Algeria.com Discussion Forum - Powered by vBulletin


  1. #1
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,378

    Facebook shrugs off warning to vet potentially malicious programs

    .....Ferguson, meanwhile, advised users
    to regard every message on Facebook
    as "guilty until proven innocent".....


    March 2, 2009 -- Facebook must revise its policy on letting programs that have not been previously vetted for malicious intent be unleashed on the site, a web security expert has warned.

    But the founder of the five-year-old social networking site, Mark Zuckerberg, insists that he will not put such safeguards in place – arguing that "an open system anyone can participate in is generally better."

    Rik Ferguson, senior security advisor at Trend Micro, said that in comparison to vetting procedures at rival social networking site MySpace and Apple's iPhone App Store for the iPhone, Facebook's hands-off policy – whereby anyone can offer a program for use by Facebook's 175 million users – will contribute to a growth in rogue applications, and that users should be wary of any new or fast-spreading ones they encounter.

    Ferguson says he has monitored four malicious applications in the past week alone, as well as the resurgence of the "Koobface" virus, first seen last July, which sends out intriguing-sounding links to friends of an infected user, who is then tempted to a "video" page which instead infects their computer. Only PCs running Microsoft Windows are at risk.

    "The [Facebook] policy is facilitating the growth of rogue applications, and making it easier," Ferguson said. "If Facebook does nothing, they will continue to increase.

    "This feels like a test run for something more malicious in the future. It may be about stealing identities, or it may be much more."

    An application called "Error Check System" warns that friends are having problems accessing a user's profile, while two called "Closing Down" try to get users to install an application to prevent their profile being shut down for "violating Facebook's terms of use" – telling the target to visit a page to answer a charge that they have broken the site's conditions of use.

    The applications appear to be trying to gather personal information, but because Facebook hosts all user data and the data related to applications, it is impossible to tell how much information these rogue apps have gathered, said Ferguson.

    It is possible that the information could contribute to identity theft by scraping contact details, siblings and pets' names and maiden names, some of which can be used to trick users into handing over passwords in sophisticated "phishing" scams.

    "The speed with which these applications have spread comes down to the classic combination of fear, uncertainty and doubt," said Ferguson. "It's because these messages appear to come from friends that makes them so powerful."

    Speaking to the BBC, Facebook founder Mark Zuckerberg insisted that the site would not start vetting applications before they go live on the site.

    "Our philosophy is that having an open system anyone can participate in is generally better," he said. "When we were starting this we wanted anyone to be able to develop an application. This has made it so students in their college dorm rooms could build applications for free. That's how I got started with Facebook. We really want to make sure that sort of innovation is possible."

    A Facebook spokesman said the malicious applications and the more severe Koobface worm had affected only a small percentage of its users, and that it provided detailed advice on its security page.

    Koobface last struck the site in December, posting comments on profiles which contain links that will download the virus to a user's PC, and also affected rival social networking sites MySpace, Bebo and Friendster.

    Ferguson, meanwhile, advised users to regard every message on Facebook as "guilty until proven innocent".

    He said users should set their profiles to private rather than allowing them to be indexed by search engines, and advised that they remove phone numbers, family names and travel plans.

    "And just because a message seems to come from a friend, don't believe it. We give these messages more credibility because they come from someone we know but every message should be treated with caution."

  2. #2
    Bent_Bladi is offline Moderator
    Join Date
    May 2005
    Location
    In da hood
    Posts
    7,136
    wth Zuckerberg !!!!!!!! ????


    NEVER grow up
    Al Imran 147 - BE OPTIMISTIC!!
    your ≠ you’re

  3. #3
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,378

    May 1, 2009 -- One prominent downside to the tremendous user base that social networking sites amass is that they become huge targets for malicious intent. Given the sheer size of many of these sites, protecting users from online attacks isn't terribly practical, so it's usually left up to the individual. Facebook has been dealing with this first hand lately, after coming under attack by a large number of phishers.

    In the past few days, Facebook has reported a massive surge in phishers using fake pages and other viral methods to trick users into releasing usernames and passwords. This expands further with the stolen information being used to harvest more usernames via contact lists. With a user base of 200 million, even a small percentage of infections could spiral out of control if this isn't dealt with. Declining to reveal specific numbers, Ryan McGeehan, threat analyst for Facebook, admitted that it was enough for them to begin taking steps to stop the attacks.

    Attacks like these come and go, and McGeehan along with many security experts believe that the number one way to protect any group of people is through education. But when you are dealing with literally hundreds of millions of people, where do you start and how do you educate them all?

  4. #4
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,378

    May 1, 2009 -- Facebook has brought in some soldiers to fight the war against malware and phishing scams on the social-networking site. After two different malware attacks this week, Facebook announced it would begin using San Francisco-based MarkMonitor's antifraud services as an additional layer of protection against attacks.

    "Our deep commitment to the safety of our users requires a strong proactive security strategy, best-of-breed technology, and active engagement with industry leaders," said Ryan McGeehan, threat analyst at Facebook. "MarkMonitor demonstrated that it understood the complexity of the phishing issue we were facing, so it was a natural next step for us to bolster our own security systems with their anti-malware solution."

    Users victimized

    This week some of Facebook's 200 million users were victims of phishing attacks. One attack took control of users' accounts, sending messages to their friends telling them to check out a specific Web site, fbstar.com. The other incident pointed victims to fbaction.net.

    Andy Cutler, co-partner of Cutler and Company, was not aware his account had been under the control of a hacker until he received several e-mail and text messages alerting him that his account had been phished.

    "The first thing I did for survival was to go into my Facebook account and change my password," Cutler said. "I just figured if someone hacked my account, I was not going to tear down the page but to change my password, and I did post a notice on Facebook saying I had been phished and apologized."

    Cutler's hacker did some damage by sending a total of 19 different messages averaging 20 different people per message. For Cutler it could have been a communications disaster, as he has 495 friends in his Facebook account.

    Trust breached

    While the attack didn't cause any major problems to Cutler and his friends, it did hurt Facebook's reputation.

    "I tell you what it did do for me - it put Facebook in a different light for me than other social-network tools," Cutler said. "I'm pretty active in Twitter and Facebook has been a way to keep up with people in my networks, but I have to say I was disappointed in Facebook that this can get through their security system."

    Aarin Morrow of Denver thought she was pretty tech-savvy until she became a victim of the fbaction.net attack.

    "What happened is a friend of mine was a victim the day before with fbaction.net and I'm very computer tech-savvy and still clicked on it and stupidly logged in," Morrow said. "I said this is weird and e-mailed my friend and asked about the link, and he said he didn't send it."

    Morrow became a victim again the next day with the fbstar.com attack. A total of 45 of Morrow's Facebook friends received the message "Look at This," pointing the friends to the fbstar.com Web site.

    "What is unfortunate about this is that MySpace got spammed with stuff like this and Facebook never had those problems, but no one is exempt from having this issue happening," she said. "In the future I will be more cautious."

    Obligation to users

    "I think FB has an obligation to its users to say please don't fall for this scam," Cutler said. "By allowing the system to be hacked, it created a catch-22 for them. People now have negative feelings toward the company and it impacts the way people view them and their communication because they don't know if they can trust their communication."

    This isn't the first time Facebook has had to deal with malware issues. In February, users were dealing with another scam where hackers took control of users' accounts and sent out messages to their friends asking for financial help after being robbed. In some cases, Facebook had to disable the accounts and users had to create new accounts.

    "The meteoric success of Facebook makes it a natural target for malware attacks that seek to capitalize on their trusted and recognizable brand," said Frederick Felman, chief marketing officer of MarkMonitor.

    "The MarkMonitor technology and 24/7 security operations center are key to helping Facebook fight phishing and malware," said Te Smith, a spokesperson for MarkMonitor.

    When MarkMonitor verifies a malicious site, it updates phish-site block lists for its network of popular browsers, security vendors, and e-mail providers. Then it takes down the malicious site to get it off the Internet.
