Reader “Jeremy M” has got in touch, with an amusing example of an attempted attack that has been seen on Facebook.
Here is what the suspicious Facebook message from “Mark Zukcemberng” says:
Dear Facebook user,
After reviewing your page activity, it was determined that you were in violation of our Terms of Service. Your account might be permanently suspended.
If you think this is a mistake, please verify your account on the link below. This would indicate that your Page does not have a violation on our Terms of Service. We will immediately review your account activity, and we will notify you again via email.
Verify your account at the link below:
[LINK]Thanks for being part of Facebook Community.
In this particular case, someone has cutely responded:
Lol, that’s cute. Learn to spell Zuckerberg properly and then your phishing attempt will be a tiny bit more credible.
But if you weren’t being cautious, you might click on Zukcemberng’s link and not realise that you were being taken to a third-party app accessible via Facebook’s site.
And at the end of a long day, or if you awoke with bleary eyes after a night on the tiles, you might not think twice about following the webpage’s request that you enter your Facebook login details.
A moment’s carelessness can lead to your Facebook account being compromised, and hackers having access to your private messages, your profile and any pages you might administer.
I hope for your sake that you weren’t also using that same password for other online accounts – such as your web email or PayPal account.
To better protect yourself against attacks like this, don’t forget that Facebook offers two factor authentication protection through Login Approvals that will send a confirmation message to your mobile phone whenever it sees an attempt to log into your account from an unknown device.
By the way, there’s a reason that the phisher isn’t using a profile which uses the identical spelling of the famous Facebook founder’s name – Facebook won’t let you! “Mark Zuckerberg” is one of Facebook’s banned names, that it won’t let you use when you create an account, even if it is your real name.
Of course, if you were to contact Facebook with a copy of your passport or a scanned driving license, maybe they would acquiesce. But then, if you’re going to go to all that effort, maybe you would find your life less painful if you simply changed your name by deed poll.
If you are on Facebook, and want to be kept updated with news about security and privacy risks, and tips on how to protect yourself online, join the Graham Cluley Security News Facebook page.
I received one of these messages. I responded with "Seems Legit"
On the subject of phishing…
While this certainly won't help in all cases and it certainly won't counter MITM (man in the middle) attacks, there is still something that can help against the "failing to see the differences" (no matter what the differences are). I do mention several caveats though and I also will note that for many people this will be much more work than it is worth (for the person in question). But otherwise… for those who use the browser Firefox if you get the plugin 'noscript' you will notice that a lot of sites break (because the scripts are blocked). Further, if you temporarily allow scripts and reload you may have to do that again (because unfortunately many sites don't have the scripts on their site themselves so link to one which links to another – when the first is enabled). But where does this fit into phishing? Besides the advantage of stopping XSS, clickjacking and other attacks, there is this concept in security (especially relevant and in fact critical in building firewalls and security models in general): that which is not explicitly allowed is forbidden. So how do you use that? You whitelist your valid sites (but be cautious with how many you allow and that means also how many dependencies you allow) and then if by chance you come across a phishing attempt (mind you, another thing this won't protect against is sites you already trust and log in e.g., for those who use facebook, it might include facebook… if a link from there takes you to another site however, it would help) you can discern whether or not it is the 'true' site. You'll note messages in the status bar (bottom, at least in my set up) that look like "Scripts Partially Allowed, …" or you might notice that all scripts are allowed. If you allowed all scripts then you can be more (note: not 100%) confident it is the correct site.
Things to be aware of though:
1. Yes, this will break many sites and you either temporarily allow scripts (some times repeatedly) or you determine (over time) what needs to be allowed and what does not.
2. This might be too much for many people to handle for the fact it DOES break functionality. For people like me, this is more often than not a good thing. Especially for sites like facebook. No thanks Mark! (Humour aside, this is indeed something that you may or may not have good results with).
3. If you allow too many sites or globally allow scripts it sort of defeats the purpose of this.
4. This obviously won't help if a site itself (that you trust) is compromised. For example, if you use this for your bank account and the bank's website is compromised then that's another issue entirely.
5. Similar possibilities exist for 4.
6. If you allow a site be aware that some sites may over time change to refer to another site. Is it legit or not? You have to use your judgement based on the facts you have (upgrade notice prior to the change, for example).
This also prevents (or can) obnoxious redirects by scripts (if the web server itself redirects you, as one example, that is another story entirely).
Bottom line with security is that you do have to weigh the gains against the inconvenience. At the same time though, you should not be too click ready, should always be aware that there are risks (and there is no such thing as a 100% secure device, not even if it is offline – physical access is all one needs in order to get complete access. Yes, if you encrypt your entire disk volumes it will take more time but it still can be done; in other words: you can never be too cynical or wary of the possibility there is foul play) and if there is something that is a huge inconvenience there is a high chance that someone will (like me, though nothing like this as for me I only write a tool when I will be doing something more than once and I can automate it.. others however might do just what you need) have addressed it with a utility of some sort (example is password database applications like Keepass). Realistically this is probably too much for most people but for those who are:
a) bothered by scripts (including popups and other obnoxious things [sound, video you don't want, other things], adverts are indirectly stopped too)
b) not bothered by having to enable scripts temporarily with the chance that some times sites will break (note: writing comments/posts could be lost so either be sure you know what scripts need to be enabled OR write it in a text editor or word processor and copy/paste).
…then this is just one extra layer of defence (security is a many layered thing). One more thing: don't be too reliant on it. By not thinking beyond it, there is the risk you miss something. This is merely an additional way to know whether or not you are at the site you think you are (if you whitelisted said site). Never let your guard down though and never stop thinking because in the end of the day, using your brain is required (perhaps, however, not literally at the end of the day…). The point of this is: is the site allowed explicitly by me ? If not, and I know I added what the site should be, then something isn't right (whether that is additional scripts added or whether it is foul play, you have to decide). That doesn't mean if it is allowed all is OK for sure. There is a big difference (just throwing this disclaimer in here as it is important).
/end ridiculously long (but hopefully helpful in some way) response.