Attacking social networking websites is becoming more common all the time. My guess is that they are being leveraged by criminals, who are after the vast amount of personal information people willingly put up on these sites.
For the past couple of weeks, the ongoing attack on FaceBook has figured prominently in the media. The attack isn't much different than some of the other ones we've seen in recent years – which are to take over a user account – and then use it to trick people into falling for a scam. In this instance, a phishy link is being used to direct the effort.
The intended victim receives a communication from someone they know (who has already been compromised), which directs them to a page that appears to be a FaceBook login. They are then prompted to put in their user name and password. If they do, their information is stolen and will be used to trick even more people into doing the same thing.
Stealing stolen user accounts on eBay has been a problem for years. On eBay, it is a means of using an established seller's credentials to trick people into thinking they are dealing with a "trusted seller." The only difference here is that instead of selling bogus or non-existent merchandise, the intent on FaceBook is probably to trick people into giving up personal or financial information.
This information can then be used to commit financial crimes, using the victim’s identity.
I found some information about the FaceBook attack on Symantec's Security Response blog. Thus far, according to the research conducted on this at their lab, no computers have been infected.
According to Marian Meritt at Symantec, the danger of giving up your FaceBook credentials might go beyond having your account compromised. She believes the hackers behind this are looking to compromise other accounts, where you might use the same credentials. I read some other articles on this and thus far this seems to be the consensus of why the attack is occurring, but no one seems to know for sure.
Whether this is the intent, or not – the advice given in the post is something that should be considered when dealing with the multiple accounts a lot of us have.
First and foremost, you should pay attention to the address in the bar at the top of your page. If it is not exactly the address of the legitimate site, you are probably being tricked into thinking that it is. For instance, www.faceboot.com is not www.facebook.com. Even better, if you spot a suspicious link, hover your mouse on it (without clicking on it) and the actual address will appear at the bottom left-hand of the page. Entering the legitimate address in your address bar is always smarter than clicking on a link, too.
Of course, it's also wise to check out the address at the top of the page after arriving at your destination, also. You should also stop and think when something pops up instructing you to enter your user and password information.
Also recommended is to use complex and unique passwords for each of your accounts, maintain an up-to-date browser and operating system and use updated security software from a reliable vendor.
When purchasing security software, ensure you are not buying counterfeit software or being tricked into purchasing scareware. Scareware is bogus security software that normally prompts a user to run a scan of their system, which reflects all kinds of bad things going on. The problem is that the problems normally do not really exist and the protection they are selling doesn't really protect you, either.
So far as buying counterfeit software, it normally doesn't protect you very well and it might even have some malicious code built right into the program.
While the FaceBook attack is the flavor of the week, it’s not the only social networking site that has been targeted in the recent past. Twitter and MySpace have been the targets of recent attacks, too. SC Magazine did a recent article where a security researcher from Websense was quoted as saying they have detected more than 200,000 sites impersonating the above mentioned social networking sites.
Going beyond social networking sites, financial, auction, e-commerce are frequently attacked, too. The common denominator is sites where criminals can harvest information and turn it into money. Please note that people interested in doing a little bit of due diligence on you personally might see what you are putting up on these sites. I’ve recently seen this presented as a “best practice” when doing background checks on people.
The key is to adopt the known best practices if you enjoy using these sites. Another wise thing to do is to be extremely thoughtful about what information you post on them and how it might be used against you.
Anything you post on these sites can and will be used against you if the wrong person gets their hands on it. In the end, being mindful of the information you are posting on a social networking site is probably the best defense you have. After all, you never know who is looking at it!
Showing posts with label Facebook. Show all posts
Showing posts with label Facebook. Show all posts
Sunday, May 17, 2009
Tuesday, November 27, 2007
Facebook invokes the opt-out defense when accused of privacy violations!
FaceBook, the much talked about social networking site, has received a lot of bad publicity recently.
Despite their immense popularity, personal information published on the site has been used to commit everything from identity theft to abusing children.
Hackers are also using the site to drop malicious software on unsuspecting visitors. This leads to even more privacy violations and in many instances, identity theft and financial crimes, also.
Now they are under fire for a marketing scheme, which posts what their members just purchased all over the electronic universe (Internet).
Kimberly Palmer also known as the "Alpha Consumer" at U.S. News and World report recently documented her sister's frustrations with this practice.
In her own words:
Facebook has defended their right to do this by saying that a member can opt-out from having their personal shopping habits disclosed in public.
I always chuckle when the words "opt-out" are used as a defense to justify a violation of privacy.
The financial services industry has been sending us snail mail for years that are called privacy notices. These notices, which are full of small print make a mockery of the meaning of privacy (my opinion). If you fail to respond to these letters, they can and will sell your information to the highest bidder.
Of course, in most of these instances, the institutions involved don't make it easy to respond to these notices.
The problem with opting-out is that the current laws make it too easy to opted right back in.
Opting out is like playing a game of "Whac a Mole," because whenever you conduct a transaction, you might be opting-in again.
Tom Fragala at the Truston blog recently chronicled his frustrations in a post entitled, "Opting-In After You Have Opted-Out." In this post, Tom writes about a personal episode where he was targeted by identity thieves and opted-out, only to be opted-in again.
He also did a follow-up post, "How Direct Marketers Get You to Opt-In After Opting Out," which shows how marketing people have gotten past opt-out legislation in general.
There is little doubt that opt-out laws need to be updated. I wonder if the law were changed so that people had to give their permission for a company to sell their information, we might see a marked decrease in criminal activity enabled by information that is too easy to access!
Sadly, the people making too much money by exposing it for marketing purposes don't seem to want to become more responsible. And as long as they have a lot of money to fuel special interests, the problem isn't going to disappear very quickly!
Kimberly Palmer article, here.
Wikipedia has an interesting article going into detail on all the privacy concerns with FaceBook, here.
12-2-07 (Update): It appears FaceBook is changing their policy on opt-out to make it more user friendly and transparent. Here is a story from the LA Times on the changes, which privacy advocates are claiming as a major victory:
Facebook adds safeguards on purchase data
Despite their immense popularity, personal information published on the site has been used to commit everything from identity theft to abusing children.
Hackers are also using the site to drop malicious software on unsuspecting visitors. This leads to even more privacy violations and in many instances, identity theft and financial crimes, also.
Now they are under fire for a marketing scheme, which posts what their members just purchased all over the electronic universe (Internet).
Kimberly Palmer also known as the "Alpha Consumer" at U.S. News and World report recently documented her sister's frustrations with this practice.
In her own words:
This past weekend, after my sister found a great pair of Dansko clogs and ordered them online from Zappos.com, her Facebook friends received a newsfeed message that told them she had just "found something cool at Zappos.com." Since she hadn't planned on announcing her purchase to so many people, she quickly deleted the message but not before feeling that her privacy had been invaded.
It turns out Facebook has relationships with online retailers, including Zappos.com, Fandango.com, and Overstock.com, that allow the social networking site to post information when purchases are made. My sister isn't the only one upset by it; the liberal group MoveOn.org started a petition asking Facebook to respect users' privacy and stop the practice. The blog Binary Freedom has asked Facebook not to ruin the holidays by alerting people to their gifts ahead of time.
Facebook has defended their right to do this by saying that a member can opt-out from having their personal shopping habits disclosed in public.
I always chuckle when the words "opt-out" are used as a defense to justify a violation of privacy.
The financial services industry has been sending us snail mail for years that are called privacy notices. These notices, which are full of small print make a mockery of the meaning of privacy (my opinion). If you fail to respond to these letters, they can and will sell your information to the highest bidder.
Of course, in most of these instances, the institutions involved don't make it easy to respond to these notices.
The problem with opting-out is that the current laws make it too easy to opted right back in.
Opting out is like playing a game of "Whac a Mole," because whenever you conduct a transaction, you might be opting-in again.
Tom Fragala at the Truston blog recently chronicled his frustrations in a post entitled, "Opting-In After You Have Opted-Out." In this post, Tom writes about a personal episode where he was targeted by identity thieves and opted-out, only to be opted-in again.
He also did a follow-up post, "How Direct Marketers Get You to Opt-In After Opting Out," which shows how marketing people have gotten past opt-out legislation in general.
There is little doubt that opt-out laws need to be updated. I wonder if the law were changed so that people had to give their permission for a company to sell their information, we might see a marked decrease in criminal activity enabled by information that is too easy to access!
Sadly, the people making too much money by exposing it for marketing purposes don't seem to want to become more responsible. And as long as they have a lot of money to fuel special interests, the problem isn't going to disappear very quickly!
Kimberly Palmer article, here.
Wikipedia has an interesting article going into detail on all the privacy concerns with FaceBook, here.
12-2-07 (Update): It appears FaceBook is changing their policy on opt-out to make it more user friendly and transparent. Here is a story from the LA Times on the changes, which privacy advocates are claiming as a major victory:
Facebook adds safeguards on purchase data
Subscribe to:
Posts (Atom)
