What Is Facebook Doing About Scams?

Everyone needs to stay alert to scams. Social networking sites like Facebook are target-rich environments for attackers, because a single tricked or compromised account can push a scam to everyone who trusts its owner. Facebook is now acting on several fronts to warn users when a link they are about to click appears to lead to malware or to a con.

From now on, Facebook will display a warning when it detects suspicious activity behind a click. A scam circulating recently made users post comments, without realizing it, that pointed to what looked like a news site with details of the iPhone 5. Following the link led to a page with a "captcha" box, where distorted letters and digits are presented for the user to type to prove they are a person and not an automated script. Here the captcha was only a pretext: clicking Submit posted the spam message to the user's own Facebook page, where friends saw it and the cycle repeated. Another scam spreading today urged people to click a web element to "verify their accounts". Facebook was quick to remove those posts.

Many of the attacks loosely called cross-site scripting (XSS) on Facebook are really self-XSS: people are told to copy a block of JavaScript and paste it into their browser's address bar, with the lure of a video or something for free. Whatever is pasted runs inside the Facebook page with the user's logged-in session, so it can post spam, "like" pages and message friends as that user, or send the browser on to a site that drops malware. Nothing in the browser is broken; the user has simply been talked into running the attacker's code.

Clickjacking tricks people into acting on a site, such as liking a page or submitting a form, or into revealing personal information, by getting them to click a seemingly harmless element. The attacker's page loads the real target, for example a Like button, in a transparent iframe positioned over a decoy such as a "play video" button; the browser delivers the click to the framed page together with the victim's cookies, so the action happens in the victim's session. Unlike XSS, clickjacking needs no script to run on the target site at all; it abuses the fact that browsers will render one site inside another unless the framed site forbids it with an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive. A widget that exists to be embedded, such as the Like button, cannot use those headers, which is why its defenses have to work differently.
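To make the framing rule concrete, here is an added example (not Facebook's code) that models the decision a browser makes before rendering a response inside a frame. It reads X-Frame-Options and the frame-ancestors directive of Content-Security-Policy, which takes precedence when both are present, and it deliberately leaves out ports, paths, scheme-only sources and intermediate ancestors. The header values and origins used with it are constructed.

```javascript
// Added example, not Facebook's code: a simplified model of the check a
// browser performs before rendering a response inside a frame. It reads
// X-Frame-Options (DENY / SAMEORIGIN) and Content-Security-Policy
// frame-ancestors ('none', 'self', scheme://host, *.host). Simplifications:
// ports and paths in sources are ignored, scheme-only sources are not
// supported, and only the top-level origin is checked, not every ancestor.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // header present but no frame-ancestors directive
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.partner.example" -> ".partner.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Match one CSP host-source against the ancestor's origin.
function sourceMatches(source, page, ancestor) {
  let scheme = null;
  let hostPattern = source;
  const sep = source.indexOf('://');
  if (sep !== -1) {
    scheme = source.slice(0, sep);
    hostPattern = source.slice(sep + 3);
  }
  hostPattern = hostPattern.replace(/\/.*$/, '').replace(/:\d+$/, ''); // drop path and port
  const ancestorScheme = ancestor.protocol.slice(0, -1); // "https:" -> "https"
  if (scheme !== null) {
    if (scheme !== ancestorScheme) return false;
  } else if (ancestorScheme !== page.protocol.slice(0, -1) && ancestorScheme !== 'https') {
    return false; // scheme-less source: same scheme as the page, or a secure upgrade
  }
  return hostMatches(hostPattern, ancestor.hostname);
}

// headers: response headers (any letter case); pageOrigin: the framed
// document's URL or origin; ancestorOrigin: origin of the top-level page.
function mayBeFramed(headers, pageOrigin, ancestorOrigin) {
  const page = new URL(pageOrigin);
  const ancestor = new URL(ancestorOrigin);
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    if (ancestors.includes("'none'")) return false;
    return ancestors.some((src) =>
      src === "'self'" ? page.origin === ancestor.origin : sourceMatches(src, page, ancestor));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return page.origin === ancestor.origin;
  return true; // no framing policy at all: anyone may frame this page
}
```

The last branch is the one that matters for the Like button: a response with neither header is frameable by any site, which is exactly what an embeddable widget needs and exactly what a clickjacking page relies on.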

To blunt these attacks, the site now asks users to confirm a "like" before the story goes to their profile and their friends' News Feeds, so a single hidden click is no longer enough. Facebook is also offering a form of two-factor authentication called "Login Approvals": once it is turned on, a login from a new or unrecognized device must be completed with a code that Facebook sends by text message to the user's mobile phone. Because the code travels over a channel the attacker is unlikely to control, a password captured by phishing or malware is not sufficient on its own. Facebook has also started "Login Tracking": you are asked to give each system you log in from a recognizable name, and a notice of the login is sent to your registered email address, so a login you did not make stands out.

Facebook is also partnering with the free Web of Trust safe-surfing service to give users more information about the sites they leave the network to visit. When a user clicks a potentially malicious link, a warning box appears and explains why the site might be dangerous; the user can proceed anyway or go back to the previous page. Web of Trust has rated more than 31 million sites. Facebook also maintains its own internal blacklist of sites that users are blocked from sharing.
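As an added example (not Facebook's or Web of Trust's code), the check below classifies a link before it is shared or followed: an internal blacklist blocks the domain and all of its subdomains, a low reputation score produces the kind of warning described above, and anything that is not an http(s) URL is refused outright. The blacklist entries, the scores, the 0-100 scale and the warning threshold are constructed assumptions, not WOT's real data or API.

```javascript
// Added example, not Facebook's or Web of Trust's code. Classifies a link a
// user is about to share or follow. An internal blacklist (matching the
// domain or any subdomain) blocks outright; a low reputation score produces
// an interstitial warning. The blacklist, the scores and the 0-100 scale are
// constructed sample data and an assumption about the reputation feed.

const BLACKLIST = new Set(['malware.example', 'phish.example']);   // constructed
const REPUTATION = { 'lowrep.example': 20, 'news.example': 92 };  // constructed
const WARN_BELOW = 60;                                             // assumed threshold

// Returns the lowercase hostname for http(s) links, or null for anything
// that should never be followed from a shared post (javascript:, data:,
// unparsable text). The WHATWG URL parser lowercases the host and splits
// off userinfo, so "https://www.facebook.com@evil.example/" yields
// "evil.example" rather than the lookalike in front of the "@".
function hostOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.hostname.replace(/\.$/, ''); // "example.com." names the same host
}

// Finds the host itself or the closest parent domain present in `table`.
// IP literals are matched exactly only, and the bare TLD is never tried.
function lookupDomain(table, host) {
  const isIp = /^\d+(\.\d+){3}$/.test(host) || host.startsWith('[');
  if (isIp) return table.has(host) ? host : null;
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (table.has(candidate)) return candidate;
  }
  return null;
}

// Returns {action: 'block' | 'warn' | 'allow', reason, domain}.
function classifyLink(link, blacklist = BLACKLIST, reputation = REPUTATION) {
  const host = hostOf(link);
  if (host === null) return { action: 'block', reason: 'not an http(s) URL' };

  const blocked = lookupDomain(blacklist, host);
  if (blocked) return { action: 'block', reason: 'on internal blacklist', domain: blocked };

  const rated = lookupDomain(new Set(Object.keys(reputation)), host);
  if (rated === null) return { action: 'allow', reason: 'unrated', domain: host };
  const score = reputation[rated];
  if (score < WARN_BELOW) {
    return { action: 'warn', reason: `reputation ${score} below ${WARN_BELOW}`, domain: rated };
  }
  return { action: 'allow', reason: `reputation ${score}`, domain: rated };
}
```

Normalizing through the URL parser first is what defeats the usual dressing-up of scam links: mixed-case hosts, a trailing dot, or a trusted-looking name placed in the userinfo part all resolve to the same real destination before any list is consulted.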

They have also recently tightened their programming APIs and are migrating developers to OAuth 2.0 in an attempt to bring security into the developers' environment. OAuth 2.0 is being adopted broadly across the development industry. They have also been working with Symantec to identify issues in their authentication flows and make them more secure.

It looks to me like Facebook is at least aware of the risks that these attacks pose to its reputation and continued existence as a trusted medium for collaboration and social interaction. They are doing the right things, and I believe will eventually provide a more secure environment and continued popularity.