Social network phishing

I read an article the other day about Tweets promising free Twitter followers being a phishing scam.

I’d go into details, but it’s the same old story: you click on a link, which takes you to a website that asks for your Twitter username and password. Once the phishermen have this information, they lock you out of your own account and use it to perpetuate the phishing attack or to drive people to other scam websites. The same thing happens on Facebook. When one of your friends suddenly can’t seem to write in coherent language and starts shouting about some iffy product or cheap prescription drugs, that’s a sure sign of a phishing victim.

The thing that bothers me is how well it seems to be working. Why so much emphasis on increasing your Twitter followers?

If you’re a celebrity, I can understand why you’d end up with over a million followers just on the basis of who you are. If you have a proactive sort of agent, you might even be encouraged to look at your number of followers as a metric of how much “star power” you’ve got.

If you work in the marketing department of a company and have spent six months convincing management that the company really needs a Twitter account, I can understand the desire to get as many followers as possible in a short amount of time.

However, if you’re just somebody who uses Twitter as a communication tool, what reason is there (beyond your ego) for thinking you need to add a hundred random followers (and subsequently falling for this scam)? Unless you’re doing something interesting on the site (telling us what your cat is doing is not one of them), I can’t think of any. For the 99% of us who are “just sorta there,” is there really any advantage to having scads of followers?

You might think this is going to lead into, “What’s the whole point of Twitter, and why don’t you just go outside for once?” but I’ll resist the temptation. Twitter’s neat, and I see the appeal. However, AOL was pretty neat at one time, too.

So have at it—use Twitter. Complain about the cruddy customer service at a store and see how scary-quick they respond to you. See what Pee-Wee Herman and LeVar Burton are up to. But never click on those “add more followers” links, and never, never, ever enter your username and password on a website other than the real Twitter page.

And go outside now and then.

Couldn’t resist.

Fraudulent Facebook email contains malware attachment.

There’s a new fake email message making its way around the web the last few months. This time, it targets Facebook users.

The messages all have something to do with your Facebook password, using subject lines such as “Password Reset Confirmation Email.” They contain an attachment that is supposed to be your new password, but is actually a pretty nasty Trojan horse program that opens your computer up to a variety of attacks. One of these programs is known as Bredolab, and it’s just bad news all around. Below is the text of an example message from “The Facebook Team:”

Because of the measures taken to provide safety to our clients your password has been changed. You can find your new password in attached document.

The Facebook Team

There are other fake Facebook messages that try to lure victims with a “New Login System” message and contain a disguised link. In this case, it seems to be a pretty standard password-stealing attempt, but given the amount of malware that can be spread and the fraud that can be committed with a hacked Facebook account, it could lead to much worse problems than someone just messing with your Facebook page.

Facebook is never going to send you an email message with your password as an attachment. In fact, they’re never going to send you an attachment at all. If you get one of these messages, hold your cursor over the link (DO NOT CLICK) and you’ll see that the message actually takes you to a non-Facebook website (most likely hosted overseas).

Furthermore, Facebook isn’t going to “confirm” your request for a password reset unless you’ve actually requested it, and any links contained in a genuine message will point to Facebook’s own website, not a website with just an IP address (numbers separated by periods, as in “123.45.678.90”), and not a website hosted overseas.
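The hover-over check described above can be automated. The following is an added example (not code from the original post) that pulls every link out of a constructed sample email body and flags links whose host is a bare IP address or is not under the expected domain; it assumes facebook.com is the domain a legitimate link would live under.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the post): three links, two of them bad.
SAMPLE_HTML = """
<p>Your password has been changed. <a href="http://123.45.67.89/reset">Click here</a>
or <a href="http://facebook.com.example.net/login">www.facebook.com</a>.
Help: <a href="https://www.facebook.com/help">Facebook Help</a></p>
"""
EXPECTED_DOMAIN = "facebook.com"  # assumption: the domain legitimate links live under

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from <a> tags.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_bare_ip(host):
    # True when the URL host is a raw IP address rather than a name.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_matches(host, domain):
    # True only if host is the domain itself or a subdomain of it.
    return host == domain or host.endswith("." + domain)

def classify_links(html, expected_domain=EXPECTED_DOMAIN):
    """Return [(href, visible text, reason)]; reason is None for links that pass."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reason = None
        if is_bare_ip(host):
            reason = "bare IP address instead of a hostname"
        elif not host_matches(host, expected_domain):
            reason = f"host {host!r} is not under {expected_domain}"
        results.append((href, text, reason))
    return results
```

Note that the second link is flagged even though its visible text reads “www.facebook.com”: only the host in the actual href counts, which is exactly why the post tells you to hover rather than trust what the link says.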

Once again, a new threat just goes to reinforce the old rules of thumb: never open an attachment in an email message you weren’t expecting, and never click on links in an unsolicited email message without verifying first that the message is legitimate.

What is the deal with Facebook and Twitter lately? It seems like they’ve both been targets of an awful lot of phishing, fraud and malware activity these past few months.

Both sites have astounding numbers of users—I recently heard that if Facebook were a country, it would be the fourth most populous in the world, just behind the U.S.—so I imagine it has to do with the sheer numbers involved. When you’ve got over 300 million potential victims, even a 0.1% success rate (1 in 1,000) is a pretty large number of people.