Why are you tagged in this video? It’s a viral Facebook scam, Please Avoid


Facebook users have been hit by another fast-spreading scam today, pretending to be a link to a YouTube video that they have been tagged in.

Facebook video scam

The scam messages use potential victims’ first names, claiming that they have been tagged in the “Youtube” video.

Phrases used in the attack include:

YO [name] why are you tagged in this video

WTF!! [name] why are you tagged in this video

hey [name] i cant believe youre tagged in this video

hey [name] you look so stupid in this video

omg! [name] why are you tagged in this vid

OMG [name] why are you in this video

Each “video” has a random number of views and likes, but the length of the movie always appears to be 2:34. Eagle-eyed Facebook users might realise something is awry when they see that the links refer to “Youtube” rather than the rather more accurate “YouTube”.

But if you do make the mistake of clicking on the video thumbnail, you will be taken to a webpage which tries to trick you into cutting-and-pasting malicious JavaScript code into your browser’s address bar (this appears to be one of the scammers’ favourite methods of attack at the moment).

You have to concede, it’s a cunning piece of social engineering by the bad guys. Wouldn’t you want to see a video that your Facebook friends say you have been tagged in?
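The indicators listed above (the six message templates, the “Youtube” spelling and the constant 2:34 running time) can be turned into a simple triage check for reported wall posts. This is an added example, not code from Sophos or Facebook; the function names, indicator labels, the scoring rule and the sample posts are assumptions constructed for illustration.

```python
import re

# Message templates quoted in the article; "[name]" is the recipient's first name.
TEMPLATES = [
    "YO [name] why are you tagged in this video",
    "WTF!! [name] why are you tagged in this video",
    "hey [name] i cant believe youre tagged in this video",
    "hey [name] you look so stupid in this video",
    "omg! [name] why are you tagged in this vid",
    "OMG [name] why are you in this video",
]


def _normalise(text):
    """Fold case and drop punctuation so "can't"/"cant" and "WTF!!"/"wtf" compare equal."""
    text = re.sub(r"[^\w\s]", "", text.casefold())
    return re.sub(r"\s+", " ", text).strip()


def _compile(template):
    # Split around the placeholder first, so normalising cannot destroy it.
    head, tail = (_normalise(part) for part in template.split("[name]"))
    return re.compile(re.escape(head) + r" (\w+) " + re.escape(tail) + r"\b")


PATTERNS = [_compile(t) for t in TEMPLATES]


def scam_indicators(message, link_text, duration):
    """Return the article's indicators that a wall post exhibits."""
    hits = []
    norm = _normalise(message)
    if any(p.match(norm) for p in PATTERNS):
        hits.append("known-lure-phrase")
    # The article notes the links say "Youtube" instead of "YouTube" (case-sensitive).
    if re.search(r"\bYoutube\b", link_text):
        hits.append("miscapitalised-youtube")
    # Views and likes were random, but the running time was always 2:34.
    if duration.strip() == "2:34":
        hits.append("fixed-duration-2:34")
    return hits


def is_suspicious(hits):
    """Assumed scoring rule: a lure phrase alone is enough; the two weaker
    signals (spelling, duration) only count when they appear together."""
    return "known-lure-phrase" in hits or len(hits) >= 2


# Constructed sample posts (not captured from the real campaign).
SAMPLES = [
    ("WTF!! Alice why are you tagged in this video", "Youtube - funny clip", "2:34"),
    ("Hey Bob, I can’t believe you’re tagged in this video!!", "YouTube", "3:10"),
    ("Great video of the conference keynote", "YouTube - Keynote", "12:01"),
]

if __name__ == "__main__":
    for message, link_text, duration in SAMPLES:
        hits = scam_indicators(message, link_text, duration)
        print(is_suspicious(hits), hits, "<-", message)
```

The phrase list only covers the wording reported for this campaign, so the spelling and duration checks are there to catch reworded variants.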

If you’re a regular user of Facebook, make sure you join the Sophos page on Facebook to be kept informed of the latest security threats.

Source :- http://nakedsecurity.sophos.com

Visit the New Facebook? Hacker warning spreads like wildfire on social network


Facebook users are posting warnings to one another about a hacker operating on the network, using the offer to “Visit the new Facebook” to break into pages and kick out the page’s legitimate administrators.

Unfortunately the alerts do not include enough information to be useful, and members of the public may be unwittingly perpetuating a hoax in the belief that they are helping their friends, family and online chums avoid a nasty virus infection.

Visit the new Facebook warning

THIS NOTICE IS DIRECTED TO EVERYONE WHO HAS A PAGE ON FACEBOOK: IF SOME PEOPLE IN YOUR PROFILE OR YOUR FRIENDS SEND YOU A LINK WITH WORDS "VISIT THE NEW FACEBOOK '' AND THERE IS THE LINK BELOW, DO NOT OPEN! IF YOU OPEN IT YOU CAN SAY GOODBYE TO YOUR PAGE. IT'S A HACKER WHO STEALS YOUR DETAILS AND REMOVES YOU FROM YOUR OWN PAGE. COPY AND SPREAD THE WORD

Although there are many scams and attacks which spread on Facebook every day, no-one appears so far to actually have gathered any evidence that this one exists – and there is probably more nuisance being caused by users passing on the warning than by any attack which may or may not have happened.

Users believe they’re doing the right thing when they share warnings like this – but unfortunately they haven’t always checked their facts.

Please don’t share security warnings with your online friends until you have checked them with a credible source (such as an established computer security company). Threats can be killed off fairly easily, but misinformation like this can live on for months, if not years, because people believe they are “doing the right thing” by sharing the warning with their friends.

If you’re a regular user of Facebook, be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.

Source :- http://nakedsecurity.sophos.com

Facebook Dislike button spreads fast, but is a fake – watch out!


Don’t be too quick to click on links claiming to “Enable Dislike Button” on Facebook, as a fast-spreading scam has caused problems for social networking users this weekend.

Messages claiming to offer the opposite to a like button have been appearing on many Facebook users’ walls:

Dislike button on Facebook

Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!

Like the “Preventing Spam / Verify my account” scam which went before it, the scammers have managed to waltz past Facebook’s security to replace the standard “Share” option with a link labelled “Enable Dislike Button”.

The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.

Clicking on the link, however, will not only forward the fake message about the so-called “Fakebook Dislike button” to all of your online friends by posting it to your profile, but also run obfuscated JavaScript on your computer.

The potential for malice should be obvious.

As we’ve explained before, there is no official dislike button provided by Facebook and there isn’t ever likely to be. But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.

Here’s another example that is spreading, attempting to trick you into pasting JavaScript into your browser’s address bar, before leading you to a survey scam:

Offer of Dislike button leads you into posting script into your browser's address bar

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Source :- http://nakedsecurity.sophos.com

17 Twitter Tips from Mashable Connect Attendees


While Twitter users have become more active in the past year, there are only a few who are consistently valuable, engaging and respected.

Becoming one of those users is a challenging task, but it’s also something that can pay big dividends. That’s why we asked the world’s leaders in digital for their advice on how to become a master Twitter user.

On May 12-14, several hundred of the world’s digital leaders gathered in Orlando for the first-ever Mashable Connect, an intimate three-day conference focused on the impact of social media and digital on entertainment, media, technology and society. Connect attendees, along with Team Mashable, had the chance to hear about the biggest trends in digital from the leaders of Syfy, HBO, Edelman, Gowalla, Tumblr, Buddy Media and more.

Here’s the sage advice our Connect attendees had to give:


Twitter Tips


  • 1) @jeffpulver, Casting Director, #140conf: “The secret to Twitter is to listen, connect, share and engage. It’s the conversations that matter.”
  • 2) @davepeck, Director of Community, Meshin: “Respond to everybody, positive or negative.”
  • 3) @michiganflavor, COO, MIFlavor.com: “Retweet, retweet, retweet. People love to see their stuff retweeted, and they’ll start retweeting you.”
  • 4) @shrmsocmedguy, Social Media Strategist, Shrm: “Use your tweeting to set up meetings.”
  • 5) @dstatusstalker, Chief Status Stalker, Status Stalker: “Start a conversation. Reach out to others, and say hello.”
  • 6) @kratzpr, Founder, Kratz PR: “Don’t think of it as a tool, think of it as a gateway for being social.”
  • 7) @ctreada, CEO, Notice Technologies: “Ignore it; they’re all pornographers anyway.” (Chris’s other tip: “Chill out.”)
  • 8) @jkrohrs, VP of Marketing, ExactTarget: “Don’t tweet if you can’t spell.”
  • 9) @moniguzman, Director of Outreach, Intersect: “Tweet what comes naturally. Don’t try to fulfill someone else’s expectations.”
  • 10) @shashib, Social Media Swami, Network Solutions: “More than an RSS feed, connecting with people on Twitter gives you interesting content that is validated by them.”
  • 11) @jennydevaughn, Director, Social Strategy, @HODES: “You need to have brand sacrifice if you want to be viewed as an expert in your field. Only tweet about 10 topics, events or ideas.”
  • 12) @robkey, CEO, Converseon: “Embrace your insignificance.”
  • 13) @zagrrl, VP Technology, Innovation Center for US Dairy: “The best way to learn is to share.”
  • 14) @heidiotway, VP & Director Social Media, Salter Mitchell: “Follow the best, learn from the best.”
  • 15) @jonnorp, Director of Social Media, American Airlines: “Remember that it flies forever.”
  • 16) @chrisvary, Director of Emerging Technology, Weber Shandwick: “Don’t connect your Twitter to Facebook.”
  • 17) @joeyinteractive, Interactive Creative Director, Disney Parks: “Marketing doesn’t spread; stories do.”

Source :- http://mashable.com

Dad catches daughters on webcam: Beware viral Facebook video link


Facebook is being hit by another viral message, spreading between users’ walls disguised as a link to a saucy video.

The messages, which are spreading rapidly, use a variety of different links but all claim to be a movie of a dad catching his daughters making a video on their webcam:

Dad catches daughters on webcam message

[VIDEO] DAD CATCHES DAUGHTERS ON WEBCAM [OMGGGG].AVI
[LINK]
two naughty girls get caught in the WORST moment while making a vid on their webcam! omg!!

The messages also tag some of the victims’ Facebook friends, presumably in an attempt to spread the links more quickly across the social network.

If you make the mistake of clicking on the link you are taken to a webpage which shows a video thumbnail of two scantily clad young women on a bed. The page urges you to play the video, however doing so will post the Facebook message on your own wall as a “Like” and pass it to your friends.

Unfortunately, the new security improvements announced by Facebook this week fail to give any protection or warning about the attack.

Dad catches daughters on webcam message

When I tested the scam, I was presented with a (fake) message telling me that my Adobe Flash plugin had crashed and that I needed to download a codec.

Dad catches daughters on webcam message

Codec download

Users should remember that they should only ever download updates to Adobe Flash from Adobe’s own website – not from anywhere else on the internet as you could be tricked into installing malware.

Ultimately, you may find your browser has been redirected to a webpage promoting a tool for changing your Facebook layout, called Profile Stylez and – on Windows at least – may find you have been prompted to install a program called FreeCodec.exe which really installs the Profile Stylez browser extension.

ProfileStylez

It’s certainly disappointing to see Facebook’s new security features fail at the first major outbreak – clearly there’s much more work which needs to be done to prevent these sorts of messages spreading rapidly across the social network, tricking users into clicking on links which could be designed to cause harm.

Source :- http://nakedsecurity.sophos.com

Eidos confirms website hack, email addresses and resumes stolen


Eidos has revealed that resumes of job hunters and email addresses of video game fans have been stolen by hackers in an attack on the Eidos and “Deus Ex: Human Revolution” websites.

Square Enix, the parent company of Eidos, confirmed the hack in a PDF press release. (Why do companies publish their press releases as PDFs, anyway? That’s just daft.)

Here’s part of the statement from Square Enix:

Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again.

Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates.

There are two main risks here.

One threat is that if your email address is one of the 25,000 that has been stolen, you could receive a scam email (perhaps containing a malicious link or attached Trojan horse) that pretends to come from a video game company. After all, the hackers know that you’re interested enough in video games to give your email address to Eidos.

Secondly, the resumes from job hunters. This is a more serious problem. Just think of all the personal information you include on your CV: full name, date of birth, email and home address, telephone number, job history. This kind of information is a god-send to identity thieves interested in defrauding internet users.

So, it seems Sony is not the only video game company to be having problems with its computer security.

Let’s hope the continuing stream of stories of companies having customer data stolen from them makes them take security more seriously in the future.

More information about the hack can be found on the KrebsOnSecurity blog.

Source :- http://nakedsecurity.sophos.com

You Can Now Tag Pages in Facebook Photos


Ever had the urgent need to tag the Coke can you’re holding in that beach picnic picture on Facebook? Well, now you can, as the social network has added the ability to tag Pages in Facebook photos.

Starting Wednesday (although the feature does not appear to be live yet), users will be able to tag Pages for Brands & Products as well as People (more options coming soon) in their Facebook photos.

Tagged photos will appear in the Photos tab of a Page, rather than on that Page’s Wall, and anyone can tag a Page — even if a user hasn’t “Liked” it. Page admins can also nix photos from the tab by going into Edit Page > Posting Options > and unchecking “Users can add photos.”

For those who are concerned about their privacy, Facebook assures us that privacy settings will still apply; if your photos are visible to everyone, everyone will be able to see the tagged snap, and if your photos are set to “only friends,” only friends will be able to check out that pic of you standing in front of the local Rite Aid.

This move could definitely be beneficial to certain brands. Imagine if people started tagging themselves wearing, say, Levi’s jeans. All of those snaps would then go to the Levi’s Facebook Page and result in free advertising.

Source :- http://mashable.com

Hypocritical Facebook scores PR own-goal with sleazy attack on Google privacy


Facebook has been left red-faced after having to admit that it hired a PR agency to plant negative stories with the press about privacy concerns on Google.

The irony is, of course, that Facebook is hardly a shining example of how an online firm should protect its users’ privacy.

Here’s what happened:

* Facebook secretly hired giant public relations firm Burson-Marsteller to seed stories in the media about privacy concerns with Google Social Search.

Google Social Search example

The Social Search feature of Google scours the web for publicly available information about you from sites such as Twitter, Yelp, Picasa, and FriendFeed, and displays it in the search results of your online friends.

* Facebook’s plan backfired badly when Burson-Marsteller approached former FTC investigator and blogger Christopher Soghoian offering him the story, but refusing to reveal who its client was. An unimpressed Soghoian published the email exchange.

Amid much speculation, The Daily Beast news website revealed that the firm pulling Burson-Marsteller’s strings was Facebook.

* Facebook confirmed it had hired PR firm Burson-Marsteller to promote the company’s position against Google’s Social Search facility and admitted that it should have presented the issues in “a serious and transparent way”.

This wouldn’t necessarily have been a problem, if the PR agency had been up-front that it was representing Facebook when pitching the anti-Google stories in the first place. What is seedy is that Facebook’s involvement was deliberately hidden.

This whole story reeks of poor judgement by Facebook and its PR agency.

And it’s rather hypocritical for Facebook to point fingers at possible questions over Google’s attitude to privacy, when its own house is in such a mess.

For instance, Facebook recommends that users adopt privacy settings that can reveal their personal data to anyone on the internet.

Facebook's recommended privacy settings

Don’t believe me? Read the small print in Facebook’s privacy policy:

"Information set to 'everyone' is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations."

"The default privacy setting for certain types of information you post on Facebook is set to 'everyone.' You can review and change the default settings in your privacy settings. If you delete 'everyone' content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."

In other words, if you make your Facebook information available to “everyone”, it actually means “everyone, forever”. Because even if you change your mind, it’s too late – and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook.

If Facebook really cared about your privacy online, wouldn’t it recommend more privacy-conscious settings and not default to sharing your profile information with search engines?

Facebook public search

If you’re interested in being safer on Facebook, read more about the security and privacy challenges that exist for Facebook users. You could also do a lot worse than follow the advice in our step-by-step guide for better security and privacy on Facebook.

And, if you’re a regular user of Facebook, be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.

Full disclosure: Parts of Sophos, although not Naked Security, use Burson-Marsteller on some PR projects.

Source :- http://nakedsecurity.sophos.com

PREVENTING SPAM scam on Facebook does exactly the opposite


If you’re seeing Facebook messages asking you to “do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT,” don’t do so – you’d be creating spam, not stopping it!

The messages look something like this:

Usually, however, the clickable links at the bottom of messages on your Wall – highlighted in pink below – should look like this:

The scammers have replaced the “Share” option with a link labelled “== VERIFY MY ACCOUNT ==”. Clicking this not only activates the Share option (which you no longer realise you’re pressing), but also invokes a raft of heavily obfuscated JavaScript from a site in the .info domain. (This site is blocked by the web protection software in Sophos’s endpoint and web gateway products.)

With all the unexpected Sharing going on, this message has spread like wild-fire. Instead of preventing spam, this particular campaign has been generating it at astonishing rates.

The good news is that Facebook seems to have taken some action to prevent the “Share” button being replaced in these messages. Since a few minutes ago, malicious messages appear with no links at all, like this:

The lessons to be learned from this outbreak of spam are as follows:

* Assume that messages which ask you to verify your account by clicking on a link are false. You wouldn’t (I hope) click on links in emails which claimed to come from your bank trying to panic you about your account. That would be a classic phishing scam using a false site to steal your username and password. So don’t trust that sort of link on Facebook, either.

* When you take some action on Facebook which doesn’t deliver what was promised – for example, if you end up Sharing or Liking something you didn’t intend to, or if you click through to an offer or competition which suddenly morphs into something completely different (a bait-and-switch) – assume you have been tricked. Review the side-effects of your actions. Remove any applications you may trustingly have accepted; unlike things you didn’t mean to like; and delete posts you didn’t intend to make.

* Be wary of unexpected changes to Facebook’s interface for Liking, Commenting, Sharing and so forth. Unfortunately, the nature of social networking sites is that they like to undergo rapid change. Cybercrooks exploit this by assuming that you accept ongoing changes as “part of how things work”. Don’t do so. If you see something different, check with an official source to see if it’s expected or not.

If sufficiently many Facebook users dig their heels in every time Facebook makes a gratuitous or confusing change in its interface, its privacy settings or its feature set, then it’s possible that Facebook will learn to adapt in ways which best suit the privacy and safety of its users, instead of adapting to improve its traffic and benefit its paying customers.

(Remember that as a Facebook user, you aren’t a customer. You’re effectively an informal employee, paid not in cash but in kind. Your “wage” is free access to the Facebook system. Your clicks generate the value for which Facebook can charge its customers – the advertisers who benefit from the fact that you use the network at all. Don’t sell yourself short.)

Source :- http://nakedsecurity.sophos.com