14-Apr-2007: Social networking sites like Facebook are helping the phishers
Privacy settings on social networking websites such as Facebook give people a false sense of security that could expose them to phishing attacks, a computer security researcher says.
Facebook and sites like it offer users the opportunity to share varying amounts of information with others on the network, ranging from a restrictive setting that lets only people designated as friends see personal details, to one that lets anyone and everyone read the user's profile.
"This illusion of privacy leads people to be a little freer in their disclosure," Symantec Corp. security researcher Nick Sullivan wrote in a post to the company's security response weblog on Friday.
A quick scan of Facebook profiles confirms his assertion, with a broad range of information freely offered by the service's users.
The profiles can include e-mail and physical addresses, phone numbers, birthdays, work and education histories and other information that can be compiled into a comprehensive profile.
"This 'private' information found in many accounts is a treasure trove of contextual information for the determined phisher or identity thief, if they can get to it," Sullivan wrote.
One way to do so is to seize control of the account of someone designated a friend or someone in the same network, he said.
Phishers can easily engineer fake notifications that mimic the format of the legitimate friend-request e-mails sent to Facebook members, for example. A typical e-mail asks the recipient to click a link to confirm that they are friends with the person who has requested to add them on the network.
"Some users are conditioned to follow this process whenever they receive an e-mail of this sort," and almost reflexively log in to a site through a link provided in an e-mail, he noted.
"This simple, clean design is very easy for a phisher to mimic. … This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions."
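The weak point Sullivan describes is the link in the notification: the message looks right, so the reader follows the link without checking where it leads. As an added example, not code from the article, Symantec or Facebook, the following Python checker does the check a mail filter or a cautious reader would do on a "friend request" notification: pull out every link and ask whether its host really belongs to the site the message claims to be from. The expected domain list and the sample messages are constructed for illustration.

```python
"""Flag notification e-mails whose links do not lead to the expected site.

Added example for illustration; the expected domain and the sample
messages below are assumptions constructed for this snippet.
"""
import re
from urllib.parse import urlparse

# Domain the notification claims to come from (assumption for the example).
EXPECTED_DOMAINS = {"facebook.com"}

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+')


def extract_links(body):
    """Return every URL in an HTML or plain-text body, in order, without duplicates."""
    found = HREF_RE.findall(body) + BARE_URL_RE.findall(body)
    seen, links = set(), []
    for url in found:
        if url not in seen:
            seen.add(url)
            links.append(url)
    return links


def registered_domain(host):
    """Crude registrable domain: the last two labels (enough for .com examples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return (verdict, reason) for one link; verdict is 'ok' or 'suspicious'."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return "suspicious", f"non-web scheme {parsed.scheme!r}"
    if parsed.username is not None:
        # Anything before '@' is user-info, not the host; the real host follows it.
        return "suspicious", f"user-info in URL hides the real host {host}"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "suspicious", "raw IP address instead of a hostname"
    domain = registered_domain(host)
    if domain in EXPECTED_DOMAINS:
        return "ok", f"host {host} belongs to {domain}"
    for expected in EXPECTED_DOMAINS:
        brand = expected.split(".")[0]
        if brand in host:
            # The brand name appears as a label, but the registrable domain is unrelated.
            return "suspicious", f"'{brand}' appears in {host} but domain is {domain}"
    return "suspicious", f"link leads to unrelated domain {domain}"


def check_message(body):
    """Classify every link in a message; the message is suspicious if any link is."""
    results = [(url, *classify_link(url)) for url in extract_links(body)]
    verdict = "suspicious" if any(r[1] == "suspicious" for r in results) else "ok"
    return verdict, results


# Constructed sample notifications (not real messages).
LEGIT = (
    "<p>Alice added you as a friend on Facebook.</p>"
    '<a href="https://www.facebook.com/reqs.php">Confirm friend request</a>'
)
LOOKALIKE = (
    "<p>Bob added you as a friend on Facebook.</p>"
    '<a href="http://www.facebook.com.login-verify.example/reqs.php">'
    "Confirm friend request</a>"
)

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("lookalike", LOOKALIKE)):
        verdict, results = check_message(body)
        print(f"{name}: {verdict}")
        for url, link_verdict, reason in results:
            print(f"  {link_verdict:10} {url}  ({reason})")
```

The registrable-domain check is deliberately simple (last two labels), which is adequate for `.com` brands but would need a public-suffix list for country-code domains such as `.co.uk`; the point of the example is that the decision rests on the link's actual host, not on how the message looks.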
MillerSmiles is the web's dedicated anti-phishing service. Launched in 2003, the site has become one of the most trusted internet security related websites on the internet.