The Security Pub

Random Thoughts About Security

Facebook Scam – Facebook is Closing All Accounts Today

There is yet another viral scam being spread across Facebook by a rogue application, tricking users into believing that Facebook is closing all accounts today.

Many Facebook users have found that their profiles have been updated with a message which reads:


Facebook is closing all accounts today. They can’t handle so many accounts. Most of the old accounts are not active, so they are deleting everything. If you want your account alive please confirm your activity. This is the final notice! [LINK]

They may also see a message reading:

Final Notice – Confirm your activity today!
In order to keep your account alive you must verify your activity!
Your account will be permanently disabled if you don’t take this step.

The sad thing is that there are many Facebook users who can be fooled by a cunning piece of social engineering like this, as their addiction to the world’s most popular social network outweighs their skepticism about Facebook killing off accounts.

If you think you may have clicked on a link for a rogue application, check out my post on securing your Facebook profile.

Fake Facebook Application that Steals Login Information

Yet another fake application that is stealing Facebook users’ login credentials has recently been discovered by Symantec researchers.

This application lures users in with videos titled “Tornado Randomly Appears During Soccer Game” or “Video: This is the best April Fools’ prank ever!”. When the user clicks on the message, a script is automatically downloaded that logs the user out of Facebook and then displays an error message inviting him to log in again in order to continue.

For more information regarding this “Fake” Facebook application click here.

Facebook Vulnerability

There is an unpatched XSS vulnerability in the mobile API version of Facebook that is currently being exploited to post messages to users’ Walls; those messages serve as a gateway to the specially crafted website that exploits the flaw.

The flaw has been misused for a while now, but has only recently been used widely. Indonesian users are currently targeted by various groups using the vulnerability to their advantage.

“It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript,” explains Symantec. “Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall.”

No user interaction is needed, so the messages are spreading through Facebook at a fast pace. Facebook’s security team has been notified about the vulnerability and is working on a fix. Hopefully it will be issued soon, since the attack seems easy to recreate.
Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent the attack.
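The two carriers Symantec names above, an off-site iframe and a meta http-equiv “refresh” redirect, are easy to spot in a page’s HTML. The following scanner is an added example (not code from Symantec, Facebook or this site) that flags both patterns, plus javascript:/data: URLs that carry inline script, in any page you feed it. The host names and the sample page are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectorScanner(HTMLParser):
    """Collects iframe sources and <meta http-equiv="refresh"> targets that
    point away from the page's own host, or that carry inline script."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self._check("iframe", a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0;url=https://..." (the URL part is optional)
            parts = a.get("content", "").split(";", 1)
            if len(parts) == 2:
                target = parts[1].strip()
                if target[:4].lower() == "url=":
                    target = target[4:].strip().strip("'\"")
                self._check("meta-refresh", target)

    def _check(self, kind, url):
        parsed = urlparse(url.strip())
        scheme = parsed.scheme.lower()
        host = (parsed.hostname or "").lower()
        # javascript:/data: URLs embed script directly; an off-host target is
        # the cross-site embed/redirect pattern described in the post
        if scheme in ("javascript", "data") or (host and host != self.page_host):
            self.findings.append((kind, url))


def scan_page(html, page_host):
    """Return [(kind, url)] for every suspicious iframe/meta-refresh in html."""
    scanner = RedirectorScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, assumed to be served from blog.example.test.
# m.social-site.test stands in for a third-party site's mobile endpoint.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0; URL='https://m.social-site.test/api/post?msg=hi'">
</head><body>
<iframe src="/local/widget.html"></iframe>
<iframe src="https://m.social-site.test/api/post?msg=hi"></iframe>
<iframe src="javascript:void(0)"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in scan_page(SAMPLE_PAGE, "blog.example.test"):
        print(f"{kind}: {url}")
```

The same-host iframe (`/local/widget.html`) is not reported; the other three elements are. Running the scanner over pages your users are sent to is a cheap triage step, and the same logic is what a script-blocking add-on applies in the browser before the element is loaded.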

Secure Your Facebook Profile

Facebook is a terrific resource for networking, for catching up with old friends, and for staying in touch with the people you want to stay in touch with.  Maybe that’s why it has over 500 million active users from all over the world, with roughly half of them logging in every day.

The average Facebook user:

  • has 130 friends.
  • creates 90 pieces of content each month.
  • is connected to 80 community pages, groups and events.

As interesting as these stats might be, they trigger an even more interesting question:

Who has access to your information?

Sure, you want to tell your friends how your day was, but do you want to share those comments with your boss?

Does your college admissions counselor really need to see the pictures from last weekend’s party?

And does an application developer in Romania really need to know your home address?

If you’re going to maintain a Facebook profile, you should follow these four steps to secure your information.

Step 1: Edit Your Friends

Is there anyone in your friends list that you never interact with?  If so, then click the x on the far right to remove them.  You should do this at least twice a year to keep your friends list current.  (Don’t worry.  Facebook won’t post a status update that you’re no longer friends with anyone you remove.  It’ll be our little secret.)

If you’re like me, you probably have people in your Friends list that you network with for work or projects.  These are the people you want to stay connected with, but you don’t want to grant them the same access to your profile that your Friends have.  You can add these Friends to your Limited Profile list by using the Edit List function on this page.

Step 2: Update Your Security Information

Unless you’re using a password vault, there’s always the chance that you’ll forget your Facebook password.  And what if someone compromises your Facebook account and changes the password?  What will you do to take control of your account?

Facebook lets you add security information in case you ever lose access to your account.  I strongly recommend that you add two email addresses and a mobile number.

Step 3: Update Your Privacy Settings

Facebook has been in the news on multiple occasions for privacy concerns.  As a result, they continue to refine their privacy settings, granting users more and more control over their information.  The Privacy Settings page has four (4) key elements:

  1. Connecting on Facebook
  2. Sharing on Facebook
  3. Apps and Websites
  4. Block Lists

Below are my recommendations for updating your privacy settings.

The one point that I refuse to budge on: NEVER grant Everyone access to your Facebook information.  The risks far outweigh the benefits.

Connecting

  • Search for you on Facebook – Friends of Friends
  • Send you messages – Friends Only
  • See your Friends list – Friends Only
  • See your education and work – Friends Only
  • See your current city and hometown – Friends Only
  • See your likes, activities, and other connections – Friends Only

Sharing

  • Set everything to Friends Only

If you click on Customize Settings, you can lock down your information even further by listing specific Friends who you want to share information with.  Likewise, you can list specific Friends who are never permitted to see that information.

You might consider applying those settings to things like:

  • Your birthday
  • Permission to comment on your posts
  • Places you check into
  • Your contact information

Apps and Websites

Remember that app that you tried out back when you first joined Facebook?  Yeah, it still has access to your information.

Click on Edit Settings to remove the apps that you don’t use anymore.  If you want to start with a clean slate, you can click Turn off all platform apps.

Other Apps, Games and Websites settings recommendations:

  • Info accessible through your friends – Uncheck everything
  • Game and app activity – Friends only
  • Instant personalization – My preference is Disabled
  • Public search – Disabled

Block Lists

Maybe it’s an ex.  Maybe it’s a stalker.  Maybe it’s a spammer who refuses to leave you alone.  It doesn’t matter who you want to block or why.  The important thing is that Facebook lets you use this page to Block Users.

Facebook also lets you use this page to block app invites, event invites, and apps.  Instead of constantly declining invitations to mind your neighbor’s farm, join their Mafia, or play Phrases with them, all you have to do is tell Facebook which apps you don’t want to play.  Simple as that.

Step 4: Tweak Your Account Settings

There are a TON of options on the Edit Account page, but I’m only going to touch on the ones that you absolutely need to update.

Settings

  • Make sure your password is strong (letters + numbers + special characters) and hard to guess.  Again, I recommend using a password vault to store your passwords.
  • Linked Accounts – If you’re logged into another site, your browser will automatically log you into Facebook.  Keep this list as short as you can.
  • Account Security – Set this to https.  Otherwise, that shady character at Starbucks will hijack your account.
  • Download Your Information – If you want to backup your entire profile to your local computer, this is where you do it.
  • Notifications
    • Visit this page and start unchecking boxes.  Not so much a security setting as a “leave me the heck alone” setting.  You’re welcome. ;]
  • Mobile
    • If you choose to send updates to your mobile phone, NEVER set Limit my daily texts to Unlimited.
  • Payments
    • The fewer places your credit card information is stored online, the better. It’s up to you whether you want to pay Facebook to watch Grown Ups.
  • Facebook Ads
    • My recommendation is to set both dropdown boxes to No one.

As Facebook continues to improve their privacy policy, I’m sure these options will change.  In the meantime, these steps should be enough to keep you safe for now.

Facebook will close all accounts today….

The latest scam to hit Facebook users is a slight variation of the survey scams that target them daily. It takes the form of an announcement supposedly coming from Mark Zuckerberg, saying that Facebook will close down all accounts.

According to Graham Cluley, the offered link triggers the application permission dialog of a rogue application named “Update your Acc Urgent”, which will supposedly allow the user to keep his or her account.

A click on the “Allow” button adds the application to the user’s profile and allows it, among other things, to post status messages or other content on the user’s Wall, which it does immediately by posting the same message the user fell for.

In the meantime, the user is taken to a Facebook page containing the following explanation (which is horribly written):

Facebook active account verification process. Facebook is recently becoming very overpopulated, There have been many members complaining that Facebook is becoming very slow.Record shows that the reason is that there are too many non active Facebook members And on the other site too many new Facebook members. We need each and every user to verify their account with our new verification process to see if Members are active or not, Once you have visited this verification. You have 15 minutes to verify your account.If you are active please verify to show that you are active .On failing to do so, The user will be deleted without hesitation to create more space. Sorry for the trouble! Regards CEO,Founder of Facebook Mark Zuckerberg

A pop-up also appears in which the user is offered a number of surveys from which to choose, and the filling of one of them will supposedly prove that the user’s account is active and prevent its deletion.

Of course, this action has nothing to do with keeping your Facebook account active, and everything to do with keeping the scammers’ pockets filled with money, as they get paid for every completed survey. Users who have fallen for the scam are advised to delete the application and any messages it may have posted on their Wall.

Secure Browsing and Social Authentication at Facebook

The “social CAPTCHA” method of authentication that Facebook developed to prevent the Tunisian government from accessing the accounts of people whose login credentials it had stolen will become a standard fixture, confirmed Facebook’s Alex Rice.

Facebook is calling it “social authentication”. If suspicious activity is detected on a user’s account (for example, if the account was accessed in America in the morning and then a few hours later from an IP address located in China), the person who is trying to access the account will be presented with a few pictures of the legitimate user’s friends and asked to name the person in those photos.
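The trigger described above is an “impossible travel” check: two logins whose distance and time gap imply a speed no traveller could reach. The code below is an added example of that check and of the knowledge-based step-up it gates; it is not Facebook’s implementation, and the login history, coordinates and friend names are constructed. The speed threshold and the way geolocation is obtained are assumptions.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def flag_impossible_travel(events, max_speed_kmh=1000.0):
    """events: list of (timestamp, lat, lon, label) in chronological order.
    Returns [(event, implied_speed_kmh)] for each login that would require
    moving faster than max_speed_kmh (assumed threshold) since the previous one."""
    flagged = []
    for prev, cur in zip(events, events[1:]):
        dist = haversine_km(prev[1], prev[2], cur[1], cur[2])
        hours = (cur[0] - prev[0]).total_seconds() / 3600.0
        if hours <= 0:
            # same timestamp from two distant places is also impossible
            speed = math.inf if dist > 0 else 0.0
        else:
            speed = dist / hours
        if speed > max_speed_kmh:
            flagged.append((cur, speed))
    return flagged


def verify_social_challenge(friend_photos, answers):
    """friend_photos: {photo_id: friend_name} shown to the person logging in;
    answers: {photo_id: typed_name}.  Passes only if every photo is named
    correctly, so a password alone is not enough to get in."""
    if set(answers) != set(friend_photos):
        return False
    return all(answers[p].strip().lower() == name.lower()
               for p, name in friend_photos.items())


# Constructed sample login history for one account (label = rough geolocation).
SAMPLE_LOGINS = [
    (datetime(2011, 2, 1, 9, 0), 40.71, -74.01, "New York, US"),
    (datetime(2011, 2, 1, 12, 0), 42.36, -71.06, "Boston, US"),
    (datetime(2011, 2, 1, 16, 0), 39.90, 116.40, "Beijing, CN"),
]

if __name__ == "__main__":
    for event, speed in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"step-up challenge for login from {event[3]} (implied {speed:.0f} km/h)")
```

New York to Boston in three hours is ordinary; Boston to Beijing in four hours is not, so only the third login is sent to the photo challenge. In practice the geolocation comes from an IP-to-location database, which is coarse, so the threshold is set well above any realistic flight speed to keep false positives down.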

“Hackers halfway across the world might know your password, but they don’t know who your friends are,” says Rice.

Another feature that Facebook is introducing is secure (https) browsing. So far, encryption has been limited to the login process, but from now on you can extend it to the whole session by enabling that option in your Account Security settings.

Rice warns that those who choose that option might notice slower page loading, and that some features and third-party applications may not work because they do not currently support HTTPS.

“We’ll be working hard to resolve these remaining issues,” he says. “We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.”

We can speculate on whether these features were triggered by the recent hacking of Mark Zuckerberg’s Facebook account, or are really the result of the work done following the Tunisian government’s attempt to steal the passwords of Tunisian Facebook users, but in the end it doesn’t matter because it’s a welcome improvement.

Mexican Twitter-Controlled Botnet

Malware-infected drones in the Mehika Twitter botnet, active in Mexico this summer, take instructions from a Twitter account maintained by hackers instead of conventional command and control servers. The use of Twitter as a botnet command channel was first detected in August 2009 before similar techniques were applied to abuse Facebook profiles as command channels a few months later in November.

Check out the Security News article – [The Register]