UPDATE 8/10/2014: What to do if you are infected with Facebook Malware (includes scanner download)
As of March 2013, there are 1.06 billion users and 689 million mobile users on Facebook. Those users visit 42 million pages and use 9 million apps.* That’s a lot of opportunity for hackers to get your private information and hack into your stuff. My post today is about explaining how they are doing it. We’re going to cover a lot of ground so play close attention. Here’s what we’ll cover : Five ways that your Facebook account can be hacked, ‘Silent Listeners’ and a recent phishing attack on Facebook of which you need to be aware.
Five ways your Facebook account can be hacked
The following are just some of the most popular ways among hackers to get into your account. We’ll briefly consider them and, later, what you can do to protect yourself and others.
- Keylogging – this is done through spyware programs and basically can monitor your keystrokes, grabbing whatever information it can including your password as you type. Affects local and remote pcs. Very easy for them to do. Until its removed, they can monitor everything that’s being typed.
- Phishing – is about obtaining sensitive user information (passwords, credit cards, etc) through some kind of fraud, usually an email or a web page that directs you to click a link or give up some information that lands in the hands of a hacker. In this instance, a fake facebook page is created and the user is tempted to trust it and enter information through a login prompt. Once the information is entered it is stored in a text file. Now the Hacker has your login credentials. There has been a recent attack of this and Facebook has been warned. I’ll write more about that in a little bit.
- Mobile phone hacking – This is similar to keylogging (discussed above) in that it uses a spyware program installed on your smart phone to capture your keystrokes.
- Session Hijacking – this is one where the most dangerous thing you can do to invite it is be on a non secure connection (Http: rather than Https:). Session hacking allows the hacker to steal your browser session cookie information which allows you to authenticate (confirms your login) on a web site, in this instance Facebook. Session cookies are usually temporary and get deleted when you close the browser. But during their time in use, a hacker can interrupt and steal the information associated with it.
- Side-jacking – this is similar in goal to session hijacking but the means are different. Using a packet sniffer, the Hacker seeks to intercept unencrypted cookies from a website in this case, Facebook, and exploit them over a unsecure wifi connection or LAN. In this instance, both you and the Hacker have to be on the same connection.
According to a recent 7 year Facebook study (yes, we’ve been on there that long!), there are ‘silent listeners’ getting your information on Facebook. Although users ( on the whole since 2009) have been sharing less information publicly (electing instead to share within circles of friends), they have had others listening in to the conversations, photos, and other shared posts. Who are these other ‘silent listeners’? They are the third party apps so popular on Facebook. Yes, every time you agree to that invite from your friend to remember your birthday, read The Washington Times, play Farmville, share music from Spotify, check-in with Foursquare or any other third party app, you are sharing your private information with them. As noted by ThreatPost, a Kaspersky lab news agency, states:
That, along with user information given up by Facebook to entities of its choosing (law enforcement, etc.) and the information from private fields that is ultimately given to advertisers comprise a significant uptick in shared personal information that oftentimes, users are completely unaware they’re sharing. It’s these apps and entities that are ultimately likened to as “silent listeners” in the trio’s paper.
So you might want to think twice about using third party apps in the future or at least limit the ones you use.
Recent phishing attack on Facebook
As of two days ago, a new phishing campaign has been targeting Facebook users and Facebook pages. It looks and feels like a Facebook page but what it does is ask you for information Facebook is not getting – a Hacker is.
The following is an image of the so-called “Facebook Verification page” which is a bogus page asking users/admins for the page URL/ name and your login credentials. **
Once you fill out the page the Hacker has your information to exploit for selling or his/her own purposes.
Facebook Phishing Protection:
- Don’t click on links in email messages – unless you are absolutely sure of the source. And even then, its not that hard to go to the web site out side the email to check it out.
- Don’t put personal information in an email.
- Do not enter personal information in a pop up page (opens a new window)
- Send suspect Facebook phish pages and emails to: https://www.facebook.com/help/217910864998172
Facebook mobile phone Protection: When connecting through a mobile phone, use a VPN (Virtual Private Network). If you can’t afford a business or paid VPN service, there are free alternatives. These free services will NOT give you the same level of protection so don’t use them for sensitive data transmission like bank records and such. VPN’s also tend to slow down your browsing speed. Bottom line: invest in a good VPN service.
Facebook Keylogging Protection: This is a difficult issue because many businesses use them to monitor their employees. So some anti-keylogger software does not filter all key loggers. There are free anti-keylogger software and paid. Best advice: comparison shop and make yourself aware of the pros and cons of each and your situation and need.
One of our leading Cryptograghers, Bruce Schneier, just came out with a post addressing social sharing changes to his blog. Again, it concerns how your and my data is being tracked through social media buttons – often without our knowledge, most definitely without our consent. As he states the problem…
The problem is that these buttons use images, scripts, and/or iframes hosted on the social media site’s own servers. This is partly for webmasters’ convenience; it makes adoption as easy as copy-and-pasting a few lines of code. But it also gives Facebook, Twitter, Google, and so on a way to track you — even if you don’t click on the button. Remember that: if you see sharing buttons on a webpage, that page is almost certainly being tracked by social media sites or a service like AddThis. Or both. (Schneier)***
His solution to this is to use an alternative sharing system called Social Share Privacy. It’s a plugin that developers can use on your site to help provide a layer of privacy between you and the trackers. Its a 2-click system. Its not perfect but if you don’t click, you don’t get tracked. Here’s how it works…
The buttons are first disabled and a user needs to click them to enable them. So in order to e.g. like a site on facebook with these social share buttons a user needs to click two times. But in return for this extra click a user can only be tracked be this third party sites when he decides to enable the buttons. Using the settings menu a user can also permanently enable a social share button. (Social Share Privacy)
Our post deals mainly with security, but part of that includes how much information you want third-party apps to be taking and sharing with Big Data storehouses as well. I’ll be writing a bit more about that in a future post.
But for now, give Switched-On-Sites a call and allow me to help make your web site secure and your information private while you do business on the web.
*Figures provided by Digital Marketing Ramblings
** image src: The Hacker News
***Schneier on Security