If you re-use passwords, Facebook may be your weakest link.
In recent days, hackers stepped up attacks in which the social networking site’s users were sent links that led them to phishing sites. And while Facebook credentials may not be particularly valuable on their own, they could be used to access other sites.
“About one-third of all people use the same password for every Web site they access. That’s lunacy,” Graham Cluley, senior technology consultant at security firm Sophos, told InternetNews.com. “If criminals grab Facebook credentials, they may also obtain access to eBay, PayPal, Amazon, and Gmail accounts.”
Reports have indicated that Facebook users are receiving messages that direct them to a malicious link. The site to which they are directed is a typical phishing page — it looks like Facebook but asks users for their Facebook username and password. In some cases, users may also be directed to underground pharmaceutical vendors.
Compromised Facebook accounts can be used to send the same malicious message to everyone in the network, taking advantage of the trust relationships that give social networking sites their value.
But the damage can extend beyond Facebook.
“We believe the bad guys here are phishing an account and then trying those credentials on webmail providers,” Facebook said in a statement. “So, for example, if a user is compromised on Facebook and has the same login and password for their Gmail, the attacker may be able to intercept the Facebook password reset and compromise the account again in the future. This is one of the reasons why people need unique passwords for their online accounts.”
Industry observers agreed.
“Phishing and … malware on an application with the global appeal of Facebook should be taken very seriously,” Dave Marcus, director of security research and communications for McAfee Avert Labs, said in an e-mail. “This threat is affecting users who are serving in areas of combat as well as business users who are on Facebook at work. There is definitely a significant risk of exposing critical networks to what would normally be a consumer threat.”
But how practical is it to ask users to create a unique password for every Web site? To help, users should also take advantage of password management programs, experts said.
Sophos’ Cluley pointed to a video that Sophos made to show users how to make their passwords stronger. In the video, he admitted that using a program might seem risky, but added, “you’re more secure using a password manager than using the same password for every site or using dictionary words.”
Cluley also recommended several pieces of software including one that’s free and open source: the KeePass Password Safe.
But not every tool to store passwords is a worthwhile one: Security firm Symantec advised users to not use the free password management program in their browser.
Facebook advised, and all of the security experts contacted by InternetNews.com agreed, that users should change passwords regularly, perhaps on the same day each month.
Experts agreed that Facebook’s mostly not to blame for this. “The villains are the spammers and hackers,” Cluley said. “Facebook is working hard to delete messages. Perhaps it needs to educate members to be careful online. On any network, when you get a message from your auntie Hilda, you need to know that it’s not always from her.”
Enterprise networks should already have tools to fight these threats, said Jamz Yaneza, threats research manager at security firm Trend Micro. “In a business, there should be a business policy that is propagated to the end user that this is company time and resources.”
Of course, some companies have adopted social networking into their business plan, and blocking Facebook is not an option for them. “Companies need to educate users about Web 2.0. They should not just click on every link,” said Yaneza.
Cluley agreed. “Users should think twice, especially if Facebook asks them to re-enter their user name and password.”
Educated users may be able to spot the attack, Yaneza said. “Most phishing attacks lead to sites outside the social networks. The Facebook attacks have been to external links. The link I tracked a week ago ended up in the Isle of Man .im domain and started downloading exploits and other
Yaneza added that Facebook users can protect themselves by using Facebook settings such as limiting those who can post to their wall.