As the number of scams and malware threats increase on Facebook and Twitter, it can be hard to keep track of what’s legitimate and what’s not anymore in a way that is in plain-English for non-techies, who are arguably the ones who need this information the most.
My mom needs information like this. My mom isn’t going to read the Sophos Security blog. I do read that blog – and many, many others related to security, so I’ve put together two new resources for the “normal” (non-technical) people out there who keep falling for these rogue applications.
On Facebook, “like” the Social Media Scam Alerts page to get updates as new Facebook scams and rogue applications are identified. The posts will be short, without a lot of technical jargon to make them easy to share with your less brainy friends and family.
On Twitter, follow @scamdb for tweets about the latest scams, phishing and rogue apps affecting Twitter users.
Social Media Security Tips
In addition to staying informed about bad applications, some better practices and common sense will go a long way here.
We have become completely desensitized to clicking on things on websites, in our social networks, on our smartphones and in email – and this is why these types of attacks are so wildly successful, often garnering tens of thousands of “likes” before they are detected and banned by Facebook or Twitter. More often than not on social media websites, the attack is not a technical attack, it’s a social engineering attack, tricking you into clicking on something because what they are offering is something you want and you found the link through a reasonably trusted source (your friend’s Twitter stream or Facebook news feed).
Be skeptical. If something looks too good to be true, it probably is, even if you trust the person it came from.
Confirm before you click. If you’re not sure, take a moment to email or (gasp!) call your friend and confirm they actually intentionally posted that message. If they didn’t, you’ll be doing them (and all of *their* friends) a favor by bringing it to their attention quickly.
If your friend posted to their Facebook wall that they are stuck in London and need money for a passport/plane home/etc. – resist the urge to immediately send cash. Be rational: contact them using a different method (email, phone) and confirm that it’s really them. Use common sense. Did your friend even mention they were going to London?
That “stuck in London” scam has made its rounds for several years through email and social networks. I don’t know why it seems to always be London, but that’s almost always the city I’ve seen in these scams.
Use the SSL version of social networking websites when you’re surfing on public or unsecured wifi. As Ashton Kutcher learned this week at TED, non-encrypted sessions + a little Firefox addon called Firesheep = getting pwned in front of your six-and-a-half-million Twitter followers.
Facebook offers a clunky (and currently unreliable) way to switch to HTTPS for your Facebook sessions, but that method resets back to HTTP if you access a non-SSL application. My understanding is that Facebook security is aware of the bug that resets the default preference back to non-SSL, but I don’t think it’s been fixed yet.
An alternative is using something like the Electronic Frontier Foundation’s HTTPS Everywhere addon. The first release of this addon was a little buggy, but the second release seems more stable. (The first version rendered Amazon.com effectively useless.) You can select which sites you want to use HTTPS Everywhere on, and it will always force the HTTPS (versus the plain HTTP) connection.
Ideally, you should try to avoid public or unsecured wifi connections whenever possible. Make sure your computer and smartphone preferences are to NOT automatically join wifi networks. If you have to be on public wifi, your best bet will be to tunnel your traffic over VPN, but not everyone is going to have that as an option.
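The reason Firesheep works is that a site which answers over plain HTTP and hands out a session cookie without the Secure attribute lets anyone on the same open wifi read that cookie off the wire. The following is an added example, not code from the original post or from any of the tools mentioned in it: a small Python audit that parses raw HTTP response text and reports whether a plain-HTTP request gets redirected to HTTPS and whether each session cookie is marked Secure (and HttpOnly). The three sample responses and the `example.com` host are constructed for the example; in practice you would feed it the headers a site actually returns.

```python
"""Check HTTP responses for the two weaknesses that open-wifi cookie sniffing relies on.

Added example (not part of the original post). It parses raw HTTP response
text and reports:
  * whether a plain-HTTP request is redirected to an https:// URL, and
  * whether each Set-Cookie carries the Secure (and HttpOnly) attribute.
A cookie without Secure is sent on every plain-HTTP request, which is exactly
what a passive sniffer on unencrypted wifi harvests.
"""
from dataclasses import dataclass, field
from typing import List

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool


@dataclass
class AuditResult:
    status: int
    redirects_to_https: bool
    cookies: List[CookieFinding] = field(default_factory=list)

    @property
    def exposed_cookies(self) -> List[str]:
        """Names of cookies the browser would send over plaintext HTTP."""
        return [c.name for c in self.cookies if not c.secure]


def parse_response(raw: str) -> AuditResult:
    """Parse the status line and headers of a raw HTTP/1.x response."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    redirects_to_https = False
    cookies: List[CookieFinding] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "location" and status in REDIRECT_CODES:
            redirects_to_https = value.lower().startswith("https://")
        elif name == "set-cookie":
            # "sessionid=abc; Path=/; Secure; HttpOnly" -> name plus attribute set
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            cookies.append(CookieFinding(cookie_name, "secure" in attrs, "httponly" in attrs))
    return AuditResult(status, redirects_to_https, cookies)


def summarize(result: AuditResult) -> List[str]:
    """Plain-English findings suitable for a non-technical reader."""
    findings = []
    if result.status in REDIRECT_CODES and not result.redirects_to_https:
        findings.append("Redirects, but not to HTTPS")
    for name in result.exposed_cookies:
        findings.append(f"Cookie '{name}' lacks the Secure flag and can be sniffed on open wifi")
    for c in result.cookies:
        if not c.httponly:
            findings.append(f"Cookie '{c.name}' lacks HttpOnly and is readable by page scripts")
    return findings or ["No plaintext exposure found"]


# Constructed sample responses (example.com is a placeholder host).
WEAK_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>logged in</html>"
)
HARDENED_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.com/\r\n"
    "\r\n"
)
HARDENED_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>logged in</html>"
)

if __name__ == "__main__":
    for label, raw in [("weak HTTP", WEAK_HTTP_RESPONSE),
                       ("hardened redirect", HARDENED_REDIRECT),
                       ("hardened HTTPS", HARDENED_HTTPS_RESPONSE)]:
        print(f"{label}: {summarize(parse_response(raw))}")
```

The weak response is the situation the post describes: the site serves the logged-in page over HTTP and the session cookie has no Secure flag, so it rides along on every plaintext request. The hardened pair is the server-side counterpart of what HTTPS Everywhere forces from the client: plain HTTP is bounced to HTTPS, and the cookie is only ever sent over the encrypted connection.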
In the big, scary internet, there are countless ways your personal information and login credentials are at risk. Some of these are technical vulnerabilities in the websites you trust your information to, but the social engineering approach is gaining tremendous momentum. It’s cheap, it’s fast, and it works. Remember that even if you think you have nothing of value, when you are careless with your security, you are also putting your friends and family at risk.
Take a moment to check out the security presentation I posted a few weeks back that covers important information on privacy and password security, and consider joining the new Facebook and Twitter resources.