Did you realize some Facebook apps are being used to steal your data?

Phishing [Wikipedia] is nothing new. The bad guys have been spamming our inboxes for a long, long time hoping we'll click on some bogus link and provide them with important personal info like usernames, passwords, and credit card numbers.
Attacks like this rarely limit themselves to one avenue. So where do the bad guys go to find victims when they're not busy spamming? Why, the world's number one social networking site, of course!
Yep. Facebook, with its millions of users and juicy apps platform, makes it the perfect place for this type of vermin to set up shop. Trend Micro has found several phishing scams before that lured people to fake (but convincing) Facebook sites to harvest data. Now, however, they're doing it to you from the inside.
Trend researchers have discovered three applications so far that run on the Facebook apps platform. They can post notifications to your timeline, just like any legitimate app. The actual phishing is still done off-site, but the look is very, very convincing and you're returned to your Facebook profile afterward. It looks innocent enough, but once you've entered your credentials there's no telling what someone has planned for them.
Once Facebook receives notice that something like this is going on, the apps are typically shut down very quickly. They can, however, reappear with different names and the same old tricks.
How do you protect yourself? Many antivirus products include some element of phishing defense, but you may also want to use additional protection like WebOfTrust or AVG's LinkScanner. They'll notify you with big, red warnings when you're on a website that isn't trusted.
Apart from that, be careful what apps you install and make sure you only enter your Facebook username and password on Facebook.com. If the domain in your web browser's address bar doesn't match, exercise caution.
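The "does the address bar really say facebook.com?" check is easy to get wrong by eye, so here is an added example (not from the original post, and not anything Facebook ships) of doing it the way a browser does: compare the host that would actually be connected to, on a label boundary. The sample URLs are constructed for the example, and requiring HTTPS is an assumption added here.

```python
from urllib.parse import urlsplit

# The only registrable domain that should ever receive Facebook credentials.
TRUSTED_DOMAIN = "facebook.com"


def is_trusted_login_url(url: str) -> bool:
    """True only if `url` is served over HTTPS (assumption for this example)
    from facebook.com or one of its subdomains, judged by the host the
    browser would actually connect to."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname is lowercased, has any user@ prefix stripped, and no port.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "facebook.com." is the same DNS zone
    # Exact match, or a dot immediately before the trusted domain:
    # this rejects "facebook.com.evil.example" and "secure-facebook.com".
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample URLs of the kinds a redirect might land you on.
SAMPLE_URLS = {
    "https://www.facebook.com/login.php": True,
    "https://facebook.com/": True,
    "https://FACEBOOK.COM./": True,                         # case and trailing dot
    "https://facebook.com.login-verify.example/": False,   # trusted name as a prefix
    "https://secure-facebook.com/": False,                 # trusted name glued to a suffix
    "https://facebook.com@phish.example/login": False,     # user@ part is not the host
    "http://www.facebook.com/login.php": False,            # right host, no HTTPS
}


def check_all() -> dict:
    """Map each sample URL to the verdict is_trusted_login_url gives it."""
    return {url: is_trusted_login_url(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, ok in check_all().items():
        print(("OK       " if ok else "SUSPECT  ") + url)
```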
Comments (3)

Saint Seminole, Aug 20th 2009 1:31PM
Certainly good advice, for any website. Unfortunately, Facebook's very infrastructure makes this approach easy, since every app you install asks the dangerous question: "Can we get all your data, at any time, without asking you again?" And people keep clicking on those things.
It was that very "app approval" process that scared me away from Facebook in the first place, along with the site's own TOS, which basically asks the same question, in addition to claiming rights to your photos, etc. (Yes, I'm one of those odd people who reads the TOS before signing up to something...)
Rich, Aug 20th 2009 2:25PM
Just yet another example why to avoid Facebook.
Marco, Aug 22nd 2009 2:20PM
Good article, Lee.
I realized something weeks ago. Actually, I hate Facebook and all this web 2.0 style social networking. I have real friends and don't need to stay in contact with them via some network lol. Thanks to the good lord (or maybe just the developers...), we have phone and email... or I could just walk to them ;-)
Anyways, when I use Mobster for example... the people I play with can see my *full* name in the application. "I" automatically send them notifications that I played with them. Same with every other Facebook application that I was trying out. Even the movie review site Flixster or whatever their name was. No way to deactivate it.
A reason for me to delete *all* applications from Facebook. Facebook cannot guarantee any privacy for me. It was asking me to set up privacy options... but what if I did hide my profile to others... how is it possible that others - non friends - can access them via third party applications. No way Facebook! :-(
And somehow Facebook is starting to become a second MySpace...