Wednesday, October 20, 2010

Be careful with your passwords

So I got a Facebook chat message from a friend today that said "Is this you?" and had a link to a Facebook app.  Once I clicked it, it asked me for my Facebook email and password, which immediately made me suspicious.  Turns out my friend didn't send that at all, and it seems likely that if I had put my email address and password in, then my friends would have been getting the links too.

Welcome to the wonderful world of phishing, where less than scrupulous entities aim to steal your password by making you think you're entering it into a valid site for a valid reason.  There are a couple of common ways to do this.  One is simply to send out an email asking someone to reply with their username and password for some legitimate-sounding reason (any sane, legitimate service will never ask you to email your password).  Another common variation is to create a web site that looks identical (or as close to identical as possible) to the site you're trying to steal passwords for, then trick people into following a link to log in to this fake site instead of the site they think they're logging into.  These tactics are usually avoided by never sending passwords over email and by double-checking the address bar to make sure you're really at the site you think you're logging into.

The Facebook scam I saw today was a variation on the latter example, but with one important difference: because it was actually a Facebook app, it looked like you were actually logging onto Facebook (specifically the apps.facebook.com domain).  In this particular case I was suspicious for a couple of reasons:
  • I was already logged into Facebook.
  • When you open up a Facebook app, it's the app that controls the content on most of the page; that's why when you open up Mafia Wars or Family Feud you see the game screen.  In this case the app was presenting me with username and password fields.
  • Both the app and the invitation to click the link were very generic, "Is this you?" didn't give me anything remotely specific but did entice me to at least click the link.  The application itself was apps.facebook.com/newstoday and it was calling itself "Media Player".
  • The address including "newstoday" and the app calling itself "Media Player" didn't match up.
Once I saw the login screen presented, I responded in chat that "I'd be surprised if it was me," and my "friend" (i.e. whatever bot was logged into the account) went offline.  A quick conversation via SMS confirmed that my friend didn't send me the link, and in fact wasn't even at a computer.
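To show why the usual "check the address bar" advice wasn't enough in this case, here is a small added example (my own code, not anything Facebook provides) that classifies where a login form is being served from.  It assumes facebook.com is the site you expect, and that apps.facebook.com is a host whose page content is controlled by third-party apps; the sample URLs are constructed, with the newstoday one taken from the scam above.

```python
from urllib.parse import urlsplit

# The registrable domain the user expects to be logging in to (assumption).
EXPECTED_DOMAIN = "facebook.com"

# Hosts under that domain whose page content is controlled by third-party
# applications rather than by the site itself (assumption based on the post:
# apps.facebook.com).  A login form rendered there is not the site's own.
THIRD_PARTY_CONTENT_HOSTS = {"apps.facebook.com"}


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def is_under_domain(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it.

    The comparison is label-aligned, so 'notfacebook.com' and
    'facebook.com.example.net' are NOT under 'facebook.com'.
    """
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str) -> str:
    """Classify a page asking for credentials relative to EXPECTED_DOMAIN.

    'fake-site'        host is not under the expected domain at all (the
                       classic look-alike site; the address bar catches it)
    'third-party-app'  host IS under the domain, so the address bar looks
                       right, but the page content is app-controlled
    'first-party'      the site's own host
    """
    host = host_of(url)
    if not is_under_domain(host, EXPECTED_DOMAIN):
        return "fake-site"
    if any(is_under_domain(host, h) for h in THIRD_PARTY_CONTENT_HOSTS):
        return "third-party-app"
    return "first-party"


if __name__ == "__main__":
    # Constructed sample URLs; the newstoday one is the app from this post.
    for sample in ("https://www.facebook.com/login.php",
                   "http://apps.facebook.com/newstoday",
                   "http://facebook.com.example.net/login",
                   "http://notfacebook.com/login"):
        print(f"{sample:45} -> {classify_login_url(sample)}")
```

The point is the middle case: a plain domain check passes for apps.facebook.com, so you also have to ask who controls the content of the page you are typing into.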

So what do you do when, like my friend did, you find out that your account has been compromised?  Facebook has a specific page regarding that but I'll share some general guidelines.
  • Change or reset your password, and make sure to do it on any other site or account where you use the same password (a bad idea, but we all do it).
  • Check your account activity for anything suspicious.  On Facebook you'll want to check sent messages, status updates, wall posts, and chat messages sent (as much as you can check, because Facebook's chat history is pretty weak).
  • Check your account settings, contact info, privacy settings, etc.
There's also a feature on Facebook where you can see which computers have logged onto your account and end any sessions they might have open, so you can disconnect any computer that might be someone else using your account.  You can also get an email or SMS notification when a new computer logs into your account.
