Blog Archives

Why are you tagged in this video? It’s a viral Facebook scam , Please Avoid

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Facebook users have been hit by another fast-spreading scam today, pretending to be a link to a YouTube video that they have been tagged in.

Facebook video scam

The scam messages use potential victims’ first names, claiming that they have been tagged in the “Youtube” video.

Phrases used in the attack include:

YO [name] why are you tagged in this video

WTF!! [name] why are you tagged in this video

hey [name] i cant believe youre tagged in this video

hey [name] you look so stupid in this video

omg! [name] why are you tagged in this vid

OMG [name] why are you in this video

Each “video” has a random number of views and likes, but the length of the movie always appears to be 2:34. Eagle-eyed Facebook users might realise something is awry when they see that the links refer to “Youtube” rather than the rather more accurate “YouTube”.

But if you do make the mistake of clicking on the video thumbnail you will be taken to a webpage which tries to trick you into cutting-and-pasting a malicious JavaScript code into your browser’s address bar (this appears to be one of the scammers’ favourite methods of attack at the moment).

You have to concede, it’s a cunning piece of social engineering by the bad guys. Wouldn’t you want to see a video that your Facebook friends say you have been tagged in?

If you’re a regular user of Facebook, make sure you join the Sophos page on Facebook to be kept informed of the latest security threats.

Source :- http://nakedsecurity.sophos.com

Advertisements

Visit the New Facebook? Hacker warning spreads like wildfire on social network

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Facebook users are posting warnings to one another about a hacker operating on the network, using the offer to “Visit the new Facebook” to break into pages and kick out the page’s legitimate administrators.

Unfortunately the alerts do not include enough information to be useful, and members of the public may be unwittingly perpetuating a hoax in the belief that they are helping their friends, family and online chums avoid a nasty virus infection.

Visit the new Facebook warning

THIS NOTICE IS DIRECTED TO EVERYONE WHO HAS A PAGE ON FACEBOOK: IF SOME PEOPLE IN YOUR PROFILE OR YOUR FRIENDS SEND YOU A LINK WITH WORDS "VISIT THE NEW FACEBOOK '' AND THERE IS THE LINK BELOW, DO NOT OPEN! IF YOU OPEN IT YOU CAN SAY GOODBYE TO YOUR PAGE. IT'S A HACKER WHO STEALS YOUR DETAILS AND REMOVES YOU FROM YOUR OWN PAGE. COPY AND SPREAD THE WORD

Although there are many scams and attacks which spread on Facebook every day, no-one appears so far to actually have gathered any evidence that this one exists – and there is probably more nuisance being caused by users passing on the warning than by any attack which may or may not have happened.

Users believe they’re doing the right thing when they share warnings like this – but unfortunately they haven’t always checked their facts.

Please don’t share security warnings with your online friends until you have checked them with a credible source (such as an established computer security company). Threats can be killed off fairly easily, but misinformation like this can live on for months, if not years, because people believe they are “doing the right thing” by sharing the warning with their friends.

If you’re a regular user of Facebook, be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.

Source :- http://nakedsecurity.sophos.com

Facebook Dislike button spreads fast, but is a fake – watch out!

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Don’t be too quick to click on links claiming to “Enable Dislike Button” on Facebook, as a fast-spreading scam has caused problems for social networking users this weekend.

Messages claiming to offer the opposite to a like button have been appearing on many Facebook users’ walls:

Dislike button on Facebook

Facebook now has a dislike button! Click 'Enable Dislike Button' to turn on the new feature!

Like the “Preventing Spam / Verify my account” scam which went before it, the scammers have managed to waltz past Facebook’s security to replace the standard “Share” option with a link labelled “Enable Dislike Button”.

The fact that the “Enable Dislike Button” link does not appear in the main part of the message, but lower down alongside “Link” and “Comment”, is likely to fool some users into believing that it is genuine.

Clicking on the link, however, will not only forward the fake message about the so-called “Fakebook Dislike button” to all of your online friends by posting it to your profile, but also run obfuscated Javascript on your computer.

The potential for malice should be obvious.

As we’ve explained before, there is no official dislike button provided by Facebook and there isn’t ever likely to be. But it remains something that many Facebook users would like, and so scammers have often used the offer of a “Dislike button” as bait for the unwary.

Here’s another example that is spreading, attempting to trick you into pasting JavaScript into your browser’s address bar, before leading you to a survey scam:

Offer of Dislike button leads you into posting script into your browser's address bar

If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.

Source :- http://nakedsecurity.sophos.com

Dad catches daughters on webcam: Beware viral Facebook video link

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Facebook is being hit by another viral message, spreading between users’ walls disguised as a link to a saucy video.

The messages, which are spreading rapidly, use a variety of different links but all claim to be a movie of a dad catching his daughters making a video on their webcam:

Dad catches daughters on webcam message

[VIDEO] DAD CATCHES DAUGHTERS ON WEBCAM [OMGGGG].AVI
[LINK]
two naughty girls get caught in the WORST moment while making a vid on their webcam! omg!!

The messages also tag some of the victims’ Facebook friends, presumably in an attempt to spread the links more quickly across the social network.

If you make the mistake of clicking on the link you are taken to a webpage which shows a video thumbnail of two scantily clad young women on a bed. The page urges you to play the video, however doing so will post the Facebook message on your own wall as a “Like” and pass it to your friends.

Unfortunately, the new security improvements announced by Facebook this week fail to give any protection or warning about the attack.

Dad catches daughters on webcam message

When I tested the scam Sophos was presented with a (fake) message telling me that my Adobe Flash plugin had crashed and  needed to download a codec.

Dad catches daughters on webcam message

Codec downloadUsers should remember that they should only ever download updates to Adobe Flash from Adobe’s own website – not from anywhere else on the internet as you could be tricked into installing malware.

Ultimately, you may find your browser has been redirected to a webpage promoting a tool for changing your Facebook layout, called Profile Stylez and – on Windows at least – may find you have been prompted to install a program called FreeCodec.exe which really installs the Profile Stylez browser extension.

ProfileStylez

It’s certainly disappointing to see Facebook’s new security features fail at the first major outbreak – clearly there’s much more work which needs to be done to prevent these sorts of messages spreading rapidly across the social network, tricking users into clicking on links which could be designed to cause harm.

Source :- http://nakedsecurity.sophos.com

You Can Now Tag Pages in Facebook Photos

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Ever had the urgent need to tag the Coke can you’re holding in that beach picnic picture on Facebook? Well, now you can, as the social network has added the ability to tag Pages in Facebook photos.

Starting Wednesday (although the feature does not appear to be live yet), users will be able to tag Pages for Brands & Products as well as People (more options coming soon) in their Facebook photos.

Tagged photos will appear in the Photos tab of a Page, rather than on that Page’s Wall, and anyone can tag a Page — even if a user hasn’t “Liked” it. Page admins can also nix photos from the tab by going into Edit Page > Posting Options > and unchecking “Users can add photos.”

For those who concerned about their privacy, Facebook assures us that privacy settings will still apply; if your photos are visible to everyone, everyone will be able to see the tagged snap, and if your photos are set to “only friends,” only friends will be able to check out that pic of you standing in front of the local Rite Aid.

This move could definitely be beneficial to certain brands. Imagine if people started tagging themselves wearing, say, Levi’s jeans. All of those snaps would then go to the Levi’s Facebook Page and result in free advertising.

Source :- http://mashable.com

Hypocritical Facebook scores PR own-goal with sleazy attack on Google privacy

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Facebook has been left red-faced after having to admit that it hired a PR agency to plant negative stories with the press about privacy concerns on Google.

The irony is, of course, that Facebook is hardly a shining example of how an online firm should protect its users’ privacy.

Here’s what happened:

* Facebook secretly hired giant public relations firm Burson-Marsteller to seed stories in the media about privacy concerns with Google Social Search.

Google Social Search example

The Social Search feature of Google scours the web for publicly available information about you from sites such as Twitter, Yelp, Picasa, and FriendFeed, and displays it in the search results of your online friends.

* Facebook’s plan backfired badly when Burson-Marsteller approached former FTC investigator and blogger Christopher Soghoian offering him the story, but refusing to reveal who its client was. An unimpressed Soghoian published the email exchange.

Amid much speculation, The Daily Beast news website revealed that the firm pulling Burson-Marsteller’s strings was Facebook.

* Facebook confirmed it had hired PR firm Burson-Marsteller to promote the company’s position against Google’s Social Search facility and admitted that it should have presented the issues in a “a serious and transparent way”.

This wouldn’t necessarily have been a problem, if the PR agency had been up-front that it was representing Facebook when pitching the anti-Google stories in the first place. What is seedy is that Facebook’s involvement was deliberately hidden.

This whole story reeks of poor judgement by Facebook and its PR agency.

And it’s rather hypocritical for Facebook to point fingers at possible questions over Google’s attitude to privacy, when its own house is in such a mess.

For instance, Facebook recommends that users adopt privacy settings that can reveal their personal data to anyone on the internet.

Facebook's recommended privacy settings

Don’t believe me? Read the small print in Facebook’s privacy policy:

"Information set to 'everyone' is publicly available information, may be accessed by everyone on the Internet (including people not logged into Facebook), is subject to indexing by third party search engines, may be associated with you outside of Facebook (such as when you visit other sites on the internet), and may be imported and exported by us and others without privacy limitations."

"The default privacy setting for certain types of information you post on Facebook is set to 'everyone.' You can review and change the default settings in your privacy settings. If you delete 'everyone' content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook."

In other words, if you make your Facebook information available to “everyone”, it actually means “everyone, forever”. Because even if you change your mind, it’s too late – and although Facebook say they will remove it from your profile they will have no control about how it is used outside of Facebook.

If Facebook really cared about your privacy online, wouldn’t it recommend more privacy-conscious settings and not default to sharing your profile information with search engines?

Facebook public search

If you’re interested in being safer on Facebook, read more about the security and privacy challenges that exist for Facebook users. You could also do a lot worse than follow the advice in our step-by-step guide for better security and privacy on Facebook.

And, if you’re a regular user of Facebook, be sure to join the Sophos page on Facebook to be kept informed of the latest security threats.

Full disclosure: Parts of Sophos, although not Naked Security, use Burson-Marsteller on some PR projects.

Source :- http://nakedsecurity.sophos.com

PREVENTING SPAM scam on Facebook does exactly the opposite

Image representing Facebook as depicted in Cru...

Image via CrunchBase

If you’re seeing Facebook messages asking you to “do your part in PREVENTING SPAM by VERIFYING YOUR ACCOUNT,” don’t do so – you’d be creating spam, not stopping it!

The messages look something like this:

Usually, however, the clickable links at the bottom of messages on your Wall – highlighted in pink below – should look like this:

The scammers have replaced the “Share” option with a link labelled “== VERIFY MY ACCOUNT ==”. Clicking this not only activates the Share option (which you no longer realise you’re pressing), but also invokes a raft of heavily obfuscated JavaScript from a site in the .info domain. (This site is blocked by the web protection software in Sophos‘s endpoint and web gateway products.)

With all the unexpected Sharing going on, this message has spread like wild-fire. Instead of preventing spam, this particular campaign has been generating it at astonishing rates.

The good news is that Facebook seems to have taken some action to prevent the “Share” button being replaced in these messages. Since a few minutes ago, malicious messages appear with no links at all, like this:

The lessons to be learned from this outbreak of spam are as follows:

* Assume that messages which ask you to verify your account by clicking on a link are false. You wouldn’t (I hope) click on links in emails which claimed to come from your bank trying to panic you about your account. That would be a classic phishing scam using a false site to steal your username and password. So don’t trust that sort of link on Facebook, either.

* When you take some action on Facebook which doesn’t deliver what was promised – for example, if you end up Sharing or Liking something you didn’t intend to, or if you click through to an offer or competition which suddenly morphs into something completely different (a bait-and-switch) – assume you have been tricked. Review the side-effects of your actions. Remove any applications you may trustingly have accepted; unlike things you didn’t mean to like; and delete posts you didn’t intend to make.

* Be wary of unexpected changes to Facebook’s interface for Liking, Commenting, Sharing and so forth. Unfortunately, the nature of social networking sites is that they like to undergo rapid change. Cybercrooks exploit this by assuming that you accept ongoing changes as “part of how things work”. Don’t do so. If you see something different, check with an official source to see if it’s expected or not.

If sufficiently many Facebook users dig their heels in every time Facebook makes a gratuitous or confusing change in its interface, its privacy settings or its feature set, then it’s possible that Facebook will learn to adapt in ways which best suit the privacy and safety of its users, instead of adapting to improve its traffic and benefit its paying customers.

(Remember that as a Facebook user, you aren’t a customer. You’re effectively an informal employee, paid not in cash but in kind. Your “wage” is free access to the Facebook system. Your clicks generate the value for which Facebook can charge its customers – the advertisers who benefit from the fact that you use the network at all. Don’t sell yourself short.)

Source :- http://nakedsecurity.sophos.com

Free Subway gift card spam spreading on Facebook

Sophos  received a number of questions from Facebook fans of Sophos regarding messages that have spread across the social network claiming to offer a $100 gift card for the Subway sandwich chain.

Here’s a typical message:

Subway Facebook message

Free Subway Gift Cards - Limited Time

Get Your Free Subway Gift Card Now! Click for Details

So, what’s going on here? Well, the first thing to realise is that it’s not something endorsed by Subway.

Although the link you click through to has no qualms about using Subway’s logo, and images of meals you can purchase at Subway, it’s actually from an independent third party company.

Subway gift card webpage

Many people will probably be so keen to receive $100 worth of Subway meals that they won’t read the small print at the bottom of the page:

The above listed merchants or brands in no way endorse or sponsor FreeGiftCardSon.us's offer and are not liable for any alleged or actual claims related to this offer. The above listed trademarks and service marks are the marks of their respective owners.

FreeGiftCardSon.us is solely responsible for all Gift fulfillment. In order to receive your gift you must: (1) Meet the eligibility requirements (2) complete the rewards bonus survey (3) complete a total of 5 Sponsor Offers as stated in the Gift Rules (4) not cancel your participation in more than a total of 2 Sponsor Offers within 30 days of any Sponsor Offer Sign-Up Date as outlined in the Gift Rules (the Cancellation Limit) and (5) follow the redemption instructions.

The pages ask you some simple and apparently harmless questions: are you male or female, which age group do you fall into, etc.. before asking for your email address.

Subway gift card spam wants your email address

At this point the page tells you that you must post the message onto your Facebook page in order to qualify for the free $100 Subway gift card.

In this way the message is spread virally to your Facebook friends.

But there’s still no sign of your free Subway gift card, because the site now wants you to hand over much more personal information, including your name, address, email address, full date of birth, cellphone and telephone number etc.

Form asks for your personal details

Again, notice that the webpage doesn’t seem to have any issue with using the Subway logo – despite not being affiliated with Subway. Clearly this is done in an attempt to trick Facebook users into believing that they are talking directly to the high street brand.

According to the small print, you’ll have to complete multiple “sponsor offers” before they will even consider sending you a gift card – which may cost you both in time and money, but also the sheer treasure trove of personal information you will have handed over.

Sophos advice? Avoid these “offers” as they’re unlikely to ever prove fruitful, and may result in you handing over a wealth of data about yourself to complete strangers. When you agree to post a message about such gift cards on Facebook, you are putting your online friends at risk of having their privacy damaged too.

Source :- http://nakedsecurity.sophos.com

7.5 Million Facebook Users Are Younger Than 13

Image representing Facebook as depicted in Cru...

Image via CrunchBase

Some 7.5 million Facebook users over the past year were younger than 13, according to a Consumer Reportssurvey.

The report, made public on Tuesday, is based on a survey of 2,089 members of a TNS interactive consumer panel. Using that sample, the magazine was able to estimate that more than 5 million Facebook users are 10 years old and younger, making up the bulk of the 7.5 million figure. Facebook’s terms of service require users to be at least 13 years old. To join, though, users merely have to enter their supposed birth dates when they sign up.

But Facebook’s screening requirements for minors may be a moot topic. In a statement, Jeff Fox, technology editor for Consumer Reports, said the majority of parents of kids 10 and under “seemed largely unconcerned by their children’s use of the site.”

Reps from Facebook could not be reached for comment.

This isn’t the first time Facebook’s policies on minors have been called into question. A class action suit filed in August in Los Angeles alleged that Facebook’s “Like” button triggered instances in which minors were endorsing products without their parents’ consent.

Source :- http://mashable.com

%d bloggers like this: