
Facebook 'ideal' for phishing attacks: researcher

Slimy on 15 April 2007 - 21:22 · 18 comments & 9317 views

Security researcher Nick Sullivan at Symantec Corporation believes that the privacy settings on social networking websites such as Facebook give people a false sense of security that could expose them to phishing attacks. "This illusion of privacy leads people to be a little freer in their disclosure," he wrote in a post to the company's security response weblog. Private information, ranging from e-mail address and phone number to physical address, can all be available to a determined phisher or identity thief. One way to get at that information is to seize control of the account of someone designated a friend, or of someone in the same network, he said.

Phishers can easily engineer fake notifications that follow the format of legitimate friend requests e-mailed to Facebook members, for example. A typical e-mail would ask a user to click on a link to confirm that they are friends with an individual requesting addition as a friend on the network. Some users almost reflexively log in to a site through a link provided in an e-mail, he noted. "This simple, clean design is very easy for a phisher to mimic. … This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions."
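The defence implied by the article is to check where a notification link actually leads before logging in. The following is an added example, not code from the article, from Symantec or from Facebook: a small Python helper that parses a link and accepts it only if the real host is facebook.com or a subdomain of it (the `<network>.facebook.com` layout of the time), rejecting the standard phishing tricks of putting the legitimate domain in the path, in the userinfo part before an `@`, or as the prefix of a different domain. The allow-listed domain and the sample links are constructed for illustration.

```python
"""Classify links from a 'friend request' e-mail as genuine or suspicious.

Added example, not code from the article, Symantec or Facebook. The
allow-listed domain and the sample links are constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical allow-list: the bare domain plus any subdomain of it.
LEGIT_DOMAIN = "facebook.com"


def is_legit_link(url: str, domain: str = LEGIT_DOMAIN) -> bool:
    """Return True only if the URL's actual host is `domain` or a subdomain of it.

    The check uses the parsed hostname, not a substring search, so a URL that
    merely *contains* facebook.com somewhere (path, userinfo, lookalike suffix)
    is rejected. Only http and https links are considered at all.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # malformed URL (e.g. broken IPv6 brackets)
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname         # strips userinfo and port, lower-cases
    if not host:
        return False
    host = host.rstrip(".")       # "www.facebook.com." is the same host
    return host == domain or host.endswith("." + domain)


def classify_links(urls):
    """Map each URL to 'ok' or 'suspicious' for a quick triage of an e-mail's links."""
    return {u: ("ok" if is_legit_link(u) else "suspicious") for u in urls}


# Constructed sample links such as a notification e-mail might carry.
SAMPLE_LINKS = [
    "http://harvard.facebook.com/reqs.php",        # genuine <network>.facebook.com
    "https://www.facebook.com/confirm",            # genuine
    "http://facebook.com.evil.example/reqs.php",   # legitimate name as a prefix
    "http://www.facebook.com@evil.example/login",  # legitimate name in userinfo
    "http://evil.example/facebook.com/reqs.php",   # legitimate name in the path
    "http://notfacebook.com/",                     # shares a suffix, not a label
    "javascript:alert(1)",                         # not an http(s) link at all
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:10s} {url}")
```

This only verifies the host, so it does not catch homoglyph or look-alike registered domains, and it does nothing against the other route the article describes, a friend's account that has already been taken over. The habit several commenters describe below, ignoring the e-mail link and typing the site address directly, removes the URL question entirely.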

News source: CBC News

Comments
(3 replies) #1 CocoVG on 15 Apr 2007 - 21:40
I disable Facebook's ability to e-mail me anything. I simply log into the site the regular way whenever I want to visit. After all, I don't need to log in every time someone requests me as a friend or writes on my wall. If others followed the same example, it would just be a matter of setting appropriate privacy settings.
#1.1 +stifler6478 on 15 Apr 2007 - 22:05
Or you could just look at the url in the address bar after you click a link and make sure it actually says <network>.facebook.com/<etcetc> and not something else... This behavior is otherwise known as not being an idiot on the internet.

-Spenser
#1.2 CocoVG on 15 Apr 2007 - 22:56
Quote - (stifler6478 said @ #1.1)
Or you could just look at the url in the address bar after you click a link and make sure it actually says <network>.facebook.com/<etcetc> and not something else... This behavior is otherwise known as not being an idiot on the internet.

-Spenser

Heh. I think the idea is that most people don't do that; that's why phishing e-mails work! So unfortunately, rather than fix user behaviour (ideal), we're stuck with patching user behaviour instead (don't have Facebook send e-mail). Cheers!
#1.3 Samboini on 16 Apr 2007 - 11:09
Quote - (stifler6478 said @ #1.1)
Or you could just look at the url in the address bar after you click a link and make sure it actually says <network>.facebook.com/<etcetc> and not something else... This behavior is otherwise known as not being an idiot on the internet.

-Spenser

As above, or turn all messages off. Surprise, surprise, you have yourself no problems.
#2 iOsiris on 15 Apr 2007 - 22:14
Why don't you guys just log in to facebook.com first then?..
#3 Primexx on 15 Apr 2007 - 22:23
hm, article makes sense.
(2 replies) #4 CrisCr0ss on 16 Apr 2007 - 01:40
This doesn't really affect me, as if I receive an email from Facebook then I delete it and open facebook.com. I have never clicked on the link in an email, not sure why.
#4.1 clonk on 16 Apr 2007 - 04:21
Good for you.
#4.2 +WindowsNT on 16 Apr 2007 - 10:31
I do the same, it's one way to ensure you are not being "phished"
#5 thenay on 16 Apr 2007 - 02:43
I have my profile on the highest restrictions, I'm not stupid....
#6 obsolete_power on 16 Apr 2007 - 07:30
I don't accept friend requests from people I don't know. Same goes to clicking on links from people I don't know.
#7 plastikaa on 16 Apr 2007 - 11:01
The solution to this is being annoying so you don't have any friends; then no one will add you, and therefore you will know it's not a real Facebook email when you receive one.
#8 Cryton on 16 Apr 2007 - 14:11
That's spooky. Only a couple of hours ago I received an email saying that someone or other had added me as a friend or something. But it was sent to one of my accounts that has nothing to do with Facebook. I'm going to do what comment 1 said; sounds like a good idea to me.
#9 +GreenMartian on 16 Apr 2007 - 14:32
Pfft... If neowin implements tagging like slashdot, this would surely be tagged "duh".

Any social networking site, or just any website frequented by people that come from non-technical background (in case you haven't noticed, they outnumber us geeks who know which site to click and which not to) is "Ideal" for phishing attacks.

I honestly envy the job of these so-called "researchers"
#10 C_Guy on 16 Apr 2007 - 15:16
Did anyone else stop reading after "security researcher" and "Symantec Corporation"?

Check this out, Symantec: Since Facebook doesn't rely on encrypted data transmission, there is no "illusion of privacy". No data exchanged on a website that's not secure (http://) is private.

Symantec actually pays this guy?
#11 creamhackered on 16 Apr 2007 - 18:24
I could see how loads of people would fall victim to this if it started happening.
#12 TGT on 16 Apr 2007 - 18:52
Do people REALLY post their phone numbers, home/work addresses, and other contact information? If they do, they should be shot.... or barred from the internet.
#13 black_death on 16 Apr 2007 - 20:40
what a moron, any site with lots of users is "ideal" for phishing attacks!
