Facebook on Thursday was hit with yet another spyware attack.
This time hackers managed to crack the security captchas — the words or letter combinations that users are asked to retype when registering — to create new Facebook accounts designed to steal users’ account and personal information.
Roger Thompson, chief of research at AVG Technologies, detailed this latest scam in a blog post Thursday morning. He said that this new tactic was “one of the first if not the first time” that hackers were able to compromise the Facebook captcha.
“We’re seeing a lot of these, all from different profiles, but with the same picture and link,” Thompson said. “I’m sure Facebook will deactivate all these accounts as quickly as they find them, but it can’t be an easy thing for them to find.”
Facebook spokesman Simon Axten told InternetNews.com the social-networking site is working to identify all the bogus accounts in order to disable them en masse.
“The URL contained in the profiles has already been blacklisted by the major Web browsers and blocked from being shared on Facebook,” he said. “We’re looking into how these accounts were created, but it’s very likely that the sign-up process was manual, or that the person behind the attack farmed out the captchas to be solved by humans for a price.”
Axten said Facebook uses an outside captcha company, reCAPTCHA, for the security feature. reCAPTCHA was acquired by Google last month and, according to Facebook, is a highly regarded provider for sites including Ticketmaster.com.
Facebook and its more than 300 million members are no strangers to the exponential increase in attacks on social networking sites in the past few years.
Along with a series of so-called “419” scams, Facebook has been tagged by all manner of hacking schemes, including a February attack in which spammers hijacked a Facebook group with more than 1.5 million users.
Security software vendor Websense last month reported that 95 percent of user-generated comments on blogs, message boards and chatrooms are spam or contain links to malicious code.
“On the education front, we encourage users not to click on strange links and to take appropriate steps if they feel their computer or Facebook account has been compromised,” Axten said.