More security failure as Phishing attacks return to Facebook
by Steve Ragan - May 22 2009, 14:00

Once again Facebook users are being targeted by phishing attacks similar to those reported just last Friday here on The Tech Herald. This time, however, they bring with them a nasty twist.
Phishing attacks on social networking sites are nothing new, and this recent attack is itself an old trick: it uses several domains to lead users to a fake log-in screen where their Facebook account credentials are captured, while malware is silently downloaded to the computer.
If your account was compromised, or if you think it was compromised, during this recent attack, you should consider changing your password. The recent scam centers on several URLs (kirgo.at, bests.at, areps.at, and nutpic.at) and presents a page that looks exactly like Facebook’s log-in screen. When users enter their e-mail and password, not only are their credentials stolen, but malware is silently downloaded onto their systems.
Without dwelling on the recurrence of yet another phishing attack against the users of Facebook, we would like to point out some tips to help avoid falling victim to them -- as it's apparent that Facebook seemingly can’t stem the tide.
The following tips come from the public Resources tab on Facebook’s Security profile. This is the same page that you can access while logged in as well. When looking at the advice, it’s no wonder there are so many users falling victim to the Phishing attacks, as there are some serious gaps in the guidance.
“If a link or message seems weird, don't click on it,” reads the very first tip from Facebook. This is decent advice. If you see a message that just looks off, then ignore it. Yet, at the same time, it’s missing some other pointers, and some clarity.
This is especially true if the message comes from someone you do not know, or someone who is not a normal acquaintance. Often, since most Facebook users are obsessed with the service, they'll know the patterns of 'speech' and the types of messages friends are likely to leave on their Wall. When there is a sudden deviation from that pattern, be sure to pay attention and don’t be afraid to call people on it.
If in doubt, ignore the message. Real friends will check up on you. Phishing attacks more often than not blast the same message from various compromised accounts only once. Since they are using compromised accounts, be vigilant about any e-mails sent from your Facebook profile or messages left on other people’s Walls.
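The pattern described above (one identical message blasted from many different accounts in a short burst, then never again) is something a site operator or a vigilant user can look for mechanically. The script below is an added example and is not code from The Tech Herald or from Facebook; the event records it scans are constructed for illustration, and the ten-minute window and three-sender threshold are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Wall/message events: (ISO timestamp, sender, recipient, text).
# The first four rows mimic a phishing blast from several compromised accounts;
# the remaining rows are ordinary chatter, including two separate "happy birthday" posts.
SAMPLE_EVENTS = [
    ("2009-05-22T13:00:00", "alice",   "bob",   "hey, check out this video of you lol http://example.invalid/x"),
    ("2009-05-22T13:00:05", "carol",   "dave",  "hey, check out this video of you lol http://example.invalid/x"),
    ("2009-05-22T13:00:09", "erin",    "frank", "Hey, check out this video of you lol  http://example.invalid/x"),
    ("2009-05-22T13:00:20", "grace",   "heidi", "hey, check out this video of you lol http://example.invalid/x"),
    ("2009-05-22T13:05:00", "alice",   "bob",   "are we still on for lunch tomorrow?"),
    ("2009-05-22T14:10:00", "ivan",    "judy",  "happy birthday!!"),
    ("2009-05-22T14:11:00", "mallory", "judy",  "happy birthday!!"),
]


def normalize(text):
    """Fold case and whitespace so trivially varied copies of one message group together."""
    return " ".join(text.lower().split())


def find_blast_campaigns(events, window=timedelta(minutes=10), min_senders=3):
    """Return {normalized text: sorted senders} for every message that was posted by
    at least `min_senders` distinct accounts within any `window`-long time span."""
    by_text = defaultdict(list)
    for ts, sender, _recipient, text in events:
        by_text[normalize(text)].append((datetime.fromisoformat(ts), sender))

    campaigns = {}
    for text, posts in by_text.items():
        posts.sort()  # chronological order so a sliding window works
        start = 0
        for end in range(len(posts)):
            # Shrink the window from the left until it spans no more than `window`.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            senders = {sender for _, sender in posts[start:end + 1]}
            if len(senders) >= min_senders:
                campaigns.setdefault(text, set()).update(senders)
    return {text: sorted(senders) for text, senders in campaigns.items()}


def suspected_compromised_accounts(events, **kwargs):
    """Accounts that took part in any flagged blast; these are the ones whose owners
    should be told to change their password."""
    accounts = set()
    for senders in find_blast_campaigns(events, **kwargs).values():
        accounts.update(senders)
    return sorted(accounts)


if __name__ == "__main__":
    for text, senders in find_blast_campaigns(SAMPLE_EVENTS).items():
        print(f"blast: {text!r} from {len(senders)} accounts: {', '.join(senders)}")
    print("suspected compromised:", suspected_compromised_accounts(SAMPLE_EVENTS))
```

Two normal friends wishing the same person a happy birthday never reach the threshold, while the video lure is flagged even though one copy differs in capitalisation and spacing. On real data the threshold and window would be tuned to the volume of traffic, and the list of suspected accounts is a prompt for a password reset, not proof on its own.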
“Be aware of where you enter your password. Just because a page on the Internet looks like Facebook, it doesn't mean it is. Learn to tell the difference between a good link and a bad one,” reads tip number two. Calling this vague would be too easy, so let’s just add some information to it.
Facebook, if you actually point your browser to it, uses EV SSL. However, at no time will you see this tip on Facebook’s security page. Apparently you can’t use this feature unless you seek it out yourself. In addition, even if you use the SSL address, it isn’t persistent. Once you log in, things go from HTTPS to HTTP.
So why should you use the HTTPS address when logging in? The SSL-secured address is an EV SSL page, which means your browser’s address bar will change color. In Firefox or Internet Explorer, for example, the color is green. The entire address bar will change to this color.
In phishing attacks such as the recent one, this would prevent anyone from being taken in by a false Facebook domain. EV SSL, while not preventing the download of malware on the phished domain, offers a clear visual clue that something is wrong with the site.
So while Facebook’s security advice says to learn how to tell the difference between a good and bad domain, it needs to explain this better. Moreover, the service should really be telling account holders to use the HTTPS address and only the HTTPS address when logging in, as well as making it a persistent HTTPS connection using the EV cert.
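Tip two tells users to "learn to tell the difference between a good link and a bad one" without saying how. The check below is an added example, not code from The Tech Herald or from Facebook, that makes the two rules argued for above explicit: the host must be facebook.com or a subdomain of it (the domains named in the article are used as sample "bad" inputs, and the look-alike host is constructed), and the scheme must be HTTPS, since only then does the EV indicator appear. A second function flags the HTTPS-to-HTTP downgrade after log-in that the article complains about. The list of legitimate hosts is an assumption for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only facebook.com and its subdomains are legitimate.
LEGITIMATE_DOMAINS = ("facebook.com",)


def classify_login_url(url):
    """Return (verdict, reason) for a URL that presents a Facebook-style log-in form.

    verdict is "good" (HTTPS on the real domain), "warn" (real domain but plain HTTP,
    so the green EV address bar cannot appear) or "bad" (not the real domain at all).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("bad", "no host in URL")

    # Exact match or a proper subdomain. A substring test would wrongly accept a
    # constructed look-alike such as www.facebook.com.kirgo.at, so compare suffixes.
    on_real_domain = any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)
    if not on_real_domain:
        return ("bad", f"host {host!r} is not facebook.com or a subdomain of it")

    if parts.scheme.lower() != "https":
        return ("warn", "real domain but not HTTPS, so no EV indicator will be shown")
    return ("good", "HTTPS on the real domain; expect the green EV address bar")


def detect_downgrade(login_url, post_login_url):
    """True when a session that began over HTTPS continued over plain HTTP."""
    return (urlsplit(login_url).scheme.lower() == "https"
            and urlsplit(post_login_url).scheme.lower() == "http")


if __name__ == "__main__":
    # Sample inputs: the real site over HTTPS and HTTP, two of the domains named in
    # the article, and one constructed look-alike subdomain.
    for sample in ("https://www.facebook.com/",
                   "http://www.facebook.com/",
                   "http://kirgo.at/",
                   "http://areps.at/",
                   "https://www.facebook.com.kirgo.at/"):
        print(sample, "->", classify_login_url(sample))
    print("downgrade after log-in:",
          detect_downgrade("https://www.facebook.com/", "http://www.facebook.com/"))
```

The suffix comparison is the part users most often get wrong by eye: a host that merely contains the word "facebook" is not the real site, and a browser's EV indicator only helps if the page is actually served over HTTPS from the genuine domain.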
As this newest phishing attack on Facebook also comes with malware, aside from the previous two tips, users should make sure they are using updated anti-virus software. There are several free options from AVG, Panda, Avast and others, along with paid versions as well. When it comes to the operating system, keep that properly updated too. Always apply the latest patches as soon as they are available, and this goes for Web browsers as well.
While on the subject of browsers, Firefox has started to block the newest phishing sites, as has Internet Explorer. Yet these provide just one layer of protection -- phishing filters are great, but you'll need the other measures as well.
It’s strange to see such vague security advice for users on a site that has been plagued with security issues. Most of Facebook’s core users are not security people. You could argue that the bulk of them are not all that technical to start with.
So, to conclude, my advice to Facebook is this:
If you take the initiative to launch a security awareness program, then launch one. Don’t just fill up a small FAQ with redundant or vague information. In addition, make the information easy to access; the help section on Facebook, as it stands now, will frustrate most users to no end, ensuring that they get no help at all.
Related: The Tech Herald: Phishing and Facebook: Two things that seem to go together