November 17, 2009 6:05 PM PST

Facebook adopts new privacy policy

by Steven Musil
  • 11 comments

Facebook on Tuesday announced that it has decided to adopt a revised privacy policy designed to be more accessible and easier to understand.

The social network had just completed a weeklong comment period for the new revision and, though "a lot of people participated," fewer than 7,000 members commented. Under Facebook's rules, this meant that a vote was unnecessary, Michael Richter, Facebook deputy general counsel, wrote in a company blog.

Overall, members supported the proposed changes, including the simplification of the language used to describe the policy and the document's new structure, Richter said.

The site also plans to add visual resources designed to make the document more accessible, such as a glossary of important terms and informational "learn more" videos. Facebook expects to post the revision in English, French, Italian, German, and Spanish soon.

The revision is the latest chapter in Facebook's privacy saga. In July, an investigation by Canada's privacy commissioner suggested that Facebook is unconcerned with members' privacy and called on it to do more. Commissioner Jennifer Stoddart expressed concern that while it's easy for members to deactivate their accounts, the process of actually deleting them is less clear. Facebook could therefore retain member data from deactivated accounts for an indefinite period of time, in violation of Canadian privacy law.

The social network went through a user backlash over the introduction of its News Feed in 2006, and a bigger one over the controversial Beacon advertising program in 2007. More recently, a revision to Facebook's terms of use prompted consumer advocacy blog The Consumerist to highlight language that it said meant that Facebook claimed ownership of user profile data and photos.

Originally posted at Digital Media
November 2, 2009 1:18 PM PST

Spammy scams surfacing on Twitter, Facebook

by Elinor Mills
  • 1 comment

Twitter and Facebook users were getting hit with scams on Monday.

Twitter users were warning one another about direct messages that said, "I make money online with google. i learned how here [link]."

A Twitter representative said it was not a phishing scam because the site to which the spam links does not ask for a username and password, or look like a Twitter page.

"We're on it and fixing accounts as fast as possible," she wrote in an e-mail. "You can keep posted on known issues as well by checking in on the Twitter Status page."

On Facebook, meanwhile, people were seeing messages from friends that said, "just take a look at it and read it over and try it if you want [link]." The link goes to a site that appears to be hosting malware. Accounts that are generating the messages are likely compromised, and the owners should change their passwords immediately.

"We're aware of this campaign, and are blocking malicious URLs and resetting affected users' accounts," a Facebook representative said in an e-mail. "The link in the spam message is for a work-at-home scam, not a phishing site. We're still investigating, but it's likely people's accounts were compromised through a previous phishing scheme."

Twitter users warned about a "make money online with google" scam on Monday.

(Credit: Twitter Search)

Updated at 3:39 p.m. PST with Facebook comment and at 2:15 p.m. PST with comment from Twitter.

Originally posted at InSecurity Complex
October 28, 2009 1:16 PM PDT

Bank Trojan botnet targets Facebook users

by Elinor Mills
  • 21 comments

On the heels of one fake Facebook e-mail scam, a researcher warned on Wednesday of another such campaign in which users of the popular social network are being tricked into revealing their passwords and downloading a Trojan that steals financial data.

In the latest scam being blasted to e-mail in-boxes, a legitimate-looking Facebook notice asks people to provide information to help the social network update its log-in system, said Fred Touchette, a senior security analyst at AppRiver. When the user clicks the "update" button in the e-mail, they are directed to a fake Facebook log-in screen where their user name is filled in and they are prompted to provide their password.

This is a screen shot of the message in the body of the fake Facebook e-mail.

(Credit: AppRiver)

When they provide that information, victims are taken to a page that offers an "Update Tool," which is actually the Zeus bank Trojan, designed to steal financial and personal data, Touchette said.

Users of smart phones that have the Facebook app installed can also easily be duped because the phishing e-mail appears as an actual Facebook notification complete with Facebook icon, he said. The message is received in the e-mail in-box on the phone as well as under the Facebook notification section in the app itself, he added.

There are likely to be a lot of victims given how many e-mails the scammers are sending. AppRiver has captured about 6 million e-mails in its filters and noticed that the messages were coming in at a rate of 30,000 a minute at one point, according to Touchette. That's about 10 times the usual botnet e-mail message rate, he said.

More details are on the AppRiver blog.

On Tuesday, researchers reported that a different botnet, Bredolab, was distributing fake "Facebook Password Reset Confirmation" e-mails that included a Trojan. As of late Wednesday night, security provider Cloudmark said it had seen more than 730,000 of the Bredolab-related e-mails.

To protect against such phishing attacks, people should be extremely cautious about clicking on links in e-mails and they can mouse over the link to see if the domain is a legitimate domain, Touchette said.

Meanwhile, Facebook users should easily be tipped off that the latest scam is just that, a scam, he said. "Facebook doesn't need all of its users to update their accounts in order for them to make changes to their site," he added.

If there is any question about the legitimacy of the e-mail or the link, users should close the e-mail and go directly to the site to check for important notices to customers, he said.

This is the prompt Facebook users get as part of the latest phishing scam. Downloading the "update tool" installs a Trojan.

(Credit: AppRiver)

Originally posted at InSecurity Complex
October 27, 2009 10:48 AM PDT

Fake Facebook e-mail contains Trojan

by Don Reisinger
  • 39 comments

A new variant of the Bredolab Trojan horse is attached to a fake "Facebook Password Reset Confirmation" e-mail, security firm MX Labs is reporting.

Some users are receiving the e-mail from "The Facebook Team," according to the security firm. The sender's e-mail address displays "service@facebook.com." In reality, the address and sender were spoofed.

MX Labs found that the e-mail was accompanied by an attachment named "Facebook_Password_4cf91.zip," which includes the file "Facebook_Password_4cf91.exe" that, the e-mail claims, contains the user's new Facebook password. The security firm said that the element between the underscore and .zip is a string of randomly chosen letters and numbers for each recipient.

When a user downloads the file, it could wreak havoc on their computer. MX Labs said in a blog post that the Trojan horse Bredolab "executes files from the Internet, such as rogue anti-spyware. To bypass firewalls, it injects its own code into legitimate processes svchost.exe and explorer.exe. Bredolab contains anti-sandbox code (the trojan might quit itself when an external program investigates its actions)." In other words, it's nasty.

Once it makes its way to the user's PC, Bredolab creates "%AppData%\wiaservg.log" and "%Programs%\Startup\isqsys32.exe" in the user's system files. MX Labs said that it also creates two new processes, called "isqsys32.exe" and "svchost.exe."

Another security watchdog, M86 Security, wrote that there's more to the outbreak than Bredolab. After it sneaks its way onto the user's computer, M86 said, Bredolab downloads a bot called Pushdo. The company found that Pushdo immediately starts "spamming out more of these Facebook password reset e-mails."

For its part, Facebook was quick to point out that the e-mail containing the virus wasn't coming from the social network.

"This virus is being distributed through email, not on Facebook," a Facebook spokesperson wrote. "The email is disguised as a Facebook password reset e-mail with an attachment that purportedly contains the new password, but is actually the virus. We're educating users on how to detect this through the Facebook Security Page."

Facebook said that users should be "suspicious of unexpected emails claiming to be from Facebook." The company also said that it will never send users a new password as an attachment.

Users who have downloaded the file should use anti-malware software to remove it.

Updated at 1:03 p.m. PDT to include new details from M86 Security.

Originally posted at Webware

Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET.

October 7, 2009 1:02 PM PDT

Oops! Hack lets anybody join the MySpace network on Facebook

by Caroline McCarthy
  • 12 comments

I'm not an employee of MySpace, but I was able to join its Facebook network.

(Credit: Facebook)

I do not work for MySpace. But my Facebook profile now says I do, thanks to what appears to be a sneaky little flaw in MySpace's recently launched e-mail client.

Professional networks on Facebook are intended to be limited to employees, and require a corporate e-mail address to which Facebook sends a confirmation e-mail to verify accuracy. But when MySpace launched MySpace Mail this summer, it made e-mail addresses with the myspace.com domain--which is also used internally for corporate e-mail--available to any members of the News Corp.-owned social network.

A reader tipped off CNET News to the hack, which requires a little bit of HTML know-how. We're not going to give detailed instructions, in the interest of MySpace employees' own security--and it looks like Facebook has put a fix in place, because when a CNET colleague used a MySpace Mail address to register around 2:40 p.m. PT on Wednesday, he was informed that the address was invalid.

See what happens?

(Credit: Facebook)

In vague terms, it looks like MySpace was aware of the fact that members might try to register for its network on Facebook, because the confirmation link to Facebook does not work in MySpace Mail, nor does copy-pasting it. Basically, it's mangled somehow. But, the tipster explained, the real link is still in the page's HTML source. And indeed, I was able to join MySpace's network on Facebook.

This does have security implications, because many Facebook members limit some of their profile data to people who went to their schools or work for the same company--Facebook first launched corporate networks in the spring of 2005. Many may display their cell phone numbers, photo albums, or home addresses only to college alumni or co-workers.

It's an issue for Facebook as well, because the massive social site has an obligation to make sure that its restricted networks stay restricted. If a company with a Facebook network, particularly a big one, changes its corporate e-mail structure, the security of potentially thousands of Facebook members can be affected.

A MySpace representative told CNET News that the company was looking into the matter and would be able to comment soon.

This post was updated at 2:44 p.m. PT on Wednesday to note that the problem appears to have been corrected by Facebook.

Originally posted at The Social
October 1, 2009 11:38 AM PDT

Facebook shuts down malicious fake profiles

by Elinor Mills
  • 13 comments

Facebook on Thursday fended off an attack in which multiple identical profiles were created to spread malware.

Antivirus provider AVG Technologies said users of its LinkScanner service detected numerous profiles that were identical except with different names and each included a link to what was represented as a home video but which instead displayed a fake antivirus alert when clicked. The scams are designed to trick people into paying for software they don't need, to get credit card information from victims for identity fraud purposes, and often to install spyware on the computer.

"Clearly, the Data Snatchers have found a way to automate the creation of Facebook accounts, which means they've found a way to bypass the Facebook Captcha," Roger Thompson, chief of research at AVG, wrote in a blog post. Successfully transcribing a Captcha, a hard-to-read image of letters meant to ensure that a human is involved, is required to create a new account.

The malicious link was blacklisted by the major Web browsers and Facebook was blocking the URL from being shared on its site, said Facebook spokesman Simon Axten. Meanwhile, the company was working to identify all the fake accounts and disable them, he added.

Axten disagreed with the AVG speculation that the Captcha system had been broken.

"We're looking into how these accounts were created, but it's very likely that the sign-up process was manual, or that the person behind the attack farmed out the Captchas to be solved by humans for a price," Axten wrote in an e-mail.

For its Captcha system Facebook uses ReCaptcha, "which was recently acquired by Google and is about as well-regarded a Captcha provider as there is," he said.

When the link in the fake Facebook profiles is clicked a fake alert pops up that tries to convince the user that the computer is infected.

(Credit: AVG)
Originally posted at InSecurity Complex
September 16, 2009 6:16 PM PDT

Study: eBay, Yahoo among most trusted companies

by Elinor Mills
  • 13 comments

eBay is the most trusted company in terms of privacy, and Yahoo and Facebook are among the Top 10, according to a new report released on Wednesday.

Following eBay is Verizon, the U.S. Postal Service, WebMD, IBM, Procter & Gamble, Nationwide and Intuit, with Yahoo and Facebook in the ninth and tenth spots, the study from the Ponemon Institute and Truste says.

Here is the list of the most trusted companies in privacy, according to a study by the Ponemon Institute and Truste.

(Credit: Ponemon Institute/Truste)

It was Facebook's debut on the list, as well as the first time a telecommunications company and a government operation cracked the top three.

While the list ranks the most trusted companies based on consumer brand perception it doesn't necessarily translate to the list of the most trustworthy companies, Kevin Bankston, a senior staff attorney at the Electronic Frontier Foundation, told CNET News.

"They really ought to do one ranking for the poll and a separate one for the actual privacy evaluation," Bankston wrote on Facebook. "Blending them together makes these rankings rather useless."

Basically, privacy practices were analyzed and ranked only for a list of 23 companies that were highly rated in a survey of more than 6,000 U.S. consumers earlier this year, according to Truste spokeswoman Carolyn Hodge. The Top 20 from that survey were analyzed and that included 23 companies because of several ties, she said.

So, the latest study most accurately reflects which companies were deemed to have the best privacy practices among a list of companies that consumers perceive as being trustworthy.

"It absolutely is based on consumers' perception of specific brands. That's what we're trying to get at," Hodge said. "The idea behind this research is to promote consumer education about privacy and to promote adoption of best practices by companies...We understand consumers are probably going to name companies they trust and there may not be a clear correlation with privacy."

Regardless, Hodge and Larry Ponemon, founder of the institute that bears his name, said the companies on the list deserved recognition.

"None of these companies is doing badly at privacy," said Hodge. "We're talking about the best companies out there."

"Clearly there can be variance between perception and reality," Ponemon said. But, he noted, Verizon recently adopted a new more consumer-friendly privacy policy, eBay does a good job on data security and Facebook has made great improvements lately on user privacy.

"I'm not a big fan, but what Facebook is is an experiment...they've had issues and come a long way on privacy," he said.

In assessing the level of trustworthiness of the popular brands, Truste staff looked at 40 criteria, Hodge said. The criteria included things like whether a company: has a clear, readable, and easy-to-find privacy statement; provides adequate access to account information; uses cookies and discloses that to users; shares data with other companies and affiliates; has a data retention policy; has a chief privacy officer; discloses a user's e-mail address during password reset; and uses Web beacons.

In addition, representatives from the Ponemon Institute called companies without identifying themselves and asked questions about privacy practices to see how well their customer service representatives respond to consumer inquiries about that.

Here is the list of the most trusted companies from December 2008.

(Credit: Truste)
Originally posted at InSecurity Complex
August 27, 2009 8:22 AM PDT

Facebook ratchets up privacy controls (again)

by Caroline McCarthy
  • 5 comments

A recent simplification of Facebook's user privacy controls wasn't enough for some policymakers.

On Thursday, in conjunction with the Canadian Privacy Commissioner, Facebook announced a new set of modifications to its user privacy controls as well as its developer API, and the targets of these changes are the thousands of third-party applications built on Facebook's developer platform. That means there may be major implications for developers--some of whom rely almost exclusively on Facebook activity as a revenue source.

The Canadian Privacy Commissioner's office released a set of recommendations for Facebook last month, specifically highlighting concerns that third-party applications could access a significant amount of users' personal data. "It's clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates," commissioner Jennifer Stoddart said in a release at the time.

Facebook's newest set of changes will require third-party applications to specify which fields of user data they access (birthdays, favorite music, geographic location, etc.) and will require users to offer explicit permission before an app can access any of their friends' profile data. This is also in tune with recommendations offered earlier this week by a chapter of the American Civil Liberties Union, which highlighted the amount of personal data that third-party apps can access--sometimes without a user knowing it.

"Our productive and constructive dialogue with the Commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users," Elliot Schrage, Facebook's vice president of global communications and public policy, said in a release Thursday. "We believe that these changes are not only great for our users and address all of the Commissioners' outstanding concerns, but they also set a new standard for the industry."

But what does it mean for developers? This could make it difficult for some apps--particularly the sillier ones that rely on heavy viral spread and often one-time use--to gain traction and stay effective. These are similar concerns to those that arose when Facebook cracked down on apps that it deemed "spammy" (and often rightfully so). On the other hand, the new privacy controls could stave off bad press that could easily paint the developer platform as a whole as unsafe or untrustworthy.

"It is important for developers to have access to information, but we want to balance that with transparency and control for users," Ethan Beard, Facebook's director of platform product marketing, said in a blog post geared toward developers.

"We have committed to making these enhancements over the next twelve months, and anticipate a lengthy beta period including opportunities for you to provide input, multiple blog posts, and updated documentation delivered well ahead of time," Beard's post continued. "Understanding that this will likely require modifications to your code base, we want to give you the earliest heads up that these enhancements are on our road map."

Originally posted at The Social
August 26, 2009 3:28 PM PDT

ACLU chapter flags Facebook app privacy

by Caroline McCarthy
  • 12 comments

The Northern California chapter of the American Civil Liberties Union has put out a campaign designed to raise awareness of the privacy implications of Facebook's developer platform. It's focusing specifically on the popular "quiz" applications, like "Which Cocktail Best Suits Your Personality?" and "Which Wes Anderson Movie Character Are You?" These are largely one-time-use apps that many a Facebook user clicks on and tries out with little concern.

According to the ACLU chapter, "millions of people on Facebook who use third-party applications on the site, including the popular quizzes, do not realize the extent to which developers of quizzes and other applications have access to personal information. Facebook's default privacy settings allow nearly unfettered access to a user's profile information, including religion, sexual orientation, political affiliation, photos, events, notes, wall posts, and groups." For the promotion, it's put together a quiz about how much you know about Facebook-based quizzes.

Side note: Creating a Facebook quiz app to draw attention to the pitfalls of Facebook quiz apps is very meta.

"It's time for Facebook to upgrade its privacy controls so that quizzes can only see what people want them to see," Chris Conley, technology and civil liberties fellow at the ACLU of Northern California, said in a release. "Users need stronger protections than Facebook currently provides."

So are the ACLU-NC's claims legitimate? The most damning one asserts that "regardless of whether a user's Facebook profile is 'private,' by taking a quiz the user allows its developer to gain access to the user's profile information...by Facebook default, every time one of a user's friends takes a quiz, the quiz has access to that user's profile information." That could have particularly alarming security implications if an app turns out to be malicious.

Facebook does not deny this, but notes that "sensitive" information like contact details are not available to third-party apps, and that Facebook has settings for users to tweak exactly how much their friends' apps can see.

Last month, the company modified its privacy settings to make them more user-friendly.

The ACLU chapter recommends that Facebook make it an opt-in, rather than opt-out process for apps to access a user's friends' data and require that apps list the specific profile data fields that they will be accessing.

"We generally agree with (the ACLU's) recommendations and have already made public announcements about relevant changes that are under way," Facebook spokesman Barry Schnitt said in an e-mail. "Specifically, we recently disabled hundreds of applications, including quiz applications, that were inconsistent with Facebook Platform policies...We've also had productive discussions with the Canadian Privacy Commissioner about improving user data controls on Platform. We'd be glad to also have productive discussions with the ACLU and generally catch them up, if they want to give us a call."

The office of the Canadian Privacy Commissioner, which has taken issue with Facebook's privacy policies, is holding a press conference on Thursday to address the subject, and Facebook plans to hold a conference call with reporters in response.

Originally posted at The Social
August 20, 2009 10:18 AM PDT

Facebook disables 6 rogue phishing apps, but 5 more appear

by Elinor Mills
  • 8 comments

Facebook on Thursday said it had disabled six rogue apps that were stealing Facebook users' log-in credentials and spamming people, and within hours more appeared.

Five more of the apps appeared on Thursday, called "Friends," "Friends Gifts," "Matching," "Pok," and "Your Photos," according to an updated blog post by Trend Micro researcher Rik Ferguson.

By that night those new ones were disabled too. Facebook "will continue to ensure that all applications on Facebook Platform comply with Facebook policies," a spokeswoman for the company said.

According to Ferguson's post: "The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters' advertising returns."

He had discovered six rogue apps earlier in the week. One of those was disabled as of Wednesday, and later the other five from the first batch were disabled.

Before the apps were removed, victims had been receiving notifications that someone had commented on a post of theirs. The notifications contained links to a phishing site where users were prompted to provide their Facebook log-in credentials and then prompted to install one of the rogue apps, according to Ferguson. Once the app was installed, the victim's friends were spammed.

Updated at 10:44 p.m. PDT with Facebook disabling the five new apps and at 12:43 p.m. with discovery of five new rogue apps.

Originally posted at InSecurity Complex