emails to be forwarded to that email address, but a bad thing if you didn’t.

If your messages are not being forwarded you will see a screen more like this:

Gmail forwarding

Hackers want to break into your account not just to see what email you’ve received up until their break-in. Ideally, they would like to have ongoing access to your email, even if you change your password or enable two step verification. That’s why it’s so important to check that no-one has sneakily asked for all of your email to be forwarded to them.

3. Where is your Gmail account being accessed from?

At the bottom of each webpage on Gmail, you’ll see some small print which describes your last account activity. This is available to help you spot if someone has been accessing your account at unusual times of day (for instance, when you haven’t been using your computer) or from a different location.

Last account activity

Clicking on the “Details” option will take you to a webpage describing the type of access and the IP address of the computer which accessed your email account. Although some of this data may appear nerdy, it can be a helpful heads-up – especially if you spot that a computer from another country has been accessing your email.

IP addresses of computers accessing Gmail account
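
The same review can be scripted when you keep a copy of the activity list. The following is an added example, not part of the original Sophos post: the sample rows, the baseline values and the placeholder country code `XX` are constructed, and the row layout is an assumption rather than a format Gmail exports.

```python
import ipaddress
from datetime import datetime

# Constructed sample rows (not real data): access type, country, IP, local time.
ACTIVITY = [
    ("Browser", "GB", "198.51.100.23", "2011-06-03 09:14"),
    ("Mobile",  "GB", "198.51.100.77", "2011-06-03 18:40"),
    ("IMAP",    "GB", "198.51.100.23", "2011-06-04 03:12"),
    ("Browser", "XX", "203.0.113.9",   "2011-06-04 03:25"),
    ("POP3",    "XX", "203.0.113.9",   "2011-06-04 03:31"),
]

# Assumed baseline describing how the account owner normally reads mail.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
HOME_COUNTRIES = {"GB"}
EXPECTED_TYPES = {"Browser", "Mobile"}   # no mail client was ever configured
ACTIVE_HOURS = range(7, 24)              # owner is normally online 07:00-23:59


def review(rows):
    """Return (time, ip, reasons) for every row that departs from the baseline."""
    findings = []
    for access_type, country, ip, when in rows:
        reasons = []
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in KNOWN_NETWORKS):
            reasons.append("unfamiliar IP address")
        if country not in HOME_COUNTRIES:
            reasons.append("different country")
        if access_type not in EXPECTED_TYPES:
            reasons.append("unexpected access type " + access_type)
        if datetime.strptime(when, "%Y-%m-%d %H:%M").hour not in ACTIVE_HOURS:
            reasons.append("unusual time of day")
        if reasons:
            findings.append((when, ip, reasons))
    return findings


if __name__ == "__main__":
    for when, ip, reasons in review(ACTIVITY):
        print(when, ip, "; ".join(reasons))
```

A POP3 or IMAP entry you did not set up deserves the same attention as a foreign IP address, because a mail client keeps downloading messages without anyone visiting the login page.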

4. Choose a unique, hard-to-crack password

As we’ve explained before, you should never use the same username and password on multiple websites. It’s like having a skeleton key which opens every door – if they grab your password in one place they can try it in many other places.

Also, you should ensure that your password is not a dictionary word, and is suitably complex that it’s hard to break with a dictionary attack.

Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Don’t delay, be sensible and make your passwords more secure today

And once you’ve chosen a safer password – keep it safe! That means, don’t share it with anyone else and be very careful that you’re typing it into the real Gmail login screen, not a phishing site.

5. Secure your computer

It should go without saying, but this list would be unfinished without it. You need to properly secure your computer with up-to-date anti-virus software, security patches and so forth. If you don’t, you’re risking hackers planting malicious code on your computer which could spy upon you and, of course, your email.

You always want to be certain that your computer is in a decent state of health before you log into a sensitive online account, such as your email or bank account. That’s one of the reasons why I would always be very nervous about using a computer in a cybercafe or hotel lobby. You simply don’t know what state the computer is in, and who might have been using it before.

6. Why are you using Gmail anyway?

Okay, I don’t really mean that. But I do mean, why are you storing sensitive information in your Gmail account?

The news headlines claim that senior US political and military officials were being targeted by the hackers. Surely if they had confidential or sensitive data they shouldn’t have that in their webmail account? Shouldn’t that be on secure government and military systems instead?

Always think about the data you might be putting on your web email account – because if it’s only protected by a username and password that may actually be less security than your regular work email system provides.

TimeSpentHere rogue app spreads virally on Twitter

Original Post from Sophos. Author – Graham Cluley

Some Twitter users have fallen for yet another rogue application, tricking them into believing that they will discover how many hours they have spent tweeting their little hearts out.

WOW --> I have spent X hours on Twitter! See how much you have

A typical message reads:

WOW --> I have spent 38.1 hours on Twitter! See how much you have: [LINK]

If you are curious enough to click on the link, which – of course – you might do, seeing as it will appear as if one of your Twitter friends has posted it, then you will be asked to authorise a third party app’s request to access your Twitter account.

The app is called TimeSpentHere, and it can only cause a problem for you if you grant it permission to access your Twitter account. If you do, then it will be able to read your Tweets, post in your name, and even change your profile. I’m sure you can imagine the potential for abuse there.

Authorise TimeSpentHere rogue Twitter app

Of course, the very first thing it will do is post a tweet in your name, encouraging your Twitter followers to also click on the link:

Compromised Twitter account

Not that you’ll necessarily notice that, of course, as it posts the message silently, taking your browser to a webpage of the bad guys’ own creation.

When I tested the scam on a test account, the webpage was reluctant to tell me how many hours I had spent on Twitter (as you can see in the following graphic) but had no qualms in dreaming up an imaginary number to tweet in the hope that it could tempt unsuspecting onlookers.

Webpage created by rogue app developers

You’ll notice, however, that they do ask if I wouldn’t mind entering my email address “as a security precaution”. Well, I certainly do mind! And so should you.

Possibly this is an attempt to harvest email addresses, which could be used later for a phishing campaign or malware attack.

It could – of course – be weeks or months before the scammers use any information they grab for criminal purposes, but if you want to find out more follow me on Twitter, and I’ll let you know if there are any developments.

Rogue applications are popping up more and more on Twitter, whereas previously they were mostly seen only by Facebook users.

If you were unfortunate enough to grant a rogue application access to your Twitter account, revoke its rights immediately by going to the Twitter website and visiting Settings/Applications (it used to be called Settings/Connections but it seems that Twitter has changed it) and revoking the offending app’s rights.

Revoke access for rogue apps

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

Update: Del Harvey of Twitter’s security team has told me (in her own inimitable style) that the TimeSpentHere rogue application has now been killed off.

Graham Cluley (@gcluley): @delbius Details of another “Time spent on Twitter” rogue app: http://bit.ly/mdeNmL

I wonder how long until the next rogue app pops up on Twitter though..

Rihanna and Hayden Panettiere sex video spreads Mac malware on Facebook

Hot on the heels of an earlier Mac malware attack spreading via Facebook links, we are seeing another attempt to infect Mac users on the social network – with what claims to be a sex video of celebrities Rihanna and Hayden Panettiere.

If you see messages like the following on Facebook, please do not click on the links.

Hot Lesbian Video - Rihanna And Hayden Panettiere!!

one more stolen home porn video ;) Rihanna and Hayden Panettiere

Hot Lesbian Video - Rihanna And Hayden Panettiere!!
[LINK]

Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna!

For those who don’t follow such things, Hayden Panettiere played the part of the cheerleader in the sci-fi TV show “Heroes”, and Rihanna is a pop star famous for her umbrella-ella-ella.

Not that you’ll get to see much evidence of that if you click on the link as – on Apple Macs at least – you may find yourself ending up on a webpage which tries to infect you with malware in the form of a fake anti-virus attack.

Fake anti-virus attack on Mac

Has a private lesbian hot sex tape really been stolen from the home archive of Rihanna? Personally I think it’s unlikely, but it’s surprising what people will believe these days (and indeed, what celebrities will get up to) so it’s no wonder that some folks might click on the link.

SophosLabs is adding detection for the various components of this Mac malware attack as OSX/FakeAV-DWK, OSX/FakeAV-DWN, OSX/FakeAvDl-A and OSX/FakeAVZp-C. Users of Sophos products, including the free Mac anti-virus for home users, will be automatically updated.

Source :- http://nakedsecurity.sophos.com
