On Thursday night, Facebook was attacked by hackers for the fourth time this month. Who is behind the attacks isn’t known, but the malefactors appear to be using several old tricks–phishing, malware downloads, and other conceits–to get people to give up their Facebook password credentials, or trick them into buying things from suspect e-commerce sites.
Facebook has been attacked with phishing and malware in the past. But the increased incidence of the outbreaks suggests that they’re having more trouble controlling the phenomenon than before. Since hacking campaigns like these rely on fooling users, Facebook is a vulnerable target–with over 200 million people, the odds are at least a few will get tricked into giving up their information, allowing the hack to propagate and the people behind it to make money.
So how does this caper work? Facebook says it’s not an internal virus on their servers, but does that make sense with what we know? Why can’t these attacks be stopped quickly? And how do you avoid being ensnared? FastCompany.com grilled the experts, and their answers are below.
1. Who does this attack affect?
All Facebook users, Mac and PC owners alike. The scam sucks you in by taking control of a Facebook account and sending messages to all that person’s friends. When you click on the message from your friend, there’s a link inside; click it, and the trouble begins. Some of the links take you to malware sites, which will download a virus on your PC. Others take you to shady online retailers hawking Viagra or other suspect goods. In some variants of the scam, you are directed to a fake Facebook site that tells you that you’ve been logged out. Once you enter your credentials to log back in, they’ve tricked you into handing over the keys to your account. The scammers will then use your account to spam all your friends with the same message.
2. What’s the scam attempting to do?
Like most, these attacks exist to make the hackers money. According to Facebook spokesperson Barry Schnitt, the process works like this:
“Once the phisher had control of some accounts, they tried to monetize by send out run of the mill spam,” the kind that gets you to buy pharmaceuticals or other junk, Schnitt explains. Once you opt to buy whatever they’re peddling, they’ve got all your contact info and your credit card number, and they can either sell that information to other miscreants or use it to engage in full-scale identity theft and fraud.
3. How does it work?
“With phishing attacks, the user is entering credentials on another site,” that looks just like Facebook, explains Chris Wysopal, founder and CTO of Veracode, a software security testing company. “Those credentials can then be used to log into Facebook and then post messages that advertise the phishing site to a person’s network. With malware, the user is tricked into downloading an executable which then steals the credentials–or an active session cookie–to advertise the malware to a person’s network,” he says.
4. Is this a worm?
“It’s a phishing attack. We haven’t seen any evidence of a worm,” claims Facebook spokesperson Barry Schnitt. The experts agree, based on what’s transpired so far, but they also note that it’s impossible to be sure without peering directly into Facebook’s network.
“If I was a bad guy–and I am not–I would always go for the low hanging fruit that is easiest to pull off first,” says Steve Manzuik, an author who has written extensively on network and IT security. “Writing a worm these days is probably harder than simply spamming users with a script.”
“A true worm would take advantage of a XSS vulnerability like the Sammy worm on MySpace, or would require a client side vulnerability in the browser, Flash, or some other component that automatically interprets web content,” Wysopal elaborates. “Something like that would spread very, very rapidly. We haven’t seen that on Facebook.”
5. How does this scam send messages from my account?
With a simple software script. “Once it has someone’s credentials, the script would log in to Facebook as them and send a message to all their friends to check out the
phishing or malware site. Then it repeats with each new victim,” says Wysopal.
6. How does this scripting work, once your account is compromised?
“The [phishing] URL is simply content at this point,” says Manzuik. “So the attacker writes his script with a boilerplate email including the URL which leads to the malicious site.” Once the hackers have the credentials, the script automatically logs into the accounts, and starts generating messages within the Facebook system, behind the user interface. “It is pretty much a classic email attack with the added complication of carrying it out via Facebook,” says Manzuik.
7. Is this the Koobface virus again?
Koobface (an anagram of “Facebook”) used bogus Facebook messages to send a link to a malware download, disguised as an Adobe Flash update. That malware only works on Windows computers, and it’s been confirmed that Mac users are also victims of this latest round of attacks–meaning that unlike Koobface, the scripting involved might be totally Web-based. “I wouldn’t be surprised if there was a new variant of Koobface,” says Wysopal. “McAfee just reported that Koobface was the most popular malware of Q1 with 800 variants detected. Each variant likely spins a different social engineering tale on Facebook to get people to install it.”
According to Schnitt at Facebook, the latest round does involve some malware, which could be a newer strain of virus known as BoFace variant No. 56, which has seen increased incidence since last summer, according to antivirus specialist PandaLabs.
8. How did this start?
The epidemiology of attacks like this has a lot to learn from the starting point of the attacks. Some theories: the hackers could have started with good old spam emails that pretended to come from Facebook, encouraging users to enter their login information on a fake Facebook site. Or, the hackers could have started legitimate Facebook accounts and accrued random friends, before blasting them with spam messages to get the process started. If these guys wrote the script that automates message sending, they’re probably plenty familiar with Facebook’s interface–meaning they’re users themselves.
Another possibility: the hackers took advantage of a security hole in a common Facebook app to gain access to users’ accounts.
9. Will Facebook ever be safe from this kind of chicanery?
No. “The problem with sites like Facebook, Myspace, Twitter and even sites like Youtube is the exact reason that they exist–allowable user content,” says Manzuik. “When you give your end users as much control as they do and the ability to publish their own content, you are asking for security problems.”
10. What’s Facebook doing to help?
“The first thing we do is stop the link: delete it from all places sent, and reset the passwords of all the accounts affected,” says Schnitt. But they can only work so fast. For more information, check out Facebook’s advice for avoiding the phishing pratfalls.
If you have more information about these attacks, or have screenshots showing examples, send them to Fast Company: ideas(at)fastcompany(dot)com.