Several tragedies of recent have provided opportunities for people to reach out and give to help those affected.  Giving online has become easier because of technology and  its also becoming the means of choice.  Unfortunately, this also affords those who have a bad purpose to take advantage of tragic circumstances with scams.  According to a recent release from National Cyber Awareness System, there are already some who are trying to take advantage of the Boston Marathon tragedy and those who are willing to contribute.   How can they do this?  By registering fake domain names and fake social media accounts.  The US-CERT had this to say:

For example, Twitter account
@_BostonMarathon was created shortly after the explosions took place.
The account stated it would donate $1 for each retweet, and was crafted
to closely resemble the legitimate Boston Marathon Twitter account
(@BostonMarathon). This account has since been suspended by Twitter;
however, the likelihood that similar social media accounts will surface
remains high.

US-CERT recommends that you look to official charities if you wish to donate money to support those affected by tragedies, especially those that have recently happened, such as the Boston Marathon bombing,  the West, Texas Fertilizer plant explosion and the Beaumont, Texas Oil Refinery fire.

Use caution when clicking links or interacting with social media accounts that claim to be representing a charity for a recent tragedy or need.   Do your homework.  Check out legitimate news agencies for verification or trusted  local organizations and churches.

UPDATE 8/10/2014:  What to do if you are infected with Facebook Malware (includes scanner download)

As of March 2013, there are 1.06 billion users and 689 million mobile users on Facebook.  Those users  visit 42 million pages and use 9 million apps.*   That’s a lot of opportunity for hackers to get your private information and hack into your stuff.  My post today is about explaining how they are doing it.  We’re going to cover a lot of ground so play close attention.  Here’s what we’ll cover : Five ways that your Facebook account can be hacked, ‘Silent Listeners’ and a recent phishing attack on Facebook of which you need to be aware.

Five ways your Facebook account can be hacked

The following are just some of the most popular ways among hackers to get into your account.  We’ll briefly consider them and, later, what you can do to protect yourself and others.

1. Keylogging – this is done through spyware programs and basically can monitor your keystrokes, grabbing whatever information it can including your password as you type.  Affects local and remote pcs.  Very easy for them to do. Until its removed, they can monitor everything that’s being typed.
2. Phishing – is about obtaining sensitive user information (passwords, credit cards, etc) through some kind of fraud, usually an email or a web page that directs you to click a link or give up some information that lands in the hands of a hacker.   In this instance, a fake facebook page is created and the user is tempted to trust it and enter information through a login prompt.  Once the information is entered it is stored in a text file.  Now the Hacker has your login credentials.  There has been a recent attack of this and Facebook has been warned.  I’ll write more about that  in a little bit.
3. Mobile phone hacking – This is similar to keylogging (discussed above) in that it uses a spyware program installed on your smart phone to capture your keystrokes.
4. Session Hijacking – this is one where the most dangerous thing you can do to invite it is be on a non secure connection (Http:  rather than Https:).  Session hacking allows the hacker to steal your browser session cookie information which allows you to authenticate (confirms your login) on a web site, in this instance Facebook.  Session cookies are usually temporary and get deleted when you close the browser. But during their time in use, a hacker can interrupt and steal the information associated with it.
5. Side-jacking – this is similar in goal to session hijacking but the means are different.  Using a packet sniffer, the Hacker seeks  to intercept unencrypted cookies from a website in this case, Facebook,  and exploit them over a unsecure wifi connection or LAN.  In this instance, both you and the Hacker have to be on the same connection.

‘Silent Listeners’

According to a recent 7 year Facebook study (yes, we’ve been on there that long!),  there are ‘silent listeners’ getting your information on Facebook.  Although users ( on the whole since 2009) have been sharing less information publicly (electing instead to share within circles of friends), they have had others listening in to the conversations, photos, and other shared posts.  Who are these other ‘silent listeners’?  They are the third party apps so popular on Facebook.  Yes, every time you agree to that invite from your friend to remember your birthday, read The Washington Times, play Farmville,  share music from Spotify, check-in with Foursquare or any other third party app, you are sharing your private information with them.  As noted by ThreatPost, a Kaspersky lab news agency, states:

That, along with user information given up by Facebook to entities of its choosing (law enforcement, etc.) and the information from private fields that is ultimately given to advertisers comprise a significant uptick in shared personal information that oftentimes, users are completely unaware they’re sharing. It’s these apps and entities that are ultimately likened to as “silent listeners” in the trio’s paper.

So you might want to think twice about using third party apps in the future or at least limit the ones you use.

Recent phishing attack on Facebook

As of two days ago, a new phishing campaign has been targeting Facebook users and Facebook pages.  It looks and feels like a Facebook page but what it does is ask you for information Facebook is not getting – a Hacker is.

The following is an image of the so-called “Facebook Verification page” which is a bogus page asking users/admins for the page URL/ name and your login credentials. **

Once you fill out the page the Hacker has your information to exploit for selling or his/her own purposes.

Advice:

Facebook Phishing Protection:

• Don’t click on links in email messages – unless you are absolutely sure of the source.  And even then, its not that hard to go to the web site out side the email to check it out.
• Don’t put personal information in an email.
• Do not enter personal information in a pop up page (opens a new window)
• Send suspect Facebook phish pages and emails to:  https://www.facebook.com/help/217910864998172

Facebook mobile phone Protection: When connecting through a mobile phone, use a VPN (Virtual Private Network).   If you can’t afford a business or paid VPN service, there are free alternatives.  These free services will NOT give you the same level of protection so don’t use them for sensitive data transmission like bank records and such.  VPN’s  also tend to slow down your browsing speed.  Bottom line: invest in a good VPN service.

Facebook Keylogging Protection:  This is a difficult issue because many businesses use them to monitor their employees.  So some anti-keylogger software does not filter all key loggers.  There are free anti-keylogger software and paid.  Best advice: comparison shop and make yourself aware of the pros and cons of each and your situation and need.

UPDATE 3/26/2013

One of our leading Cryptograghers,  Bruce Schneier, just came out with a post addressing social sharing changes to his blog.  Again, it concerns how your and my data is being tracked through social media buttons – often without our knowledge, most definitely without our consent.  As he states the problem…

The problem is that these buttons use images, scripts, and/or iframes hosted on the social media site’s own servers. This is partly for webmasters’ convenience; it makes adoption as easy as copy-and-pasting a few lines of code. But it also gives Facebook, Twitter, Google, and so on a way to track you — even if you don’t click on the button. Remember that: if you see sharing buttons on a webpage, that page is almost certainly being tracked by social media sites or a service like AddThis. Or both. (Schneier)***

His solution to this is to use an alternative sharing system called Social Share Privacy.  It’s a plugin that developers can use  on your site to help provide a layer of privacy between you and the trackers.  Its a 2-click system.  Its not perfect but if you don’t click, you don’t get tracked.  Here’s how it works…

The buttons are first disabled and a user needs to click them to enable them. So in order to e.g. like a site on facebook with these social share buttons a user needs to click two times. But in return for this extra click a user can only be tracked be this third party sites when he decides to enable the buttons. Using the settings menu a user can also permanently enable a social share button. (Social Share Privacy)

Our post deals mainly with security, but part of that includes how much information you want third-party apps to be taking and sharing with Big Data storehouses as well.  I’ll be writing a bit more about that in a future post.

But for now,  give Switched-On-Sites a call and allow me to help make your web site secure and your information private while you do business on the web.

*Figures provided by Digital Marketing Ramblings

** image src: The Hacker News

***Schneier on Security

Android Users: Malware Issue

There’s a  new type of malware that can infect your computer when you connect your smartphone or tablet to your computer and then install a backdoor on your computer.

The suspected malware are Clean and DroidCleaner found in Google Play android market. These two are actually the same application.  They are just released under two different names.

These applications are apparently disguised as a tool to clean memory for the Android operating system, but after installing and running it, it displays a list of all running  processes and then restarts the device. Later, in the background, the app downloads three files:

• autorun.inf,
• folder.ico,
• and svchosts.exe onto your phone.

Advice:

Currently, Google’s malware detection only targets about 15% of attacks.  Android 4.2  allows a user to access malware protection under ‘Quick settings’.  To access, ‘Quick settings’ can be accessed by swiping down from the top of the screen with two fingers, rather than the one-finger swipe used to access notifications. You can also use the settings button that located at the top of the notification drop-down menu.  You can access a malware scanner for the platform that screens “sideloaded” apps — meaning software not downloaded from Google Play — for any mischievous code.  As noted above, though, both of these apps mentioned above are found on the Google Play market.  So Buyer Beware!

Android Security Update Notice for Wireless Carriers

Android users may have noticed that they are not getting their regular security update notifications as they should leaving them and those they connect with open to exploit and risk.   The following explains why:

Activist Chris Soghoian, who has  targeted zero-day brokers in the past with his work, has focused his attention on wireless carriers and their reluctance to provide regular device updates for Android mobile devices.

Read more

Advice:

Make sure you check this link frequently, about once every 2 days.   Bottom line:  Google Android does not have the protection against malware that it should.  Keeping  up to date with security warnings is your best defense.