Phishing for Convenience on Facebook

Tuesday, December 18, 2007 at 2:10pm by Craig Schmugar
We often talk about the trade-offs between security and convenience, especially as they pertain to Web 2.0. Many of the technologies used by Web 2.0 sites were built for collaboration and a rich user experience, which has fueled the explosion of social networking sites like MySpace, Facebook, and others. Today I bit the bullet and created a Facebook account, only to observe a prime example of security taking a back seat to convenience. I’m not criticizing the security of Facebook’s servers or applications here so much as the expectation the site is establishing with its user base. The pages in the screenshots below are served over a secure HTTPS connection, but the information Facebook is asking for is exactly what you’d expect a typical phishing attack to request.

The page in question is https://register.facebook.com/findfriends.php.  When navigating to this page without logging in, it appears as follows:

This page is tame compared with the version you get once you’ve logged in:

To recap, for your convenience, Facebook is allowing you to enter in the following information:

• Email username and password
• AOL Instant Messenger username and password

The site also asks you to click “Yes” when prompted to display “nonsecure items” so that you can then download and execute an application named “facebook.exe” (served from a non-HTTPS site); the program then harvests your Outlook contacts and uploads them to Facebook’s server.

I’m not suggesting that Facebook has anything other than good intentions here, but training users to hand over confidential information for a little convenience is not a good thing.

P.S.  The CAPTCHA is real.
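The two patterns described above (a form on one site collecting passwords for someone else’s service, and an HTTPS page pulling in plain-HTTP content such as an executable download) are exactly what a page-auditing heuristic can flag. The following is an added example, not code from the original post or from Facebook; the hostnames under example.invalid and the sample HTML are constructed to mirror the post’s description.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Words the post says sat next to the requested passwords (email and AOL IM accounts).
THIRD_PARTY_HINTS = ("email", "e-mail", "aol", "instant messenger")

class PageAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.scheme = page_url, urlsplit(page_url).scheme
        self.form, self.forms, self.insecure_refs = None, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # start collecting fields and label text for this form
            action = urljoin(self.page_url, a.get("action") or "")
            self.form = {"action": action, "has_password": False, "text": []}
        elif tag == "input" and self.form and (a.get("type") or "").lower() == "password":
            self.form["has_password"] = True
        # Any src/href/action that resolves to http:// on an https:// page is mixed content.
        for attr in ("src", "href", "action"):
            target = urljoin(self.page_url, a.get(attr) or "")
            if a.get(attr) and self.scheme == "https" and urlsplit(target).scheme == "http":
                self.insecure_refs.append(target)
    def handle_data(self, data):
        if self.form is not None:
            self.form["text"].append(data.strip().lower())
    def handle_endtag(self, tag):
        if tag == "form" and self.form is not None:
            self.form["text"] = " ".join(self.form["text"])
            self.forms.append(self.form)
            self.form = None

def audit(page_url, html):
    # Returns (finding_kind, target) tuples: credential forms first, then insecure references.
    p = PageAuditor(page_url)
    p.feed(html)
    findings = [("third-party-credentials", f["action"]) for f in p.forms
                if f["has_password"] and any(h in f["text"] for h in THIRD_PARTY_HINTS)]
    for ref in p.insecure_refs:
        kind = "insecure-executable" if ref.lower().endswith(".exe") else "mixed-content"
        findings.append((kind, ref))
    return findings

# Constructed sample page modelled on the post's description; hostnames are placeholders.
PAGE_URL = "https://register.example.invalid/findfriends.php"
SAMPLE_HTML = """<form action="/findfriends.php" method="post">
<label>Email</label><input type="text" name="u"><label>Email password</label><input type="password" name="p">
</form><form action="/findfriends.php" method="post"><label>AOL Instant Messenger screen name</label>
<input type="text" name="aim"><label>Password</label><input type="password" name="aimpw"></form>
<a href="http://download.example.invalid/facebook.exe">Import Outlook contacts</a>
<img src="http://static.example.invalid/logo.gif">"""

def audit_sample():
    return audit(PAGE_URL, SAMPLE_HTML)
```

A site’s own login form (a password field with no third-party service named beside it) produces no credential finding, so the heuristic distinguishes “log in here” from “give us your other accounts”.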


Comments (5)

  • Svein February 4, 2008 1:14AM

    Yes, you can delete your account from Facebook. And yes, some info is stored in order to successfully identify you if you delete your account then choose to sign back up. Try it.

  • Rob Hampton December 20, 2007 11:35AM

    EVEN after working computer security at my company for 10 years, I fell for the Facebook info requests because so many of my colleagues were using the program.

    It did not occur to me, given Facebook's caveat that they do not keep it, that the request for your e-mail logon and password to access your Outlook contacts meant that data could be harvested and kept. Hummm, would you buy a used car from these people?

    In the past several months I have found Facebook all but un-usable due to the constant add-ons and screen paint delays. I use it less and less. So what happens to the data one has already stored or had logged?

    Thus I ask: If I delete my account (can I delete my account?) does Facebook have my data as long as they want?

  • Will December 19, 2007 5:30AM

    That is a stunning display of stunning stupidity. And yet, if you asked 98% of the people who gladly provide that information where they are least secure, they will say something silly. Sigh.

  • Vesselin Bontchev December 18, 2007 10:36PM

    Facebook is by far not the only social networking site that does this. Plaxo, Spock and others have pretty much the same capability. :-(

    Regards,
    Vesselin

  • Abhishek Karnik December 18, 2007 6:18PM

    I totally agree with you. I think it's ridiculous that people actually offer to give away their personal information too. Another such website is Tagged.com