Nov 03 2009

Take a look at a very sophisticated phishing attack that I almost stumbled into on Facebook. I included some screen shots so you can see how I was almost duped. Normally, my company shuts down all access to social media sites. However, I need it for all the business sites I run and, like most CEOs, I demand that an exception be made for me.

The larger issue here is that knowledge management, social media, collaboration, whatever we want to call it, is prevalent, and security teams need to know how to deal with it. This phishing attack slipped right through my spam filter, which is surprising because we use SonicWall, one of the best products on the market. I had my administrator whitelist Facebook; as a result, the advanced security we had invested in was bypassed.

Take a few moments to read through my comments below and the screen shots I produced. Let's get into the details:

I received three Facebook emails this morning from:
1. An Analyst Organization that I subscribe to and enjoy reading
2. My brother-in-law
3. Facebook Team ** (the evil one)

These 3 Facebook emails I received this morning looked valid and legitimate at first glance.

Since I had just reviewed a hack site to look at how hackers are exploiting Facebook vulnerabilities, I was tuned into the fact that this was an issue for Facebook and that they might try to fix it. I have included an interesting link to a video demonstration of how identities are hacked on Facebook: YouTube demonstration

When I received the Facebook Team email it really looked like an honest-to-goodness attempt by Facebook to secure their systems. What was disturbingly similar was that all three Facebook emails punched out to a login page that looked like this:


However, the main difference was that the hack site wanted you to download a 150k .exe file. What prompted me to pause was asking myself the question, “why would Facebook need a client applet to secure their site?”
The evil part is that after I downloaded the file and launched the page again, it didn’t prompt me to download the file a second time. This meant that the hack site knew I had downloaded the file and was prepared to move into silent mode.

I never executed the file; I know not to do this, but do your users? When I looked at the URL I could see the .EU extension, which made me question why a US company would use .EU.
Bad Facebook:
Good Facebook:
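The two checks described above (does the link really land on the brand's own domain, and does a "login page" try to hand you an executable?) can be codified. This is an added example, not code from the post; the domains and links are constructed, and the brand's allowed domain and the "US brand uses .com" rule are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: the only registrable domain Facebook mail should link to.
BRAND_DOMAINS = {"facebook.com"}

# Constructed sample links of the kind the post describes (not real indicators).
SAMPLE_LINKS = [
    "https://www.facebook.com/login.php",
    "http://facebook-security-team.eu/login.php",
    "http://facebook-security-team.eu/fbsecure.exe",
]


def registrable_domain(host):
    """Crude registrable domain: last two labels (no public-suffix list; assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(url, brand_domains=BRAND_DOMAINS, brand_keyword="facebook"):
    """Return the reasons a brand-themed link looks like phishing (empty list = nothing found)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    reg = registrable_domain(host)
    if reg not in brand_domains:
        reasons.append(f"host {host} is not one of {sorted(brand_domains)}")
        if brand_keyword in host:
            reasons.append(f"brand name '{brand_keyword}' used in a lookalike host")
        tld = reg.rsplit(".", 1)[-1]
        if tld != "com":  # assumption: a US brand's login page lives under .com
            reasons.append(f"unexpected TLD .{tld} for a US brand")
    # A login page never needs a client applet; flag executable downloads.
    if re.search(r"\.(exe|scr|bat|msi)$", parsed.path, re.IGNORECASE):
        reasons.append("link downloads an executable")
    return reasons


def triage(links):
    """Map each link to its findings so the suspicious ones stand out."""
    return {url: assess_link(url) for url in links}


if __name__ == "__main__":
    for url, findings in triage(SAMPLE_LINKS).items():
        print(url, "->", findings or "ok")
```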

I never needed McAfee running on my laptop because I didn’t click the downloaded executable that ended up on my machine, but I realized that security vulnerabilities with Twitter and Facebook are fast moving.

Network edge protection is certainly important, but client-side protection is equally important. Make sure untethered users not only have anti-virus / anti-malware protection turned on, but that it is auto-updating as well.

Facebook and Twitter are being used for business and personal use. The lines are blurring as to who needs access to them. Definitely measure ‘twice’ and cut ‘once’ when building social media security policy.
