Posts Tagged ‘Login’
Twitter phishing attack spreads via Direct Messages
Twitter users are reporting receiving direct messages (DMs) from other members of the network, cheekily asking if it is them who is pictured in a photo, video or mentioned in a blog post.
The President is finally taking charge? No, a Facebook phishing attack
A warning to all the Facebook users out there – the scammers are after your login details again, this time by spreading a link which purports to be a video of Barack Obama.
The president is finally taking charge!!
[LINK]
Is this really for real?.
The image used in the message looks like a YouTube video thumbnail, but if you click on the link you are redirected, via a cross-site scripting (XSS) vulnerability on an MIT webpage and then Reddit, to a phoney Facebook login page.
It may look like Facebook, but it’s not the real Facebook. It’s designed to phish your username and password from you.
Incidentally, the page is hosted on an almost identically-named domain to one we’ve previously seen used in a Facebook phishing campaign.
Facebook usernames and passwords are an increasingly valuable commodity for cybercriminals – once they have those, they’ll be able to log into your account, post messages in your name, spread spam and malware and perhaps raid your profile for personal information that they might be able to use for identity theft.
Worst of all, perhaps, they can pose as you and cause tremendous problems for your friends and family.
So, if you think you might have fallen for a scam like this, change your Facebook password immediately and scan your computer with an up-to-date anti-virus product.
Source: http://nakedsecurity.sophos.com
Facebook phishing: Can you spot the difference?
Original post from Sophos. Author: Graham Cluley
We’ve seen some messages being spread on Facebook in the last day or so, claiming to link to a video of Barack Obama. Most of them appear to have been cleaned up by now (presumably by Facebook Security) but there are still some remnants lying around.
Here’s a typical message:
hello have you seen this recent video on the president? What is he doing in it?! LOL
or
What's the president doing in this video. OMG LOL!
Some versions of the message give away that the link will ultimately take you to a website ending with .co.cc. Almost all of the links we see in SophosLabs which end with “.co.cc” contain “bad stuff”. Perhaps it would be simplest if everyone simply avoided .co.cc links (and close cousins such as .cz.cc) as they are tainted by association.
And what sort of name is hzjqorbbmdnf anyway?
Regardless of the dodgy-looking nature of the link – what happens if you click on it?
Well, you will be redirected to what appears on first glance to be a Facebook login page. However, in reality, it’s a phishing page designed to steal email addresses and passwords from users who are so keen to see a video of their president that they’ll type in their credentials without thinking.
Here’s the fake login page:
And here’s Facebook’s genuine login page:
Did you spot all the differences?
Here are the ones I found – well done if you spotted even more!
Starting at the very top -
1. The genuine login page calls itself “Log in” in its title bar. Amusingly, the real Facebook is inconsistent as to whether you “Log in” or “Login” to Facebook as later in the page it refers to “Facebook Login”. It’s odd to see a phishing page be more professional than the real thing.
2. That’s clearly not Facebook’s genuine URL. Interestingly, other pages on the domain contain clickjacking scams.
3. The real page gives me more language options – including UK English and Welsh which aren’t available on the phishing page. It’s possible that the real Facebook is doing some GEO-IP lookups and determined that I’m visiting from the UK – maybe users in other countries don’t see those options.
4. The phishers have the copyright date incorrect, believing it to be 2010 rather than 2011.
5. There are many more link options made available to me in the footer of the real login page, including “Badges”, “Mobile”, “People”, etc.
There’s bound to be more differences than the ones I spotted though. So, leave a comment below if you find any more.
If you’re on Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.
Update: Wow! I can always rely on the eagle-eyed Naked Security readers who spotted some other differences.
Facebook announces new security features
Facebook has just published an article entitled Keeping You Safe from Scams and Spam. It’s all about improving security on its network.
In the past, Facebook has seemed curiously reluctant to do anything which might impede traffic.
After all, Facebook’s revenue doesn’t come from protecting you, the user. It comes from the traffic you generate whilst using the site.
So this latest announcement is a welcome sign, since some of the new security features prevent or actively discourage you from doing certain things on the Facebook network. Let’s hope that everyone at Facebook has accepted that reduced traffic from safer users will almost certainly give the company higher value in the long term.
But do Facebook’s new security features go far enough? Let’s look them over.
* Partnership with Web of Trust (WOT)
WOT is a Finnish company whose business is based around community site ratings. You tell WOT if you think a site is bad; WOT advises you as you browse what other people have said about the sites you visit.
Community block lists aren’t a new idea – they’ve been used against both email-borne spam and dodgy websites for years – and they aren’t perfect. Here’s what I said about them at the VB2006 conference in Montreal:
[C]ommunity-based block lists can help, and it is suggested that they can be very responsive if the community is large and widespread. (If just one person in the entire world reports a [dodgy] site, everyone else can benefit from this knowledge.)
But the [cybercriminals] can react nimbly, too. For example, using a network of botnet-infected PCs, it would be a simple matter to 'report' that a slew of legitimate sites were bogus. Correcting errors of this sort could take the law-abiding parts of the community a long time, and render the block list unusable until it is sorted out. Alternatively, the community might need to make it tougher to get a [site] added to the list, to resist false positives. This would render the service less responsive.
Another problem with a block list based on “crowd wisdom” is that it can be difficult for sites which were hacked and then cleaned up to get taken off the list. Users will willingly report bad sites, but are rarely prepared to affirm good ones.
False positives, in fact, have already been a problem for Facebook’s own bad-link detector, which is also mentioned in the announcement. Naked Security has had its own articles blocked on Facebook simply for mentioning the name of a scam site.
In short, the effectiveness, accuracy and coverage of the WOT partnership remains to be evaluated. But I approve of the deal. It’s a step forward by Facebook. However, Facebook’s own bad-link detector could do with improvement.
* Clickjacking protection
Facebook introduced some anti-clickjacking measures a while ago. It’s a good idea. If you’re trying to Like a page known to be associated with acquiring Likes through clickjacks, Facebook won’t blindly accept the click. You’ll have to re-confirm it.
Again, I approve of this. But in my opinion, it’s not going far enough. It would be much better if Facebook popped up a confirmation dialog every time you Liked something, so that the “blind Likes” triggered by clickjacking would neither work nor go unnoticed. (Indeed, this popup dialog would be a great place for users to report clickjacks to the WOT community block list!)
That’s not going to happen. Facebook wants Liking to be easy – really easy – as it helps to generate lots of traffic. A popup for every Like almost certainly wouldn’t get past Facebook’s business development managers. Not yet, at any rate. But if we all keep asking, perhaps they’ll see the value?
* Self-XSS
This is a geeky way of saying “Pasting JavaScript into your own address bar.”
We’ve already reported on the potential danger of doing this. When you put JavaScript in your address bar, you implicitly give it permission to run as if it were part of the page you just visited. That’s always a risky proposition. Facebook is adding protection against this behaviour.
Facebook also says it’s working with browser makers on this problem. That’s good.
Perhaps all browsers should simply disallow JavaScript in the address bar by default? It’s a useful feature, but the sort of user who might need it would surely be technically savvy enough to turn it on when needed.
* Login approvals
Facebook’s final announcement is what it describes as two factor authentication (2FA). Facebook will optionally send you an SMS every time someone logs in from “a new or unrecognised device”. (Facebook doesn’t say how it defines “new”, or how it recognises devices.)
This is a useful step, and will make stolen Facebook passwords harder to abuse. In the past, you would only see Facebook’s “login from new or unrecognised device” warning next time you used the site, by which time it might have been too late.
The new feature means that you’ll get warnings about unauthorised access attempts pushed to you. Furthermore, the crooks won’t be able to log in because they won’t have the magic code in the SMS which is needed to proceed.
It’s a pity Facebook isn’t offering an option to let you enable 2FA every time you log in. It would be even nicer if they added a token-based option (and they’d be welcome to charge a reasonable amount for the token) for the more security-conscious user.
A token would also allow users to enjoy the benefits of 2FA without sharing their mobile phone number with Facebook – something they might be unwilling to do after Facebook’s controversial flirtation, earlier this year, with letting app developers get at your address and phone number.
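To make the login-approval flow above concrete, here is an added toy server-side model of it in Python. It is not Facebook’s code and does not claim to show how Facebook recognises devices; it assumes a device is “recognised” only if it presents an opaque token the server issued after an earlier approved login, that the one-time code goes out by SMS, and that codes are short-lived and single-use. The user name, password, phone number and fake SMS gateway are all constructed for the demonstration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a one-time code is honoured for five minutes only
MAX_ATTEMPTS = 3         # wrong guesses allowed before the pending code is discarded


class LoginApprovals:
    """Hypothetical model of 'login approvals' (not Facebook's implementation):
    a correct password is enough only from a device we have seen before; any
    other device must also present a one-time code sent by SMS to the account
    holder, which doubles as the warning that somebody is trying to log in."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms     # callable(phone, code); a real system calls an SMS gateway
        self.clock = clock           # injectable so expiry can be exercised in tests
        self.users = {}              # user -> (password, phone); plaintext only for this demo
        self.known_devices = {}      # user -> set of device tokens this server issued
        self.pending = {}            # user -> {"code", "expires", "attempts"}

    def add_user(self, user, password, phone):
        self.users[user] = (password, phone)
        self.known_devices[user] = set()

    def begin_login(self, user, password, device_token):
        """Step 1: check the password, then decide whether the device is recognised."""
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[0], password):
            return "denied", None
        if device_token in self.known_devices[user]:
            return "ok", device_token                 # seen before: no challenge
        # New or unrecognised device: issue a fresh six-digit code and push it to the phone.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = {"code": code, "expires": self.clock() + CODE_TTL_SECONDS, "attempts": 0}
        self.send_sms(record[1], code)                # this SMS is the pushed warning
        return "code_required", None

    def complete_login(self, user, code):
        """Step 2: the caller must present the code that went to the account holder's phone."""
        p = self.pending.get(user)
        if p is None:
            return "denied", None
        if self.clock() > p["expires"]:
            del self.pending[user]
            return "expired", None
        p["attempts"] += 1
        if not hmac.compare_digest(p["code"], code):
            if p["attempts"] >= MAX_ATTEMPTS:
                del self.pending[user]                # stop unlimited guessing
            return "denied", None
        del self.pending[user]                        # single use
        token = secrets.token_urlsafe(32)             # remember this device from now on
        self.known_devices[user].add(token)
        return "ok", token


def demo():
    """Walk the flow with a constructed account, a fake SMS inbox and a fake clock."""
    inbox = []                                        # what the account holder's phone receives
    state = {"now": 1_000_000.0}
    svc = LoginApprovals(send_sms=lambda phone, code: inbox.append(code),
                         clock=lambda: state["now"])
    svc.add_user("alice", "correct horse battery", "+44 7700 900123")   # constructed values
    out = {}

    # A crook has phished Alice's password but is on a device we have never issued a token to.
    out["crook_begin"] = svc.begin_login("alice", "correct horse battery", "crook-laptop")[0]
    out["sms_after_crook"] = len(inbox)               # Alice's phone buzzes: she is warned
    out["crook_guess"] = svc.complete_login("alice", "not-digits")[0]   # cannot match a digit code

    # Alice logs in from her own phone and types the code she just received.
    out["alice_begin"] = svc.begin_login("alice", "correct horse battery", "alice-phone")[0]
    status, token = svc.complete_login("alice", inbox[-1])
    out["alice_complete"] = status

    # Next time, the token we issued identifies the device: no code, no SMS.
    out["alice_again"] = svc.begin_login("alice", "correct horse battery", token)[0]
    out["sms_total"] = len(inbox)

    # A code left unused for ten minutes is rejected.
    svc.begin_login("alice", "correct horse battery", "alice-tablet")
    state["now"] += 600
    out["stale_code"] = svc.complete_login("alice", inbox[-1])[0]

    # A wrong password never gets as far as an SMS.
    out["bad_password"] = svc.begin_login("alice", "wrong", "alice-phone")[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two things worth noticing are that the SMS is sent before the crook gets any further, so the account holder learns of the attempt even if it goes no further, and that the code is single-use, time-limited and compared in constant time, so a stolen password on its own never yields a session.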
Source: http://nakedsecurity.sophos.com