How to Stay Safe on Facebook
10 March 2011
phishing: using legitimate-looking web pages or applications to steal information or credentials, or to gain access to accounts
One of the biggest and least expected places to find malware and phishing is the Facebook news feed, which means that Facebook is becoming as much of a jungle as the rest of the Internet. Last year, it was estimated that more than 20% of posts in the news feed were phishing or malware posts from users or applications. Among my own group of friends, seeing spam posts from hacked accounts is fairly rare, but it does happen nonetheless, and I myself have been roped into a few and had to clean off my Wall and reset my password. Generally the damage is minor, a bunch of spam posts to friends, for example, but the problem can quite literally grow exponentially if a spammer manages to build a fake application that looks enticing and legitimate enough for friends to follow the lead of the hacked account; such an application can then harvest information, personal data included, from the unsuspecting users' profiles and Walls.
Many of the phishing issues on Facebook are preventable, but a lot of people simply don't exercise the same caution in their news feed as they do on the rest of the Internet. Facebook, to a large degree, doesn't filter the links that are posted and takes little visible action against less-than-legitimate Applications. Particularly with Facebook's newly added feature that lets users 'like' any website, Facebook itself is becoming nearly as much of a mess of questionable links as the rest of the Internet, if not worse: the social aspect lets malware links and Applications spread from person to person, which makes them far more contagious and far more dangerous given the amount of data posted on profiles. There are, however, some simple ways to protect an account and avoid problems altogether, and they are worth keeping in mind as malware on Facebook becomes more intrusive, aimed less at spamming than at stealing user data and promoting fake sites.
First, don't click links in the news feed that have been 'liked' or shared by a lot of friends in a short period of time, and especially don't visit links that have been posted to a few dozen Walls. Facebook filters links that have been reported and won't allow them to be posted, but it does a less-than-noticeable job of keeping the site clean. A good example is the recent slew of links to a fake YouTube page: once the link was clicked, the page posted itself to the user's Wall, which pushed it into every friend's news feed. That particular one was more of an annoyance than an actual problem, but the same self-posting mechanism can just as easily carry a page that asks for a login. Despite being somewhat lax in its monitoring of shared links, Facebook will temporarily disable access to accounts that it suspects have been hacked and allow their rightful owners to confirm and change their login information. The Help Center has a reporting form where suspicious activity (links, in particular) can be reported to Facebook: https://www.facebook.com/help/contact.php?show_form=report_phishing.
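As an added illustration (not code from the original post), the following Python script applies the two rules above to a small constructed feed: it flags a link that many different accounts posted within a short window, and a post that name-drops a brand such as YouTube while actually linking to some other host. The tuple-per-post feed format, the `.example` hostnames, the brand list and the thresholds are all assumptions made for the example; nothing here reads Facebook's real feed.

```python
"""Flag news-feed links matching the burst and lookalike patterns described above.

Added example, not the original post's code.  Every input here is constructed:
the tuple-per-post feed format, the `.example` hostnames, the brand list and
the thresholds are assumptions for illustration, not anything Facebook exposes.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry only tracking state.  Stripping them lets the same
# link be recognised even when every copy carries a different referral tag.
TRACKING_PARAMS = {"ref", "utm_source", "utm_medium", "utm_campaign", "fbclid"}

# Brands with known legitimate hosts.  A post that name-drops a brand but links
# to some other host matches the "fake YouTube page" pattern.  (Assumed list.)
BRAND_HOSTS = {
    "youtube": {"youtube.com", "youtu.be"},
    "facebook": {"facebook.com", "fb.com"},
}


def _host(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def normalize_url(url):
    """Canonical form of a link: lower-case host, no www., tracking params dropped."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in TRACKING_PARAMS]
    return urlunsplit((parts.scheme.lower() or "http", _host(url),
                       parts.path or "/", urlencode(query), ""))


def brand_mismatch(url, text):
    """Return the brand a post impersonates (named in text/URL, host elsewhere), else None."""
    host = _host(url)
    haystack = (text + " " + url).lower()
    for brand, hosts in BRAND_HOSTS.items():
        legit = any(host == h or host.endswith("." + h) for h in hosts)
        if brand in haystack and not legit:
            return brand
    return None


def burst_links(posts, min_posters=5, window=timedelta(minutes=30)):
    """Map normalized URL -> number of distinct accounts that posted it inside
    one `window`, for every link reaching `min_posters` distinct accounts."""
    events = defaultdict(list)
    for ts, poster, _wall, url, _text in posts:
        events[normalize_url(url)].append((ts, poster))
    flagged = {}
    for url, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):       # slide the window over sorted events
            posters = {p for t, p in evs[i:] if t - start <= window}
            if len(posters) >= min_posters:
                flagged[url] = len(posters)
                break
    return flagged


def scan_feed(posts, **kwargs):
    """Return (timestamp, poster, url, reasons) for every post worth not clicking."""
    bursts = burst_links(posts, **kwargs)
    findings = []
    for ts, poster, _wall, url, text in posts:
        reasons = []
        key = normalize_url(url)
        if key in bursts:
            reasons.append("same link from %d accounts in a short window" % bursts[key])
        brand = brand_mismatch(url, text)
        if brand:
            reasons.append("mentions %s but links to %s" % (brand, _host(url)))
        if reasons:
            findings.append((ts, poster, url, reasons))
    return findings


# Constructed sample feed: (timestamp, poster, wall posted to, url, post text).
_T0 = datetime(2011, 3, 9, 20, 0)
SAMPLE_FEED = [
    (_T0 + timedelta(minutes=2 * i), "friend%d" % i, "friend%d" % ((i + 1) % 6),
     "http://video-share.example/watch.php?v=omg123&ref=%d" % i,
     "OMG you have to see this YouTube video!!")
    for i in range(6)                                 # six accounts, ten minutes
] + [
    (_T0 + timedelta(hours=5), "alice", "alice",
     "http://www.youtube.com/watch?v=song123", "song of the day"),
    (_T0 + timedelta(hours=6), "bob", "bob",
     "http://example.com/blog/post-1", "new blog post"),
]

if __name__ == "__main__":
    for ts, poster, url, reasons in scan_feed(SAMPLE_FEED):
        print(ts.strftime("%H:%M"), poster, url, "->", "; ".join(reasons))
```

Two caveats on the design. A burst of one link from many friends is also what genuinely popular content looks like, so the poster threshold is a tuning knob, not a verdict; the brand-versus-host mismatch is the stronger of the two signals because a real YouTube clip has no reason to live on another domain. Neither check replaces reporting the link through the Help Center form.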
The second most important way to protect a Facebook account is to pay attention to, and keep track of, what Applications are allowed to do and what information they access. Facebook requires Applications to show a page listing what information they use, and that page deserves a careful read. More importantly, Facebook has strict rules about what Applications can and cannot do, and anything that claims to do something outside those guidelines is a fraud, simply because Facebook doesn't provide that data to applications. The ongoing issue in this area is the classic "See who is visiting your profile" or "See how many people visit your profile" type of Application. In short, Facebook doesn't expose that information to users or to Applications, which instantly marks every one of those as a fraud and a potential phishing problem: since it cannot deliver what it promises, whatever permissions it asks for serve some other purpose. Considering that 60% of the problems with clickjacking and phishing come from Applications, this may be one of the most overlooked areas of Facebook security.
From a phisher's standpoint, Facebook is one of the best places to collect personal information, given the social and therefore extremely viral nature of anything shared: it's bound to be clicked by at least one other person, and it can spread alarmingly fast, much faster than malware that waits for a user to stumble across a link elsewhere on the Internet. Viruses and other problems can quickly become an epidemic because too many Facebook users feel that, within the confines of Facebook, the Internet is safe. In short, if something in the news feed appears extremely popular and overly enticing, there's likely something wrong with it, so stay away from it, and above all report accounts that have been compromised so that the account (and the links in question) can be cleaned up as quickly as possible.
Clarification: Facebook does not publicize visitor statistics for personal profiles; it does give users access to visit data for fan pages.