Facebook just grew up and gave some of its users a shock they probably deserve. You might even have been one of them.
You may have received a message from a friend already on Facebook; something that doesn’t sound like them, but hey, they might have been out partying when they wrote it:
“have you heard about that blog that was about you? apparently it’s pretty bad,” it will say. “I think you and everyone should read it..” And then there’s a link.
Click on the link and you’d be taken—if you’re unlucky, and haven’t upgraded your browser recently–to a website that looks a lot like a Facebook login page.
If you’re wary, you won’t have gotten this far, because your browser—assuming you’re using one of the more recent versions–will have flashed a warning that you’re trying to visit a dodgy site. That’s because the site itself is not Facebook.com, but Facelibook.com—a website hosted in China.
What will happen then, if you don’t notice those extra two letters hiding in the website name and enter your name and password, is that you’ll be “phished”—in other words, your password and username will now be known by someone else. Someone else who won’t necessarily be a pal.
Phishing has been around for a few years, and sadly we’re still falling victim to it. It’s simple really: A bad guy uses whatever tricks he can—technology, our gullibility, simply looking over our shoulders—to steal our passwords, and then uses that access to either empty our bank accounts or pretend to be us.
In this case, they use the Facebook account to send more messages to other people. You see, the thing about Facebook is that it’s a trusted area. All the people we get messages from are people we trust, people we know, so what better way to lure people into a trap than to send messages so they look as if they’re from someone we know?
Giving someone access to your Facebook account is not a good thing, of course. They can not only send out creepy messages that compromise your friends (and endanger your friendships) but they’ll also have access to whatever information you’ve stored in your Facebook account: your previous jobs, your interests and your address for starters. That’s enough for them to steal your identity.
But that’s not all the Facebook thing does. I’m not quite clear whether these two attacks are the same, but they may well be: The hijacked accounts, I’m told, will now send out a slightly different message this time, along the lines of “You’ve been caught on hidden cam, yo” (“cam” is short for camera, for those of you not up with the lingo. “Yo” is a term of endearment reserved for the hip and would-be hip).
Click on this particular link and worse things happen. You’re told your version of Flash player is out of date—a normal enough message, as Flash players are programs used to play animated content in your browser—and then you’re instructed to download and install an update, a piece of software called codecsetup.exe. Agree and you’ll be treated to a video of a laughing clown as, behind the scenes, a piece of malware—or software with bad intentions—is downloaded to your computer.
You won’t necessarily be any the wiser. Your computer will continue to function. Only it will also have been infected with a virus, which could do any number of things, from reporting back home all your passwords, to turning your computer into a zombie in a botnet. (Zombies are computers that can be controlled remotely, and a botnet is network of hundreds, maybe thousands, of compromised computers which can be used to send spam or launch other computer-borne attacks.)
None of this is good for you. If you’re infected by this kind of virus, you need to disinfect, and that may require a professional. If you think you might be infected, first run a check on your computer with something like Housecall from TrendMicro (housecall.trendmicro.com).
Earlier in August Facebook itself reported that a small percentage of users were infected by this virus; the trouble is that a small percentage of all the millions of Facebookers is still hundreds of users. As Avi Dardik of antivirus company Yoggie Security Systems puts it, users are lulled into making a false step through a gradual series of moves: “Notice how sophisticated this series is–the user is essentially drugged to sleep in several steps,” he says.
The simple lesson from this is that Facebook—and other social networking sites—are becoming popular enough to entice the bad guys into coming up with ways to attack us. Now there are enough of us on these sites to make it worth their while. So we need to be careful clicking on links—as careful as when we open an ordinary email. Remember: Just because it’s from a friend doesn’t mean it’s safe.
Needless to say, make sure you’ve got antivirus software on your computer, and make sure it’s up to date. Also, make sure your browsers and operating system are up to date too: Antivirus alone is not enough to protect you. (I would recommend the latest version of the Firefox browser, but if you insist on using Internet Explorer, do make sure it’s the latest version.)
Here’s another way to play safe if you’re using Windows XP. Vista—the new version of Windows—plugs this hole by default, but the older version, XP, allows users to run their computer as an administrator. This means you can do anything—install software, change important settings, etc—which is good, but dangerous, because it means anything that can insinuate itself onto your computer can do the same thing.
This might be possible even just visiting a website—you don’t have to actively download or install anything—so it makes browsing potentially lethal. Better to forego those administrative privileges and play safe. The problem is you’ll have to switch back and forth between administrator and ordinary user should you want to install legitimate software, or change the settings on your computer.
Here’s a simple enough way round this: This link–http://is.gd/1JR6—will take you to a step-by-step guide I’ve written to surfing without administrative rights, while keeping those rights for everything else you do. That adds another layer of security that would save you from the kind of scary stuff I’ve been talking about. I’d recommend you do it right now.
Final word: Facebook et al are great playgrounds to mess around with your friends. But it’s not a bouncy castle: You can still hurt yourself.