Social Networking Security Threats
Social Networking Security Threats - Part-I
Facebook: Self-XSS, clickjacking and survey scams abound
With so many users, Facebook is a target for scams; it can also expose your personal information far beyond your group of friends.
Users need to remember that Facebook makes money from its advertisers, not users. Since advertisers want to get their message out to as many people as possible, Facebook shares your information with everyone, not just your "friends." And most recently, Facebook's facial recognition technology automatically suggests that friends tag you, unless you turn it off.
Scams on Facebook include cross-site scripting, clickjacking, survey scams and identity theft. One of the scammers' favorite methods of attack at the moment is known as cross-site scripting or "Self-XSS." Facebook messages such as "Why are you tagged in this video?" and the Facebook Dislike button take you to a webpage that tries to trick you into cutting and pasting malicious JavaScript code into your browser's address bar. Self-XSS attacks can also run hidden, or obfuscated, JavaScript on your computer, allowing malware to be installed without your knowledge.
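One way a URL field or content filter can neutralise the paste step described above, shown as an added example that is not part of the original article: it strips script-capable schemes from pasted text, including mixed-case, whitespace-padded and doubled prefixes. The function names, the scheme list and the sample strings are assumptions constructed for this illustration.

```javascript
// Added example: neutralise script-scheme text pasted into a URL field.
// The scheme list and all names below are this example's own choices.
const SCRIPT_SCHEMES = ["javascript", "vbscript", "data"];

// URL parsers ignore leading control characters and spaces, and drop tabs
// and newlines anywhere in the string, so remove them before checking.
function normalizeForSchemeCheck(text) {
  return text.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
}

// Returns the lower-cased scheme if the text starts with a script-capable
// scheme, otherwise null (ordinary URLs and host:port strings pass).
function leadingScriptScheme(text) {
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForSchemeCheck(text));
  if (!match) return null;
  const scheme = match[1].toLowerCase();
  return SCRIPT_SCHEMES.includes(scheme) ? scheme : null;
}

// Strips every leading script scheme, so "javascript:javascript:..." does
// not survive a single pass, and reports what was removed.
function sanitizePaste(text) {
  let cleaned = normalizeForSchemeCheck(text);
  const stripped = [];
  let scheme;
  while ((scheme = leadingScriptScheme(cleaned)) !== null) {
    stripped.push(scheme);
    cleaned = normalizeForSchemeCheck(cleaned.slice(scheme.length + 1));
  }
  return { blocked: stripped.length > 0, stripped, cleaned };
}

// Constructed sample pastes: benign placeholders, not real scam payloads.
const SAMPLES = [
  "javascript:void(0)",
  "  JaVa\tScRiPt:void(0)",
  "javascript:javascript:void(0)",
  "https://www.facebook.com/",
];

for (const sample of SAMPLES) {
  const result = sanitizePaste(sample);
  console.log(JSON.stringify(sample), "->", JSON.stringify(result));
}
```

The check only inspects the start of the pasted text; it does not judge what the remaining script would do, so it complements rather than replaces user awareness of the scam messages.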
Facebook scams also tap into interest in the news, holiday activities and other topical events to get you to innocently reveal your personal information. Facebook posts such as "create a Royal Wedding guest name" and "In honor of Mother's Day" seem innocuous enough, until you realize that information such as your children's names and birthdates, pet's name and street name now resides permanently on the Internet. Since this information is often used for passwords or password challenge questions, it can lead to identity theft.
Other attacks on Facebook users include "clickjacking" or "likejacking," also known as "UI redressing." This malicious technique tricks web users into revealing confidential information or takes control of their computer when they click on seemingly innocuous webpages. Clickjacking takes the form of embedded code or script that can execute without the user's knowledge. One disguise is a button that appears to perform another function. Clicking the button sends the attack out to your contacts through status updates, which propagates the scam. Scammers try to pique your curiosity with posts like "Baby Born Amazing effects" and "The World Funniest Condom Commercial – LOL". Both clickjacking scams take users to a webpage urging them to watch a video. When you view the video, a message is posted saying that you "like" the link, and it is shared with your friends, spreading it virally across Facebook.
Clickjacking is also often tied to "survey scams," which trick users into installing an application from a spammed link. Cybercriminals take advantage of news topics, such as the Osama bin Laden video scam, which takes you to a fake YouTube site in an effort to get you to complete a survey. Scammers earn commission for each person who completes it. Taking the survey also spreads the scam virally to your Facebook friends.
In theory, new Facebook security features provide protection against scams and spam, but unfortunately they're mostly ineffective. Self-XSS, clickjacking and survey scams essentially did not exist just a few years ago, but they now appear on Facebook and other social networks on a daily basis.
Our recent social networking poll also asked computer users which social network they felt posed the biggest security risk. Facebook is clearly seen as the biggest risk with 81% of the votes, a significant rise from the 60% who felt Facebook was the riskiest when we first asked the question a year ago. Twitter and MySpace each received 8% of the votes this year, and LinkedIn only 3%.