This week has witnessed several scams involving social sites. On Tuesday Twitter users posted answers to their online security questions for everyone to see. On Wednesday Twitter account of the New York Times was hacked, and on Thursday we witnessed a phishing attack on Facebook.
Phishing lure: think twice, then click.
Facebook scam was a typical phishing scenario. On Thursday morning users received a message from Facebook with a bogus link. After clicking on the link, a user was taken to the spoof site, which looked exactly like the authentic Facebook page, and was asked to enter her login and password again. Accounts that had become a part of the scam started sending the link to users’ friends and contacts. Due to this fact, the fraud spread fast.
Barry Schnitt, Facebook spokesman, said that the range of the scam had not been estimated yet. He pointed out that all compromised passwords were reset automatically “so that any data the bad guys have becomes useless very quickly”. This is terribly wrong. As far as many people use one and the same password to several accounts, not only their Facebook page is at stake. Links to other online social accounts and contact information can be easily found in a user’s profile. As a result, no account mentioned publically is immune to attacks.
Manipulating human nature, just for fun
People are eager to give answers to secret questions when a scam looks like a game initiated by their friends. It is a trait of the human nature; we incline to mass action. On Tuesday it was our favorite microblogging service Twitter that proved this when #TwitterPornNames game made its way into the trending topics list at the speed of light. The tag was shown on every user’s home page in the “Trending Topics” section, and more people were involved. It was another example of how vulnerable our online self is for social engineering pros (read “hackers”).
The idea behind #TwitterPornNames was pretty simple: combine the names of your first pet and the street you grew up in and get one hilarious name. Share it with your followers and have fun. I am sure that a lot of people played the game right, this means combining two fake names to make a good tweet and not giving answers to their online security questions to malicious attackers. However, others enjoyed themselves and unconciously posted answers usually used to reset account passwords.
The truth is that one has to be very serious about her online presence. The whole bunch of information shared with friends on social websites can provide fraudsters with precious knowledge of passwords to bank accounts or answers to secret questions that can be used to access mailboxes. So, never talk to strangers about your passwords, and
have a great and secure weekend :)