CXO Security

2011-12-16T11:09:00.000-08:00

In addition to the run-of-the-mill scams you find all over the Internet, there are several scams that target social networking
sites and Facebook users. These include Gaming App scams, Vanity scams, Facebook account thieves, Malicious script
scams, and Clickjackers.
Avoiding gaming scams
When we talk about gaming App scams, we don’t mean you’ll be scammed by the App companies. They’re actually as
much of a victim as the Facebook users who fall for the scams. If you’re an online gamer you already know you have to be
careful not to fall for gaming scams. You already see offers for “cheats” and “hacks.” A lot of these things that promise to
turn you into a great gamer are really designed to steal your personal information.
Many phishing scams pretend to come from popular gaming sites. The danger isn’t using known third-party apps like
Frontierville—it’s falling for phishers pretending to offer you game points or clues. The common scams offer prizes like free
virtual objects. Other lures claim that your account has been suspended and provide a link for you to remedy the problem.
Some of these scams will arrive on your Wall, but a lot will go directly to your email. Why? Numbers. Farmville has over
16 million players. Any spammer hitting a large email list with a phishing lure is bound to net a good number of Farmville
players simply because there are so many Farmville players.
You may also see Wall postings like the previous one. Click on the link and you’ll be directed to a fake Facebook login
page. If you log into the fake page, you’re giving your Facebook password directly to the scammer. How can you tell this is
a phishing scam? Facebook will never direct you to the homescreen once you are logged in.
Facebook will never direct you to the homescreen once you are logged in.
This scammer also used a link shortening service for the above attack. While link shortening services are very helpful
because they simplify very long URLs, the downside is that you may not know where they point to until you click. Use extra
caution when clicking on these short links.
Avoiding Facebook account thieves
When Facebook accounts are stolen, it’s usually because the victim was tricked into using a fake Facebook login screen.
So how do the scammers trick you? Scammers try to catch you off guard and hit you with the fake Facebook login WHILE
you’re actually using Facebook. The scammer might post a status update on your Wall that includes a link to something
enticing. They might do this using an account they’ve stolen from one of your Friends so they gain your trust. The message
will be something that will grab your attention. It might be scandalous photos, a sneak preview of a hot upcoming film, or
a weird video. When you click on the link, you’re asked to log into Facebook again. Except that you’re not on Facebook
anymore. The link actually takes you to a different website, so when you re-enter your Facebook login credentials, you’re
handing them over to a scammer.
Unlike the insanely horrible email scams written in poor English by scammers, most of the fake Facebook login screens are
pretty believable.
This fake log-in screen above is recognizable because of the missing “e” in “Facbook” on the address bar. That’s a wellthought
scam since most people automatically insert missing vowels while reading without even realizing it.
How do you avoid subtle scams like this one? Remember that Facebook will never contact you by sending you a Facebook
message or posting a status message on your Wall. And, ALWAYS, look carefully at both the link in the address bar and
links you click. If it looks suspicious—DON’T CLICK. If Facebook does contact you, it will be via the regular email
account that you provided when you opened your Facebook account.
Always look at the link and DON’T click on it if it looks suspicious.
Also, remember that Facebook only needs you to log in once each session. If you’re asked to log in again—it’s NOT Facebook.
Avoiding malicious script scam
Malicious script scam is one of the sneakier attacks being used on Facebook users. A common con using this attack method
claims to allow you to see who’s been looking at your profile. This enticing scam tries to trick you into pasting text into your
browser address bar.
The “unique code” shown above is the malicious script. While you’re being patient as instructed, the script is setting up your
profile to spam all of your Friends.
In response to detecting these kind of attacks, Facebook added checks to help detect scripts being pasted into the address
bar. So if you do paste a script, Facebook will ask you to confirm that you really want to paste that script—and even tell you
why it’s a bad idea. Pay attention to these warnings.
Don’t paste a script into your browser address bar unless you know exactly what it does and how.
How do you avoid malicious script scam? Don’t paste a script into your browser address bar unless you know exactly what
it does and how. Also give your Friends a heads up if you start seeing spam from them. Your Friends may be completely
clueless that their Facebook accounts have been hacked. Let them know to change their passwords and how to recover a hacked account if needed. (Read on to learn how to recover a hacked account.)
This fake log-in screen above is recognizable because of the missing “e” in “Facbook” on the address bar. That’s a wellthought
scam since most people automatically insert missing vowels while reading without even realizing it.
How do you avoid subtle scams like this one? Remember that Facebook will never contact you by sending you a Facebook
message or posting a status message on your Wall. And, ALWAYS, look carefully at both the link in the address bar and
links you click. If it looks suspicious—DON’T CLICK. If Facebook does contact you, it will be via the regular email
account that you provided when you opened your Facebook account.
Always look at the link and DON’T click on it if it looks suspicious.
Also, remember that Facebook only needs you to log in once each session. If you’re asked to log in again—it’s NOT Facebook.
Avoiding malicious script scam
Malicious script scam is one of the sneakier attacks being used on Facebook users. A common con using this attack method
claims to allow you to see who’s been looking at your profile. This enticing scam tries to trick you into pasting text into your
browser address bar.
The “unique code” shown above is the malicious script. While you’re being patient as instructed, the script is setting up your
profile to spam all of your Friends.
In response to detecting these kind of attacks, Facebook added checks to help detect scripts being pasted into the address
bar. So if you do paste a script, Facebook will ask you to confirm that you really want to paste that script—and even tell you
why it’s a bad idea. Pay attention to these warnings.
Don’t paste a script into your browser address bar unless you know exactly what it does and how.
How do you avoid malicious script scam? Don’t paste a script into your browser address bar unless you know exactly what
it does and how. Also give your Friends a heads up if you start seeing spam from them. Your Friends may be completely
clueless that their Facebook accounts have been hacked. Let them know to change their passwords and how to recover a hacked account if needed. (Read on to learn how to recover a hacked account.)

Avoiding the Scammers

2011-12-16T11:07:00.001-08:00

It’s human nature to avoid dangerous situations. See a piano falling from the roof ? You’re going to automatically move
out of the way. See a scam email, you are going to delete it and report it as spam.
On Facebook, identifying scams is trickier since messages appear to be coming from people you know and trust. So how do
you spot a scam on Facebook? Let’s begin with a bit of context.
Online scams tend to be moving targets. In the beginning, the obvious scams were email attachments from people you didn’t
know. Then it was “Security alerts” from banks or credit cards. Today, it can also be a status update from a Friend asking
you to watch a new video or visit an “awesome” website.
Conventional Scammers
Scammers hit Facebook for the same reason they target the rest of the Internet. They want access to your information, or
your computer, or the money in your pocket. And sometimes they want to trick you into downloading malicious software
to your computer. The trick is to recognize the phishers, account thieves, and malware pushers.
Phishers steal personal information, often the data needed for identity theft and fraud. Phishing is an attempt to trick users
into revealing personal information or financial data. You’ve already seen phishing scams in your email. On Facebook,
phishers can try to scam you from multiple places—in status postings on your profile, in Facebook messages, and in
Facebook chat. They can even send you regular email pretending to be Facebook or a popular App like Farmville or Mafia
Wars.
Account thieves try to trick you into logging into a fake Facebook screen in order to steal your Facebook login and password.
This is why you should always check the address in your browser bar to make sure you are on Facebook and not some other
unrelated site.
Why would anyone want your Facebook account? They hope to access other accounts using your password. They might
want to sell your information, or to scam your Friends. People are far more likely to fall for a scam when it comes from
someone they trust, like a Friend.
Malware pushers want to install destructive software on your computer. That malicious software, called malware, is
designed to harm your computer or steal personal information. That malware might do a number of nasty things. It could
install spyware to log your keystrokes and collect financial account numbers and passwords. Or even lock up your computer
unless you pay a ransom. How do malware pushers target Facebook users? You’ll be presented with an offer to download
and install new software on your computer. It might be a new game, a digital photo organizer, a digital music player, or any
other useful piece of software. Before you download any “free” software, always ask yourself who made it and why it might
be free. If it feels a bit dicey, don’t download it. You are the first line of defense against malware. Think before you click!

Protecting Your Facebook Account

2011-12-12T14:07:00.001-08:00

You are the first line of defense in protecting your account. You can take control of your protection by using strong
passwords, taking advantage of the many advanced security settings that provide authentication as well as secure
communications, and making sure you log out when you are done.
Using good passwords
Using a good password is something that you should do every place you visit on the Internet, not just Facebook. Creating a
good password is fairly simple. You want it to be complex enough that it can’t be guessed, yet meaningful enough that you
can actually remember it.
Have a great password?
• Don’t use it for ALL your accounts.
• Don’t share it with friends.
• Change it regularly.
• Consider storing it in a password tool.
A good password has at least eight characters, one or more numbers, and at least one special character. Use non-words but
associate them with a word. Imagine your pet’s name is Buddy, you live on State Street, you’re 15, and you like to stargaze
at night. A good password for you would be budstat15*. Or go for something humorous you can remember. One woman
set her work password to remind her of why she went to work, 4da$cash.
Can’t remember that many details? Use a password tool to remember for you. Many browsers now include password vaults.
If yours doesn’t, consider a free tool like KeePass Password Safe (http://keepass.info/). And just in case you still forget, be
sure to add a security question and your mobile phone number in the ACCOUNT SETTINGS of your Facebook account.
Logging out of Facebook
Logging out of Facebook when you’re not using it is a simple and effective way to protect your account. Many people think
that if they close the web page or exit the browser that also logs them out of Facebook. It doesn’t. The next person who goes
to Facebook.com on that computer will find themselves already logged in—to your account. Logging out is crucial when
you’re accessing Facebook away from home.
But it’s also important at home if you share a computer. Just ask Nathan, a 16-year-old who left his Facebook account
logged in on the family computer. During one soccer practice, his sister dumped his girlfriend for him by changing his
Facebook relationship status to SINGLE. Since then, he makes it a point to always log out of Facebook before leaving the
house. And remember, if you forget to log out of an active session, you can always remotely close that session from the
ACCOUNT SECURITY section of the ACCOUNT SETTINGS page.

A Guide to Facebook Security

2011-12-12T14:05:00.000-08:00

If there was any doubt on the incredible power of social networking, consider the more than one billion pieces of
content shared each day with over half a billion users. Facebook connects over 500 million people in over 210
countries—indeed, its global population exceeds the size of most European countries, and counts among its members
citizens from every single continent in the world.
People on Facebook have great power—they can Friend, Chat, share Status Updates, post Comments, share Links, tag
Photos, post Videos, join Groups, create Pages, design Polls, and play together using Applications. They use Facebook
to promote causes, interests, and themselves! Facebook allows the world to be more open and connected by giving its
users the tools to interact and share in any conceivable way. And, to paraphrase the superhero, with great power comes
great responsibility. Just as a city paints sidewalks, and pedestrians look both ways before crossing the street, security
on Facebook is a responsibility shared between Facebook and the people who use its platform.
This guide is all about empowering you to Own Your Space—to understand what Facebook is doing to make the site
safe and secure and to take the actions that are needed in this new digital world to protect yourself and your account.
While the focus of this guide is on Facebook, the lessons here apply to every site you visit online. Throughout the
guide, we will highlight the unique tools that Facebook provides so that you can harness your power by protecting
your account, using advanced security settings, recovering a hacked Facebook account, and stopping imposters.
Beyond this, we want you to adopt the mantra: Stop. Think. Connect. Facebook has a ton to offer people, and
with a little bit of common sense you can stay safe and secure. We hope you find this guide useful. Please join the
conversation by visiting the Facebook Security Page at www.facebook.com/security.