Image via CrunchBase

Facebook said Wednesday that it has stopped most of the spam that has flooded many users’ pages with pictures showing graphic sex and violence.

The social-networking company urged its 800 million-plus users to remain vigilant to keep their accounts from being hijacked.

Social-networking sites are popular targets for spammers because people are more likely to trust and share content that comes from their “friends.” This makes spam, scams and viruses easier to spread.

Although the way the latest spam messages spread isn’t new, their content – jarring violence and graphic pornography rather than links to get a free iPod shuffle – might have upset users more than usual. In recent days, they have complained on Twitter and their own Facebook pages.

Facebook said no user data or accounts were compromised during the attack.

The latest attack tricked users into pasting and malicious links into the address bars in their Web browsers. This exploited a browser vulnerability that caused them to unknowingly share the graphic content with their Facebook friends.

The content spreads further when the friends then click on these links, thinking that it was posted by the user on purpose.

The company said users should never cut and paste unknown code into a browser’s address bar. They should always use an up-to-date browser and report any suspicious content on the site.

Facebook did not immediately say which browsers were affected. Facebook said it built enforcement mechanisms to quickly shut down the malicious pages and accounts that attempt to exploit the vulnerability.

“Our team responded quickly and we have eliminated most of the spam caused by this attack,” Facebook said in a statement. “We are now working to improve our systems to better defend against similar attacks in the future.”

Facebook already scans links against security databases and blocks those known to lead to spam. But the company says spammers can get around those protections by tricking users into pasting harmful links directly into Web browsers.

The company says fewer than 5 percent of its users experience spam on a given day, and less than 4 percent of content shared on Facebook is spam.

Source :- http://www.huffingtonpost.com

Related articles

• Facebook warns of recent wave of spam (ctv.ca)
• Porn spam attack hits Facebook (independent.co.uk)

If an unauthorised party has logged into your Facebook account, then you’re far from alone.

New official statistics revealed by the social networking giant reveal that 0.06% of the more than billion logins that they have each day are compromised.

Put another way, that’s more than 600,000 per day – or, if you really like to make your mind melt, one every 140 milliseconds. (By comparison, a blink of the eye takes 300-400 milliseconds)

The statistic was revealed in an infographic published alongside an official Facebook blog post trumpeting new security features introduced by the firm.

The new security features include Trusted friends (called “Guardian angels” in the infographic).

Facebook says that you will be able to nominate three to five “trusted” friends who can help you if you have a problem accessing your account – if, for instance, someone else has changed its password and locked you out of your email account. The idea is that if you need to login to Facebook but can’t access your email account, Facebook will send codes to your friends that they can pass on to you.

(BTW, nice middle names you’re using there, Facebook)

None of your friends on their own has enough information to access your account, as they are only sent a single code. But, of course, if your “trusted” friends turned out to be untrustworthy and banded together they would – between them – be able to access your account. So you best be sure that you keep a close eye on who your trusted friends are (especially if you’re prone to falling out, or they think practical jokes are amusing), and be pretty confident that they are taking their own computer security seriously.

Oh, and it might be an idea to remind yourself what the word “friend” actually means, as history has shown that many Facebook users have a very different idea of what a “friend” is from the rest of the world.

Another thought occurs to me – if a bad guy has taken over your Facebook and email account, isn’t it likely that he will also change who your trusted friends are at the same time? Wouldn’t that make the whole security measure kinda pointless?

Another new announcement is App Passwords - meaning that you will no longer have to log into Facebook apps with the same credentials that you use for your Facebook account. It’s certainly a good idea not to use your Facebook password with anybody other than Facebook – so it’s good to hear that Facebook will be offering this new privacy option.

However, it’s not hard to predict that the only people who might use such a feature might be those who are already very aware of privacy issues, rather than the great unwashed majority on Facebook.

Facebook’s infographic is too long and thin to properly embed on the Naked Security site, so here’s a link to where you can download a version for yourself.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks.

Source :- http://nakedsecurity.sophos.com

Related articles

• Facebook Says 600,000 Accounts Compromised Per Day (mashable.com)
• 600,000 + Facebook Accounts Get Hacked Daily (escapistmagazine.com)

The death of Libyan dictator Colonel Gaddafi has almost inevitably resulted in cybercriminals taking advantage of the news story, and the general public’s seeming interest in viewing ghoulish photos and videos of his last moments.

Malicious hackers have spammed out an attack posing as pictures of Gaddafi’s death, tricking users into believing that they came from the AFP news agency and are being forwarded by a fellow internet user.

A typical message looks like this:

Subject: Fw: AFP Photo News: Bloody Photos: Libya dictator Moammar Gadhafi's Death

Message body:

Libya dictator Moammar Gadhafi's Death

Libyan dictator Moammar Gadhafi, the most wanted man in the world, has been killed, the country's rebel government claimed Oct. 20. The flamboyant tyrant who terrorized his country and much of the world during his 42 years of despotic rule was cornered by insurgents in the town of Sirte, where Gadhafi had been born and a stronghold of his supporters.

Attached file: Bloody Photos_Gadhafi_Death.rar

Windows computer users who decompress the attached file are putting their PCs at risk of infection. The RAR archive file creates a malicious file called:

Bloody Photos_Gadhafi_DeathGadhafi?rar.scr

Sophos anti-virus products detect the malware proactively as Mal/Behav-103.

Although there has been much speculation in the media about the possibility of Gaddafi-related malware attacks and scams, this is the first one that I’ve seen since the death of Gaddafi made news headlines around the world yesterday.

Internet users would be wise to remember to be very careful about the links they click on, and to be suspicious of unsolicited attachments.

Source :- http://nakedsecurity.sophos.com

Related articles

• Moammar Gadhafi Dead: Libya Prime Minister Says Gadhafi Has Been Killed [Video] (inquisitr.com)
• Gaddafi’s Body On Display In A Morgue (buzzfeed.com)

Image via CrunchBase

Police in Thailand have arrested a university student who is said to have admitted hacking into the Prime Minister’s Twitter account and posting messages accusing her of incompetence.

22-year-old Aekawit Thongdeeworakul, a fourth year architecture student at Chulalongkorn University, could face up to two years in prison if found guilty of illegally accessing computer systems without authorisation.

Thailand’s Prime Minister, Yingluck Shinawatra, had her Twitter account hacked last weekend – and her followers saw a stream of messages criticising her leadership.

The hacker’s final tweet read:

"If she can't even protect her own Twitter account, how can she protect the country?"

In bizarre scenes, Thongdeeworakul appeared before reporters at a hastily convened news conference in Bangkok, alongside ICT Minister Anudith Nakornthap.

The minister told members of the press that the alleged hacker believed his actions were innocent “as he didn’t realise it would be a big deal.”

According to the ICT minister, Thai Prime Minister Yingluck Shinawatra had her Gmail account hacked on September 30th by unknown people, and her password was disseminated across the computer underground.

From the sound of things, Ms Shinawatra was not following my advice onhow to stop your Gmail account being hacked.

Thongdeeworakul is said to have subsequently used the information to gain access to the prime minister’s Twitter account. The IP address used to access the account ultimately lead investigators back to Thongdeeworakul.

The architecture student remained silent at the press conference, shrouded by a baseball cap and dark sunglasses.

Remember folks – just because you can access someone else’s email, Facebook or Twitter account without the owner’s persmission doesn’t ever mean it’s an acceptable thing to do. In fact, it’s breaking the law and could lead to you getting in a lot of trouble.

Related articles

• Thai student Aekawit Thongdeeworakul arrested over alleged hacking of prime minister’s Twitter account (100gf.wordpress.com)
• Thai prime minister Twitter hack suspect charged (go.theregister.com)
• Arrest in Thai PM Twitter hacking (bbc.co.uk)
• Student ‘confesses’ to hacking Thai PM’s Twitter account (tphnewsfromtheworld.wordpress.com)

One of the most effective techniques anti-spam products have to block spam messages from reaching your inbox is reputation filtering.

Yes, to a degree, anti-spam solutions may still look for v1@gr@and Mrs. Gaddafi offering you $40 million, but the biggest bang for your buck comes from reputation.

What do you do if you are a spammer? Figure out a way to get a legitimate mail provider to deliver your messages for you…

Here is an example. You can see I have received six emails, all from “Picasa Web Albums” offering me some very spammy subjects. How do they do this? They are simply creating bogus accounts on Google Picasa, uploading a photo of their product, then “sharing” this photo with a personalized spammy message.

Even worse is the abuse of Yahoo! Groups. It has been standard practice for many years that mailing lists require you to confirm you want to subscribe.

Yahoo! Groups seems to have a mechanism built for the convenience of spammers, the ability to add anyone to a group without their permission. Here is an example invitation from a spammer:

Upon receiving something like this you might think you could safely ignore it and not be subscribed. Instead when you read the fine print it explains you are already subscribed to this group and you have to opt-out to not receive messages.

Every time the spammer wants to reach you he can now depend on Yahoo! to send his message, digitally sign it with DKIM, have valid SPF records and successfully evade reputation-based spam filters.

I’m not sure what Yahoo! or Google were thinking when they created systems that allow people to arbitrarily use their email systems to spam people, without any confirmation that the recipient is interested in communicating with the sender.

You can opt-out of receiving these messages, but you shouldn’t have to. To test this I clicked the link Yahoo! says will allow me to prevent future spams. I clicked it and got to a page that read:

“Sorry, that link has expired. We do this to prevent abuse.” 

Huh? I am the victim and you are preventing me from opting out of your ill thought policy? I tried again on a newer spam and was successful in opting out.

Oddly they make me confirm my decision not to let them spam me, very strange workflow here. I expect that Google and Yahoo! should seek our permission before allowing third parties to abuse their systems for sending spam.

Source :- http://nakedsecurity.sophos.com

Related articles

• Attack of the Spam (educlaytion.com)
• Censorship, Email and Politics (circleid.com)
• Our anti-spam initiatives (share.skype.com)
• More on Spam Comments (graphiclineweb.wordpress.com)

Will Facebook start charging due to the new profile changes?

No.

But don’t let the truth get in the way of a good old-fashioned chain letter, spreading like billy-o across the social network.

IT IS OFFICIAL. IT WAS EVEN ON THE NEWS. FACEBOOK WILL START CHARGING DUE TO THE NEW PROFILE CHANGES. IF YOU COPY THIS ON YOUR WALL YOUR ICON WILL TURN BLUE AND FACEBOOK WILL BE FREE FOR YOU. PLEASE PASS THIS MESSAGE ON, IF NOT YOUR ACCOUNT WILL BE DELETED IF YOU DO NOT PAY

It’s poppycock of course. Facebook doesn’t need to charge you to use Facebook, it’s making plenty of money already by allowing advertisers to reach its 800 million users.

It’s far from the first time that Facebook users have been duped by hoaxes and chain letters. For example, earlier this year, messages were spreadingthat because the social network had become too slow the site was considering deleting inactive accounts. Again, totally bogus.

Source :- http://nakedsecurity.sophos.com

Related articles

• Facebook to start charging? It’s poppycock! (nakedsecurity.sophos.com)
• ‘Facebook Charging’ Chain Letter Spreads (huffingtonpost.com)
• Facebook To Start Charging This Summer (femaleimagination.wordpress.com)
• Facebook price grid? $9.99 for gold membership? The charging hoax continues to spread (nakedsecurity.sophos.com)
• Facebook rumor false . (caribnewsnow.wordpress.com)
• No, Facebook Will Not Make You Pay to Get the New Profiles (mashable.com)

A hoax is spreading like wildfire on Facebook, claiming that hackers are posting pornographic movies on users’ walls which are invisible to the owners of the wall but are visible to friends and family.

You can imagine how that would be pretty embarrassing if it were true. Fortunately, it’s nonsense.

Here’s what a typical message looks like, spread by a Facebook user who thinks they are warning their friends – but really perpetuating the hoax.

ATTENTION FRIENDS! HACKERS ARE DOING DAMAGE AGAIN ON FACEBOOK! PORNOGRAPHIC MOVIES ARE BEING POSTED ON OUR BEHALF ON THE WALLS OF OUR PROFILES! WE DO NOT SEE THEM, BUT OTHER PEOPLE DO, AS IF IT WERE OUR PUBLICATION! SOMETIME EVEN OUR SUPPOSED Comments APPEARS. IF YOU SEE SUCH A THING IN MY HOMEPAGE, ALERT ME AND DO NOT OPEN IT BECAUSE IT IS A VIRUS! ...COPY AND RE POST THIS MESSAGE

The message is, of course, nonsense and users should not repost the warning.

We have not seen any evidence that hackers are able to post content to a compromised Facebook wall that the owner of the account cannot see.

The fact that the bogus warning tells you that it’s invisible to your eyes just adds to the panic, of course.

Yes, scammers have often posted thumbnails of what appear to be pornographic videos to compromised Facebook users’ walls, but we have never seen any incidents where the post was *invisible* to the user.

Although a hoax is nothing like as bad as a piece of malware squirming its way between users and stealing information, it’s still a nuisance, clogging up communications, increasing the overall level of spam and perhaps leading people to make bad decisions.

There’s an important lesson here – don’t believe everything you read on the internet, and think twice before you pass a story on to your friends.

Source :- http://nakedsecurity.sophos.com

Related articles

• Pornographic movies are being posted on our profiles! (Facebook hoax) (zdnet.com)
• Pornographic movies posted on Facebook walls? Hoax spreads like wildfire (nakedsecurity.sophos.com)
• Facebook ‘Girls Must Be Watch Out Of Her mind’ photo-tagging scam – the lessons to learn (blogoholic.in)
• Lady Gaga Death Rumor: A Giant Hoax (blogoholic.in)
• ‘May God always bless..’ Facebook virus hoax spreads (blogoholic.in)
• Invitation Facebook warning spreads Olympic torch virus hoax (nakedsecurity.sophos.com)

This weekend we saw another spate of Facebook messages claiming to link to a BBC News report of the death of Lady Gaga.

Of course, the claims are untrue – and Lady Gaga is still alive.

But that isn’t stopping Facebook scammers from creating money-making websites that claim that the eccentric pop star has been found dead in her hotel room, and tricking Facebook users into sharing the links.

BREAKING: Lady Gaga Found Dead in Hotel Room mjide35w
[LINK]
This is the most awful day in US history

You would think that the scammers would show a little more imagination – rather than using the same disguises time and time again. But, hey, if the scam is working for them – why change it?

Clicking on the link will take you a third-party website, posing as a BBC News online report, which attempts to trick you into clicking on what appears to be a video thumbnail.

In the above screenshot you can see that Sophos Anti-Virus (in this case, ourfree anti-virus for Mac users) has correctly warned about the webpage and prevented you from being clickjacked.

We’ve seen scams very much like this, many times before.

Facebook could do a much better job, in my opinion, at helping users avoid falling for tricks like this and clean-up a lot of the mischievous pages and dangerous links on its network.

For instance, a quick search of “Lady Gaga dead” finds a number of Facebook pages attempting to spread the rumour of the artist’s demise.

Some of which have clearly been created with a scam in mind, like this following clickjacking example:

Watch out if you try to play the video as this is a clickjacking scam which attempts to silently say you “Like” the page when you click with your mouse.

If you’ve been hit by scams like this, remove the messages and likes from your Facebook page – and warn your friends not to click on the offending links. Clearly, Facebook needs to work much harder to prevent attacks like this from reoccurring and spreading so rapidly.

Source :- http://nakedsecurity.sophos.com

Related articles

• Lady Gaga is still not dead – stop falling for Facebook scams (nakedsecurity.sophos.com)
• BREAKING: Lady Gaga Found Dead in Hotel Room (Facebook scam) (zdnet.com)
• Facebook Scammers Post Links To Fake Story About Lady Gaga’s Death (lezgetreal.com)
• Lady Gaga found dead in hotel room? Beware Facebook clickjacking scam (nakedsecurity.sophos.com)
• ‘Breaking: Lady Gaga Found Dead in Hotel Room’ scam spreading on Facebook (zdnet.com)
• Lady Gaga (happynesstips.wordpress.com)

A shocking video of a man in a wheelchair falling down an elevator shaft? Is that really what you want to watch?

Well, if it is, then you’re just the kind of person that a newly-discovered Facebook scam is looking for.

Messages on the social network have been seen like the following:

Man in wheelchair falls down the elevator shaft *SHOCKING VIDEO*
[LINK]
This Video is really shocking. a man in a wheelchair is falling down the elevator shaft.

If you’re curious enough to click on the link you are taking to a Facebook page which looks like it is about to show you a video.

But think twice about clicking on the play button! The webpage will take your mouse click and silently use it to say that you “Like” the page and share it with your friends.

As far as your friends can tell, you’ve just shared a link to a shocking video of a man in a wheelchair falling down an elevator shaft.

Those people who are running addons like NoScript (on Firefox) will see a page intercepting the clickjacking.

The point of the scam is to draw traffic to online surveys – which earn the scammers commission and, in some cases, tricks users into signing up for premium rate mobile phone services.

If you are hit by a scam like this you should remove the page from the list of pages that your Facebook profile likes. Remember to remove any other pages you don’t remember liking at the same time.

The Pages that you like are shown at the bottom of the Info tab, under Activities and Interests. You may have to click on “Other pages you like”.

Also, remove it from your newsfeed, reporting it as spam to Facebook, so that you no longer share the offending link with your friends.

If you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page - where more than 100,000 people regularly discuss the latest attacks.

Source :- http://nakedsecurity.sophos.com

Related articles

• Man in wheelchair falls down elevator shaft – Facebook clickjacking scam (nakedsecurity.sophos.com)
• ‘Boy reaction after his Ex girlfriend posted’ clickjacking Facebook scam (blogoholic.in)
• Lady Gaga found dead in hotel room? Beware Facebook clickjacking scam (nakedsecurity.sophos.com)
• Hurricane Irene clickjacking scam on Facebook (blogoholic.in)
• Red Arrow crashes during air show – a cold-hearted Facebook clickjacking scam (blogoholic.in)
• “Brother rapes sister video” scam: Why can’t Facebook stop this? (blogoholic.in)

You must be the luckiest person on the planet – You keep winning lotteries! Here’s the latest notification – straight from Aunty Beeb herself, the BBC.

Apparently the BBC is now deciding who has won the lottery based not upon who bought tickets, but instead simply by pulling email addresses out of a hat! That seems so much more efficient than the old way.

You may have thought that there had to be enough people putting a little bit of money *into* the lottery for a small number of people to get a lot *out* of it – but apparently not anymore! Maybe they’re just pleased I’ve been paying the TV license fee for the last twenty years or so.

Now, if you receive an email like this there are probably people out there who will try to convince you that it’s a scam, that it wouldn’t be a good idea to hand over your name, address, age, mobile number, date of birth (hang on – don’t they already have that?) to a complete stranger..

..especially to a complete stranger called “Mr Patetr Thomas” (# You say potato, I say Patetr #). And they may even try to warn you that Scottish screen lovely Jenni Falconer doesn’t actually present the Saturday lottery draw on BBC TV, that duty falling to chirpy cheeky chappy Nick Knowles instead.

And I must admit I find it hard to confuse the two of them, but I’m sure it’s just an administrative mix-up.

After all, Mr Patetr Thomas (# Let’s call the whole thing off.. #) is probably a very busy chap. After all, it looks like I’m not the only winner of the £1,000,000.

That’s right – there’s lots of us. Just look at the subject line:

*** BULK *** Dear E-Mail User

I would like to imagine that there are no Naked Security readers out there who would fall for a scam email like this – but we must recognise that there are people more vulnerable to these sort of con-tricks than ourselves.

Do your bit to make sure that the vulnerable members of your family aren’t fooled into believing they are going to win a fortune in a lottery – if they are duped into believing they will be receiving a windfall they might get themselves into an expensive and upsetting pickle.

Source :- http://nakedsecurity.sophos.com

Related articles

• BBC Lottery: Have you won too? (nakedsecurity.sophos.com)
• Lottery Scam Warning (ohiolottery.wordpress.com)
• French lottery player scoops second jackpot (guardian.co.uk)
• Lottery winners where are they now (wiki.answers.com)
• Ticket in Europe lottery pays $256 million (msnbc.msn.com)
• Hacking Lotteries (schneier.com)