Friday, June 10, 2011

Facebook Facial Recognition

Facebook has been gathering data from your photos and has now created a new tool that uses facial recognition to tag people in photos. This doesn't sound like a bad idea at first; even Google did this with Picasa. The bad part is that this is Facebook, a site riddled with thousands of privacy issues that grow every time a new feature is launched.

The new feature doesn't give a person the chance to approve being tagged. This means that if someone posts a bad picture of you in a bad situation, or a situation that looks bad but wasn't, that photo could be put up by one of your friends and suddenly it's a permanent mark on your record. You can't take it down; you have no control over it.

Also, you only have the option to opt out; it's not an opt-in sort of thing. That means if you know about it, you can try to dive into your privacy settings to find the opt-out, but you'll probably spend 15 minutes searching for it. It also means that, right now, the facial recognition software has already been scanning all of your photos.


Facebook may even push the ability to use facial recognition onto their app developers, resulting in that facial recognition data being spread across the world, out of your control. This data could be used for harmful things, such as stalking a person, ruining someone's reputation and other horrible acts. Facebook could even use it to tailor ads to you. For example, your buddy was drinking Michelob Light in one of your photos; you didn't drink at all but were tagged in the photo. Suddenly beer ads start showing up like mad on your Facebook pages.

The software sees that someone you're associated with smokes weed or does an illegal drug, and suddenly you're seeing ads related to that.

This information could be used later on to create a mobile app that could identify you in real time just by viewing your face for a split second. Instantly everything you did online is revealed to a person you never met, just because they pulled out their phone for 2 seconds.

Google had actually planned on creating software that could do the above in Google Goggles but decided it was too big of a privacy issue, so Google stated that they will never create such software. Facebook, on the other hand, has a huge reputation for not caring about anyone's privacy: simply putting out people's information and then, after months, finally making it possible to hide it again.


What do you think of the new facial recognition tool? Good, bad, unsure? Post in the comments!

Wednesday, May 4, 2011

Bin Laden's Death Spurs Bin Laden Scams

A tip came in about this. I haven't seen this personally, but be wary of links related to bin Laden's death:


A link which claims to point to a shocking video of the death of bin Laden is already spreading virally across Facebook just hours after his death was announced. The messages, posted as updates on Facebook users’ walls, claim to point to banned video footage of bin Laden’s death. But instead of a shocking video, users are presented with a survey which gives scammers money every time it is completed.


Paul Ducklin, Head of Technology in Sophos Asia Pacific, advises computer users to watch out for scams related to bin Laden’s death not just on Facebook but on other parts of the internet too.


A couple of tips to avoid scams:
  • Don’t blindly trust links you see online, whether in emails, on social networking sites, or from searches. If the URL and the subject matter don’t tie up in some obvious way, give it a miss.
  • If you go to a site expecting to see information on a specific topic but get redirected somewhere unexpected – to a “click here for a free security scan” page, for instance, or to a survey site, or to a “download this codec program to view the video” dialog – then get out of there at once.  Don’t click any further as it is a scam.
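The first tip above, "if the URL and the subject matter don't tie up, give it a miss", can be turned into a mechanical check: compare what a link's visible text advertises with where its href actually goes, and treat shortened URLs (bit.ly and friends, which hide the real destination) as needing a second look. The following Python script is an added example written for this post, not code from Sophos or from this blog; the HTML wall post it parses is constructed to resemble the scam messages described here, and the list of shortener hosts beyond bit.ly is my own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts of URL shorteners: bit.ly is the one named on this blog, the rest are common ones I added.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host of a URL or bare domain, lower-cased and without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    """True when the visible link text itself reads as a web address."""
    return re.fullmatch(r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def audit_links(html):
    """Return (href, reason) for every link whose destination does not match what it advertises."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        target = host_of(href)
        if target in SHORTENER_HOSTS:
            findings.append((href, "shortened URL, real destination is hidden"))
        elif looks_like_url(text) and host_of(text) != target:
            findings.append((href, f"text advertises {host_of(text)} but the link goes to {target}"))
    return findings


# Constructed wall-post HTML modelled on the scam messages described on this blog (not a real capture).
SAMPLE_WALL_POST = """
<p>hahah mine is hilarious!!! check yours out :)
<a href="http://survey-redirect.example/offer?id=7">youtube.com/watch?v=abc123</a></p>
<p>who blocked you? <a href="http://bit.ly/xyz123">bit.ly/xyz123</a></p>
<p>Official help pages: <a href="https://www.facebook.com/help">www.facebook.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_WALL_POST):
        print(f"suspicious: {href} ({reason})")
```

Run as-is it flags the first two links (a YouTube-looking label pointing at a survey host, and a bit.ly shortener) and leaves the Facebook help link alone. The check is deliberately conservative: it only complains when the visible text itself looks like an address, because plain "click here" text gives nothing to compare against.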

Tuesday, May 3, 2011

Browser Exploit: See what you'll look in the future!

A new browser exploit has surfaced; this one takes control of a user's browser without them knowing. It sends messages to all of their friends and posts messages to their walls.

This exploit says " hahah mine is hilarious!!! check yours out :)
See what you'll look in the future!
 
aging-4.info
This cutting-edge technology will show you exactly how your face will look in the future!"


This scam spreads very virally as it puts out links that users are likely to click, and takes over the infected user's chat to send messages to everyone in their friends list.

First things first: if you use Internet Explorer, stop using it. It's the least secure browser, and things like this WILL happen to you again if you don't.

Set your Facebook account to use SSL (this encrypts the connection between your browser and Facebook, which makes it much harder for hackers to snoop on or hijack your session). If you wish, you may also set your account to send you an email when someone else logs into your account.
Unfortunately, now it's time for the clean-up. Start an anti-virus scan, and while it's scanning go on Facebook and look through all of your outgoing posts (you can see these by clicking on your name, which takes you to your profile page). Delete all of the malicious posts, and bulk message ALL of your friends to let them know this happened and tell them to ignore any links that your account sent them. Otherwise your friends will all get infected too as the scam spreads.

Now that you've done that, change your Facebook password; it is possible that it was stolen.

Monday, May 2, 2011

Mac users hit with Anti-virus scam when using Google Image Search.

This article is a direct repost of an article by Sophos. All images and content in this message are from them, unedited; I claim no rights to their content, I'm simply spreading the word.
A massive SEO poisoning attack has hit Google, targeting Windows and Mac users alike. From rather innocuous terms related to global warming, to hot topics like Osama bin Laden's death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple's Mac OS X.
JavaScript Fake AV scanner
Strangely, when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac.
When you click or close the fake scanner page you are prompted to download a .zip file onto your Mac with a filename like "BestMacAntivirus2011.mpkg.zip".
Some of the downloads are a package installer that installs the fake software; others simply contain a ready-to-run Mac application.
Fake AV for Mac installer/download
In a similar social engineering trick to the ones we have seen in Windows fake scanners, it pretends to be a legitimate Mac anti-virus program called MacDefender.
The scanner doesn't actually touch the hard disk while "scanning", although on a Mac it can be hard to know without a hard disk light.
It pretends to find some very important things that may have been compromised, such as the Terminal application and the standard Unix utility test, also known to Unix shell programmers as [.
Mac fake scan results
Credit card at risk warning
It uses a lot of social engineering, including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected.
It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software.
Buy fake Mac AV

Sunday, April 17, 2011

(your friend) has answered a question about you!

If you see the message "[insert friend's name here] has answered a question about you!"
Be very wary of this wall post. It's not a real app; it's actually a clever hacker's browser exploit. What happens after you click the link is that your web browser is hacked.

I used my fake account to check out this scam, and after clicking the link which causes the exploit, it takes you to the installation/permission page for the app Friend Expose, which is an app that seems to be spreading around rapidly. This app, however, appears to actually be a fraud in itself. It's only pretending to be a question app.

How do I know this?

I literally JUST made my fake Facebook account. It has only one friend added, and that friend is my real Facebook account, but this is what I see in the app:


The app tells me people answered 62 different questions about me and that I can "unlock" who said what.

Seeing as I'm my only friend on this account, and on my real account I don't even have Friend Expose, this isn't even possible.

Friend Expose gives you credits for "answering questions about friends".

The app mimics question apps because it makes it even more stealthy, stealthy enough to not get caught by Facebook. I answered the question with "yes" just for shits n giggles.
Yea I do have a nice ass! lol
Immediately it shot my real account a message. Web Of Trust immediately shows red, meaning other users have rated it as unsafe. I have the web address highlighted with my mouse (shown at the bottom of the screenshot). This link leads to a site off of Facebook; what happens there is the browser exploit is installed into your browser without you ever seeing anything, and it quickly redirects you to install Friend Expose if you're a user without it.

This app is in essence a very, very, very well made scam; it cleverly disguises itself as a friendly question app when in reality it's infecting all of your friends. The app also allows you to do surveys or use PayPal to buy more credits to unlock the answers to your questions. I kept asking questions until I had 50 credits, unlocked a question, and it told me that my real account answered the question.

The reality is, it just picked a random person from my fake account's friends list, and since I'm the only friend on it, it picked me. My real account doesn't have the app and therefore CAN'T answer the questions on the app.

Thus it's a fraud to steal money, exploit web browsers and spam the crap out of everyone's Facebook walls.

What to do if you fell for this scam?
Remove Friend Expose from your Facebook account.
The browser exploit will still be there, but your account won't have the app anymore. Next you must reinstall your browser or switch web browsers. I recommend using Google Chrome or Mozilla Firefox. I highly suggest against Internet Explorer.

Let your friends know, link this article to your friends that appear to have been affected by this malicious app.

Tuesday, April 5, 2011

Web Of Trust - 1 easy way to protect yourself against scams and bad sites on the web.

There's a great tool out there that you may have heard of called Web Of Trust. Web of Trust is a free browser add-on that shows an indicator of the reputation of a website. If the reputation for a site is poor, the indicator will show red and a message will pop up as soon as you pull up the site, letting you know it's not a safe site and asking whether you would like to stay on it.

Even for advanced computer users who can spot scams almost immediately, Web Of Trust is still useful. Users can report sites that they believe to be suspicious, as well as give sites ratings.

Web of Trust has also begun protecting you on places like Facebook and Twitter. Whenever you see a link that leads off of Facebook you will see an indicator icon near the link telling you the ratings of the site.

I highly recommend this add-on to everyone.

Click here for an example of the detailed ratings you get from Web Of Trust (WOT for short) on a site

Click here to go to the Web Of Trust Website

I cant believe that you can see who is viewing your profile! - OpenMouthed

You may start seeing a scam referred to as OpenMouthed spreading virally throughout your friends.

If your friends fall for the scam, their Facebook account will begin to post news feed messages with one of these two texts:
LOL !! Me cant believe that you can see who is viewing your profile! I can see the TOP 10 people and I am really OPENMOUTHED that my EX is still checking me every hour. You can also see WH0 CHECKS YOUR PR0FILE here-> [LINK]
or
I cant believe that you can see who is viewing your profile! I can see the TOP 10 people and I am really OPENMOUTHED that my EX is still checking me every hour.You can also see WH0 CHECKS YOUR PR0FILE here @ [LINK] 
Screenshot courtesy of Sophos

Since this is a viral app, it could potentially start posting different messages when the hacker/developer updates it.

Note: another way to tell if a message is from this app is by the name. What I mean is, under the post it will say "8 minutes ago via Profile Scannerz" in grey below the message.

The app name can change, however, so if you see the above message or something similar, it's probably not safe.

Also, no app can check who looks at your profile; it's not possible. Such an app would have to have planted code on your Facebook profile outside of an app's wall, and no app has the ability to do that, only Facebook can.

Whatever you do, do not click the link in the message when you see it posted. The link will likely be a shortened URL from bit.ly, and it will try to give the app permission to post to your wall and view some of your information.
Screenshot courtesy of Sophos
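The two messages quoted above, the "WH0 CHECKS YOUR PR0FILE" spelling (zeros standing in for the letter O, which is there to slip past simple keyword filters) and the "via Profile Scannerz" attribution line are all things you can match on automatically. The Python below is an added example written for this post, not code from Sophos or from this blog: it normalises digit look-alikes before matching, checks a post's text against the phrases quoted here and its "via" app name against the one named here, and runs over a constructed sample feed (the two quoted messages, an obfuscated variant I made up, and two harmless posts). The look-alike table and the extra app name in the sample are my own.

```python
import re

# Digit/symbol look-alikes scammers substitute to dodge keyword filters ("WH0 CHECKS YOUR PR0FILE").
_LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Phrases taken from the OpenMouthed messages quoted on this blog, plus the generic profile-viewer bait.
SCAM_PHRASES = (
    "see who is viewing your profile",
    "who checks your profile",
    "who looks at your profile",
    "openmouthed",
)
# App names seen in the "via ..." line under a post; only the one named on this blog is listed.
SCAM_APP_NAMES = ("profile scannerz",)


def normalize(text):
    """Lower-case, undo digit look-alikes and collapse whitespace so obfuscated text compares cleanly."""
    text = text.lower().translate(_LOOKALIKES)
    return re.sub(r"\s+", " ", text).strip()


def classify_post(message, via_app=None):
    """Return the reasons a wall post looks like the profile-viewer scam; an empty list means clean."""
    norm = normalize(message)
    reasons = [f"phrase: {phrase}" for phrase in SCAM_PHRASES if phrase in norm]
    if via_app and normalize(via_app) in SCAM_APP_NAMES:
        reasons.append(f"posted via known scam app: {via_app}")
    return reasons


def scan_feed(posts):
    """posts: list of (message, via_app). Returns [(index, reasons)] for every post that trips a rule."""
    flagged = []
    for index, (message, via_app) in enumerate(posts):
        reasons = classify_post(message, via_app)
        if reasons:
            flagged.append((index, reasons))
    return flagged


# Constructed sample feed: the two messages quoted on this blog, an obfuscated variant and two benign posts.
SAMPLE_FEED = [
    ("LOL !! Me cant believe that you can see who is viewing your profile! I can see the TOP 10 people "
     "and I am really OPENMOUTHED that my EX is still checking me every hour. "
     "You can also see WH0 CHECKS YOUR PR0FILE here-> [LINK]", "Profile Scannerz"),
    ("I cant believe that you can see who is viewing your profile! I can see the TOP 10 people and I am "
     "really OPENMOUTHED that my EX is still checking me every hour.You can also see WH0 CHECKS YOUR "
     "PR0FILE here @ [LINK]", None),
    ("see WH0 L00KS AT Y0UR PR0F1LE!!! http://bit.ly/...", "Prof1le V13wer"),
    ("Just got a new dog, so excited!", None),
    ("Top 10 things to do in the summer", "Some Quiz App"),
]

if __name__ == "__main__":
    for index, reasons in scan_feed(SAMPLE_FEED):
        print(f"post {index}: {'; '.join(reasons)}")
```

The first three sample posts are flagged, the last two are not. Because the app name can change (as noted above), the phrase rules carry most of the weight; the "via" check is a bonus signal, not the only one.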

If by chance you've clicked the link and gave the app permissions (probably thinking that it will give you the ability to see who looks at your profile), the app will take you to a group of surveys. It doesn't outright say they're surveys; it says they're tests to make sure you are who you say you are. Surveys are how the hacker/dev makes money off of this scam.


If you fell for the scam, you can stop the app from posting on your behalf and erase the messages it posted. Here's how:

Video Courtesy of Sophos


Saturday, April 2, 2011

Who blocked you from his friend list?


I apologize for this screenshot being so messed up; I was using the snipping tool for it to hide the names of infected people and it got really buggy.



If you get an invite to this "event", don't even bother opening it; it's a scam. Just like the "Nastiest Girl" scam, it redirects your browser a few times and takes you to install a malicious app.
This app grabs your profile info and asks for the permission to create events on your behalf.
One of the malicious apps that this event links to; look at the permissions it asks for.
What this app then does is spam your friends with these fake events until all of your friends finally fall for the scam and this app spreads virally, filling everyone's event inbox with complete junk. It is unknown what the app does with your personal information; it may store it somewhere, sell it, or use it for other scams.

OMG Watch the Nastiest Girl Fight Video Ever

A scam has popped up that takes advantage of people who don't realize the difference between apps and events on Facebook. This scam spreads by people "attending" the event and inviting others to attend it. This event spreads virally just like all of the other scams I've reviewed.

The Event page looks like this:
As pictured, the profile picture for this event displays a picture of a girl with a play button over her. This is not a real video; it is simply a picture on the event page. Users fall prey to the scam by clicking the link posted in the description of the event, installing a malicious app and giving it permissions over their account.

Some users, not all, claim that they do see a video after clicking the link. These people may be trolls, they also may be fake accounts created by the scammer to try to convince people to click the link.

If someone were really trying to show you some nasty video, they would show it to you on YouTube or another popular online video service. Don't fall for these scams.

Thursday, March 31, 2011

Scammed and I didn't even realize it.

I normally don't get scammed, heck this blog is mostly about internet scams. I have to give credit to the people who created this one.

Alright so here's how things went down.
One of my friends got one of those apps that creates a picture and then tags every one of your friends in the photo. Well, the app is fake, sort of: it creates a real picture and really posts it; the issue, however, is that the app itself posts a link in your news feed supposedly to the photo. It even shows a thumbnail of the photo and says "you were tagged in such and such's photo". The link goes to this web address: http://apps.facebook.com/lancashiregrqbo/ I didn't make this a link because it's not safe. DO NOT GO TO THAT ADDRESS.
This same scam app posts
The web address is to an app on Facebook, which quickly breaks out of its iframe on Facebook and redirects you a few times, causing you to give it permission to post to your wall as well as other permissions, resulting in one of the worst viral apps there is.

I don't know the full extent of what it does except that it's a viral phishing scam that spreads rapidly and undetected by most users, but I've gotten more information that it shows up in multiple forms.

If you see the following, avoid clicking on them and also report it to your infected friend.

The app also mimics the "Fun in your name" Facebook app, pretending to create those photos and placing "click here to see the photo" sort of links in your feed, thus spreading it to your friends.


I'd post how to solve the issue after you've already fallen for it, but unfortunately the only thing I know you can do is remove the message that it posts on your wall immediately after clicking the link. I couldn't find it as an installed app; it's an exploit. Unfortunately, if you gave them any information after clicking the link, you can't delete it off their system. (I fell for this exploit but didn't fall for the phishing scam.)

Thursday, March 24, 2011

"hacking" vs h4cking vs hacking

This is something I've always found irritating. Y'know when a friend leaves his Facebook on and his friend goes and posts something stupid as his status? People nowadays refer to that as hacking. When some jerk literally just guesses your password, or finds where you wrote it down and uses it, people refer to it as hacking.

When people are playing video games and someone does something outside the rules of the game, such as teleporting when the game doesn't allow it, people generally refer to it as hacking. Honestly though, the truest meaning of hacking is what the programmer did in making the scripts so that the A-hats who want to cheat can cheat. This misuse of the term hacking I'm fine with, because actual hacking did occur down the line.

The situation I mentioned of a person simply guessing someone else's password is not hacking unless that person actually broke into a database or system where that password was located, OR if they used a program/made a program to automatically figure out the password. Otherwise it is simply called password stealing or account stealing. Throwing the term hacking out there doesn't make you sound cool; it makes you sound retarded.

Now that that's out of the way, hacking isn't always a bad thing. For example: Pwn2Own is basically a hacker convention/contest. The goal of the event is for companies to submit their products with a prize and have hackers compete to hack the product. Why would a company want people to do this? The answer is simple: if these hackers find a new vulnerability in the software, the company will be able to patch that hole in their security before bad hackers get their hands on it. There are several types of hackers, but the two most common names we use are white hat hackers and black hat hackers. White hat hackers are generally the good guys; they use their skills to help fix security issues in all sorts of software.
These guys are very skilled and can work their way into almost any network or system quickly and virtually undetected. These are the guys who generally go to Pwn2Own for competitions, earning around 15-50 grand for each exploit they uncover. Black hat hackers are the bad guys you generally think of when you hear the term hacker. They create viruses, worms, trojans, malware, all that fun stuff; they steal bank account info, and if they want to hurt someone and do it badly they can use the internet to destroy that person. Black hat hackers are just as smart as white hat hackers; the only difference is their morals.

Also, to answer a quick question I hear a lot, "Why do hackers create viruses?": black hat hackers create malware like viruses and worms as a bragging thing, really. Many black hat hackers are very egotistical. People often think of hackers as complete geeks who never get out of the house; that may be true in some cases, but hackers generally have the urge to show off their skills and try to one-up each other. It's like with sports, only not very mature.


Thank you for reading I hope I've taught you a little something.


White = good hackers
Black = bad hackers

Don't think you'll forget that tidbit of info.

Best Friend Detector/BFF finder/Who are your best friends?

This is a fairly new trend of app. What these apps do is claim that if you use them, they will attempt to identify your best friends. Now right off the bat you know it's not going to be accurate, because they can't read your mind. But most of these apps are actually viral apps that don't do anything more than pull a random selection of friends from your friends list and spit them out, claiming them as your best friends.

The "good" best friend apps are ones that actually take wall posts and other things into account. Unfortunately though most of them don't.

So.... they're sort of fake apps.... they're poor quality.

So why would I post about em since again everyone knows they're not psychic?
Because these apps tend to ask for ridiculous permissions from you, such as access to your email, access to your friends' information (beyond just their names and profile pictures), your non-basic information, the right to post on your wall and the ability to access your data without you being logged in. These apps shouldn't need as much as they ask for. All they should need is your basic information, which includes friends' names and their profile photos. Some request access to view your wall; that's a reasonable request, because some of them actually use your wall data to weigh who your better friends are, making them more accurate than random guesses. Don't expect much out of them still.

tl;dr: Best Friend apps tend to ask for ridiculous permissions. Check em before you install.

Wednesday, March 23, 2011

You give apps a lot of power over your information and your friends and you probably don't even realize it



When you install an app to your Facebook account do you read over what the permissions that app asks for?

If you're like most users, you instinctively click allow without reading what the app wants.
The above is an example permissions page. Many apps nowadays request permission to post to your wall, some request permission to view posts on your wall, some request permission to access your profile information at any time of their choosing, and some request access to your friends' information.

What you don't realize is that not only did you just give a company or person all of your personal information, photos and videos, and access to your profile's wall (which your friends and apps have posted to), but you also gave them access to your friends' profiles. You gave them access to post messages on your behalf.

You gave all of that away for free.
Just for an app where you get to have your own little virtual cafe where every type of food you make shockingly takes more than a few hours to make causing you to come back to facebook every day just to make sure you cook this virtual food to your virtual customers for your virtual currency which you can spend to make more virtual food for your virtual customers.
So does that mean you can't install tons of fun, cool apps and games? Not at all. Here's what you need to do: think about what is necessary for the game to run.
Generally, games ask for permission to view who your friends are and your basic personal information (gender, name, etc.). Facebook throws all of that under "Basic Information".
Why do games want to know who your friends are? Easy: that way they can get you to invite your friends so they can "help" you in the game. It's also common for games to request permission to post to your wall. Unless you really want ads posted on your wall, I suggest either not adding the app or, as soon as you install it, disabling the posting-to-wall feature.
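The "think about what is necessary for the app to run" rule from this post, and the list of permissions best-friend apps have no business asking for from the post above it, both come down to the same check: compare what an app requests against what its job can justify. The Python below is an added example of that check, written for this blog and not Facebook's own code or any app's. The permission names follow the Facebook Platform naming of that era as I recall it (email, publish_stream, read_stream, offline_access and so on) but should be treated as illustrative; the per-app-kind baselines, the risk descriptions and the three imaginary apps' permission lists are my own constructions.

```python
# Permission names follow the Facebook Platform naming of that era as I recall it; treat them as
# illustrative. The risk labels and the per-app-kind baselines are my own choices for this example.
PERMISSION_RISK = {
    "email": "can read your e-mail address",
    "publish_stream": "can post to your wall on your behalf (ads, viral spam)",
    "read_stream": "can read everything posted on your wall, including friends' posts",
    "offline_access": "can use your data whenever it likes, even while you are logged out",
    "user_photos": "can read all of your photos",
    "friends_photos": "can read your friends' photos",
    "friends_about_me": "can read your friends' profile details beyond name and picture",
    "create_event": "can create events in your name (how the fake-event scams spread)",
}

# Basic Information (name, gender, friend list, profile picture) is always granted; this maps an app
# kind to the extra permissions its job can plausibly justify.
JUSTIFIED = {
    "game": set(),                           # the friend list alone is enough to invite friends
    "best_friend_finder": {"read_stream"},   # needs your wall posts to weigh who you interact with
}
# Permissions that are a user choice rather than a red flag: accept them only if you want what they do.
OPTIONAL = {"publish_stream"}


def audit_permissions(requested, app_kind):
    """Sort an app's requested permissions into fine / your call / excessive for the given kind of app."""
    justified = JUSTIFIED.get(app_kind, set())
    report = {"fine": [], "your_call": [], "excessive": []}
    for perm in requested:
        if perm in justified:
            report["fine"].append(perm)
        elif perm in OPTIONAL:
            report["your_call"].append(perm)
        else:
            report["excessive"].append((perm, PERMISSION_RISK.get(perm, "unknown permission, ask why")))
    return report


def verdict(report):
    """Turn the report into the advice given on this blog: refuse, install but disable posting, or fine."""
    if report["excessive"]:
        return "do not install"
    if report["your_call"]:
        return "install, then turn off posting to your wall"
    return "looks reasonable"


# Constructed permission requests for three imaginary apps.
VIRTUAL_CAFE = ["publish_stream", "email", "offline_access", "friends_photos"]
SIMPLE_GAME = ["publish_stream"]
BFF_FINDER = ["read_stream"]

if __name__ == "__main__":
    for name, perms, kind in [("virtual cafe", VIRTUAL_CAFE, "game"),
                              ("simple game", SIMPLE_GAME, "game"),
                              ("bff finder", BFF_FINDER, "best_friend_finder")]:
        report = audit_permissions(perms, kind)
        print(f"{name}: {verdict(report)}")
        for perm, why in report["excessive"]:
            print(f"  {perm}: {why}")
```

The virtual cafe asking for your email, offline access and your friends' photos is refused outright; the game that only wants to post to your wall gets the "install, then disable wall posting" advice; the best-friend finder that only reads your wall passes, while the same request from a plain game would not.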

tl;dr: Lesson: Read the permissions you give apps before you install them. Otherwise you're probably giving them more than you realize.

Thanks for reading! :)

Facebook Dislike button scam

This one's pretty old but it still comes back every now and again so I feel it's important to put out there.
Facebook has a like button but no dislike button. Many people, including myself, think a dislike button would be cool and kinda funny too. Unfortunately Facebook didn't create one because they felt that the dislike button would be abused and used at bad times. Here are some made-up examples of when the dislike button might be used, causing many upset people.
My mom just found out she no longer has cancer - dislike
Just got a new dog - dislike
We have a new addition to the family today, a new baby BOY!!! - dislike

Scammers took advantage of the fact that many people wanted a dislike button on Facebook. They started creating groups, pages, and even apps that would say "like this" to get access to the dislike button.
All of these are fake; liking their pages won't enable anything except support the scam.

Now, even though I just said that these are a scam, there is actually one way you can have your dislike button legitimately.

The only way to have a dislike button without Facebook creating one is to use a browser extension, Greasemonkey script or add-on.

There is a catch though: only people with the same add-on as you can see your dislikes. This is because the dislikes are stored on the add-on creator's servers and not on Facebook's servers.
Here is a link to the Mozilla Firefox Dislike button add-on:
https://addons.mozilla.org/en-us/firefox/addon/facebook-dislike/.
 
 

See who looks at your profile/how many times has your profile been viewed?

There has been a scam around lately where supposedly if you added an app it would let you view who looks at your Facebook profile.

Some apps even claim if you add their app you can see how many times your profile has been viewed.

These are complete scams. The only people who could tell you that information is Facebook. Why? Because the code required to count, as well as see, who's looking at your profile would have to be on your profile since its creation, and that code is not there. Before Facebook revamped their profile pages again, you used to see thousands of apps with crap all over your page. Those apps still could not identify which friends visited your page; they could, however, count how many page visits you got, though they were incredibly inaccurate. Facebook no longer has that same system. No app can count how many friends view your profile or which ones are doing it.

These scams are usually survey scams and are viral; they tend to post messages to your wall without you knowing.

Girl killed herself, after her dad posted this to her wall -scam app

This is probably the worst of all of the Facebook scams I've seen. You may have actually seen this one floating around Fbook yourself. Basically the app uses phrases like "Girl killed herself, after her dad posted this to her wall". The app posts sentences like that to users' walls in the hope of getting someone to click the link. Once you click the link there are a few things that will happen: they will try to trick you into liking their page, get you to fill out a survey (it earns them money), collect your personal information, and exploit Facebook Connect. One friend I've seen has had the malicious exploit send messages to all of his friends, and now all of his friends have the same problem. You can fix this issue, however.
One of the Facebook pages it tries to get you to "like"

If you or a friend fell prey to this scam, you can fix the problem. Unfortunately, though, if you gave them your personal info they will still have it (there is no way to change that). This video provided by Sophos will teach you how to fix the issue.

Welcome to Safebook

I'm just getting going but I think this site will help many many people. The focus of this blog is security on the web. Facebook is one site I plan to talk about a lot, seeing how every week I see a new scam show up on Facebook. I plan to teach you how to spot scams on the internet, as well as spot malicious Facebook apps.

In fact, on the right side of this blog there's a ticker for malicious Facebook apps. The goal is, if you see it mentioned here, you won't add it on Facebook. You can also check whether an app is malicious by visiting this site.

I plan to have a simple way for you to submit apps for review for this list but for now, it's up to me.