Welcome to Apple iCloud phishing attacks

August 27, 2011 by  
Filed under Security News

When a Naked Security reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.

 

The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.

 

Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).

 

Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.

 


Subject:

Welcome to iCLOUD

Message body:

Important information for MobileMe members.

Dear MobileMe member,

Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.

Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.

Click here to update iCLOUD

Sincerely,

The Apple store Team

 

If you do click on the link in the email, however, you are not taken to an official Apple website, but instead to a third-party site that is trying hard to present itself in an Apple style.

 


 

Yes, it’s a phishing website.

 

And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.

 

Crumbs! Imagine the harm a fraudster could cause with all that information.

 

Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.

 

By Graham Cluley @ nakedsecurity.sophos.com


Facebook changes privacy settings for millions of users – facial recognition is enabled

June 9, 2011 by  
Filed under Security News

When Facebook revealed last year it was introducing facial recognition technology to help users tag their friends in photographs, they gave the functionality to North American users only.

 

Most of the rest of us found the option in our privacy settings was “not yet available”, which meant we could neither enable nor disable it. We simply had to wait until Facebook decided to roll it out to our account.

 

Well, now might be a good time to check your Facebook privacy settings as many Facebook users are reporting that the site has enabled the option in the last few days without giving users any notice.

 

There are billions of photographs on Facebook’s servers. As your Facebook friends upload their albums, Facebook will try to determine if any of the pictures look like you. And if they find what they believe to be a match, they may well urge one of your Facebook friends to tag it with your name.

 

The tagging is still done by your friends, not by Facebook, but rather creepily Facebook is now pushing your friends to go ahead and tag you.

 

Remember, Facebook does not give you any right to pre-approve tags. Instead the onus is on you to untag yourself in any photo a friend has tagged you in. After the fact.

 

If this is something you’re uncomfortable with, disable “Suggest photos of me to friends” now.

 

Here’s how you do it.

 

* Go to your Facebook account’s privacy settings.
* Click on “Customise settings”.
* Under “Things others share” you should see an option titled “Suggest photos of me to friends. When photos look like me, suggest my name”.
* Unfortunately, at this point you can’t tell whether Facebook has enabled the setting or not; you have to dig deeper.
* Click on “Edit settings”.
* If Facebook has enabled auto-suggestion of photo tags you will find the option says “Enabled”.
* Change it to “Disabled” if you don’t want Facebook to work that way.
* Press “OK”.

 

Earlier this year, Sophos wrote an open letter to Facebook. Amongst other things, we asked for “privacy by default” – meaning that there should be no more sharing of information without users’ express agreement (OPT-IN).

 

Unfortunately, once again, Facebook seems to be sharing personal information by default. Many people feel distinctly uncomfortable about a site like Facebook learning what they look like, and using that information without their permission.

 

Most Facebook users still don’t know how to set their privacy options safely, finding the whole system confusing. It’s even harder though to keep control when Facebook changes the settings without your knowledge.

 

Facebook users should not have to “opt out” of the facial recognition feature; instead, it should be something they choose to “opt in” to.

 

Yet again, it feels like Facebook is eroding the online privacy of its users by stealth.

 

If you are on Facebook and want to keep yourself informed about the latest news from the world of internet security and privacy you could do a lot worse than join the Sophos Facebook page where we regularly discuss these issues and best practice.

 

You should also take some time to read our step-by-step advice on how best to configure your Facebook privacy settings.

 

 

By Graham Cluley @ http://nakedsecurity.sophos.com/

 


Facebook flaw allowed websites to steal users’ personal data without consent

February 2, 2011 by  
Filed under Security News

A couple of weeks ago two students conducting security research contacted me about a vulnerability which they believed they had found with Facebook.

 

Rui Wang and Zhou Li said that they had found a vulnerability which allowed malicious websites to access a Facebook user’s private data without permission. According to Rui and Zhou, it was possible for any website to impersonate other sites which had been authorised to access users’ data such as name, gender and date of birth.

 

Furthermore, the researchers found a way to publish content on the visiting users’ Facebook wall (under the guise of legitimate websites) – a potential way to spread malware and phishing attacks.

 


Rogue Facebook apps can now access your home address and mobile phone number

January 16, 2011 by  
Filed under Security News

In a move that could herald a new level of danger for Facebook users, third party application developers are now able to access your home address and mobile phone number.

 

Facebook has announced that developers of Facebook apps can now gather personal contact information from their users.

 


I realise that Facebook users will only be allowing apps to access this personal information if they “allow” the app to do so, but there are just too many attacks happening on a daily basis which trick users into doing precisely this.

 

Facebook is already plagued by rogue applications that post spam links to users’ walls, and point users to survey scams that earn them commission – and even sometimes trick users into handing over their cellphone numbers to sign them up for a premium rate service.

 

Now, shady app developers will find it easier than ever before to gather even more personal information from users.

 

You have to ask yourself – is Facebook putting the safety of its 500+ million users as a top priority with this move?

 

Wouldn’t it be better if only app developers who had been approved by Facebook were allowed to gather this information? Or – should the information be necessary for the application – wouldn’t it be more acceptable for the app to request it from users, specifically, rather than automatically grabbing it?

 

It won’t take long for scammers to take advantage of this new facility.

 

My advice to you is simple: Remove your home address and mobile phone number from your Facebook profile now. While you’re at it, go through our step-by-step guide for how to make your Facebook profile more private.

 

By Graham Cluley @ nakedsecurity.sophos.com