There’s an old saying: in the kingdom of the blind, the one-eyed man is king. It seems like social media is chock-a-block with the blind, a fact the one-eyed men are wasting no time exploiting. If Web 2.0 does one thing well, it’s that it makes jumping in to the world of Facebook, Twitter and LinkedIn easy and pain free, meaning that anyone can – and does – jump into the fray, almost instantly getting started friending and trending, flagging and tagging. One doesn’t have to be a tecchie to figure out how to use social media; one just has to start typing. In fact, it may be a little too easy. In the eyes of IT professionals, it’s almost as if the hackers and spammers have hung a large shingle out – HELP WANTED. LACK OF TECHNICAL EXPERIENCE AN ASSET. So if anyone was wondering why the war between social media and spam feels like a losing battle, look no further than this.
In the most recent spam scam to assault Facebook, users are being greeted with a message advising them to ‘verify’ their account, seemingly a noble act of spam prevention and surely not spam itself, right? Not so fast. Those rascally little hackers have swapped out the ‘Like – Comment – Share’ links with a ‘== VERIFY MY ACCOUNT ==’ link, making clicking eminently attractive and practically unavoidable for the uninformed user. Clicking the link, of course, has exactly the opposite effect advertised by the malware, not only posting the message on the user’s wall, but in fact spreading JavaScript that, according to The Register, is “highly obfuscated.” (If interested, you can check out an interesting analysis of the script here.)
“Facebook has become a veritable cesspool of spam, with fake links promising to show users things like how many people have visited your profile or the never-released photos of Osama bin Laden’s body,” reports the Detroit Free Press. In fact, it seems that these clickjacking schemes have become the norm and Facebook, by its own admission, has only been able to react to the scams as they appear. “We’ve been shutting down the scammy pages that are the source of this spam as soon as we detect them or they’re reported to us,” Facebook’s Fred Wolens told the Free Press.
So let’s return to the kingdom of the blind. No disrespect to any Facebook user intended, but knowing how to recognize a genuine security threat often requires three things: experience, specialized understanding in what goes on under the hood, and the requisite savvy that comes with being an IT professional. The first one is easy. Think about the first time you learned that touching an open flame wasn’t such a good idea. Anyone who’s been nailed at least once by a malicious link will testify that they think twice before clicking again. The second and third, however, require specialized information that, simply speaking, aren’t part of the average computer user’s frame of reference. And to be fair to Facebook users everywhere, they shouldn’t need to have that specialized knowledge. It would be counterintuitive to the concept that Facebook is easy to join. Easy to use.
To give Facebook credit, last week the website announced several new features implemented to combat clickjacking:
Web of Trust (WOT) – Web of Trust is a free service that grades sites based on user experience. Basically a community that relies upon reported links, WOT intercepts links in Facebook, warning the user that the link could be dangerous, if it has been frequently reported by the community.
Clickjacking Prevention – Since clickjacking is based on tricking the user into thinking they’re clicking on one thing when in fact they’re clicking on another, Facebook has implemented extra security measures to detect if links are trying to pretend they’re something else. In essence, users will be required to confirm their choices when they click “Like.”
Cross-Site Scripting (XSS) Protection – Malware often tricks users into pasting malicious code into the browser address bar. Facebook has added an extra layer of protection, providing a popup window advising the user that he or she is trying to address a bad link.
Login Approvals – Facebook has added an optional – but highly recommended – layer of security by offering two-factor authentication, meaning that whenever a user tries to log on to Facebook from a new device, he or she will also have to enter a code sent via SMS to the user’s mobile device.
If you’re reading this and you have responsibility for office workers who have access to Facebook, you’re probably already copying and pasting into an enterprise-wide email. That would be a wise choice.
Let’s face the facts. Social networking does a great job of bringing people together in cyberspace. The problem: it also makes it way too easy to put hackers, spammers and cyberpunks together with innocent users who are not trained – or even interested in being trained – in how to recognize malicious code and spam when and where it appears. As memberships continue to grow in unprecedented proportions, hackers will continue to figure out how to exploit the system.
You had better hang on. The one-eyed men aren’t going away anytime soon. In fact, they’re fitting themselves for crowns.