Facebook: Beware of getting mugged by a friend


Being on Facebook reminds me of the time I was headbutted by a sailor in the kitchen at a friend's party. Really.

I was a student, among student friends. And we were doing student things (I think I was trying on nail varnish. It was a long time ago; the mind plays tricks.)

Suddenly I noticed that I was talking to three men who were clearly not students. (I think the navy uniforms, anchor tattoos and absence of Flock of Seagulls haircuts gave them away.) Somehow my nail varnish-wearing friends had disappeared into another room.

These guys were clearly gatecrashers, but hey, I didn't mind, right up until one of them jerked his head forward until it met my aquiline nose. Lots of blood.

So what has this got to do with Facebook? Well, apart from those three men not being among my Facebook buddies, ever, not a lot. But my point is this: Our guard is down on Facebook because we're among friends. But that won't necessarily stop you getting mugged.

You'll know, possibly, what I'm talking about if this has happened to you: If you've received a message from a friend via Facebook -- usually via the chat feature, so it appears at the bottom of your browser window -- suggesting that they've escaped debt through some service or other. In the message is a link which they invite you to click on:

"Hey! this really works! I am completely debt free thanks to this website!", a Facebook friend will supposedly message you. I've had at least two of my Facebook buddies infected in this way. Both of them rich as houses and not known for using exclamation marks.

This may sound familiar; a few months back I wrote about a slightly similar scam taking place on Facebook but this approach is different, and illustrates how bad guys can come at you from different directions.

Here's how it works, and how to protect yourself.

First off, I should point out that we don't always know exactly how these scams operate. The good guys try to figure it out, but usually a bit late, and so don't be too alarmed if you can't figure out yourself how these things happen.

They're like card tricks. They work well once or twice. But then everyone figures out how they work and the tricksters have to find a new ploy.

So, bad guy tries to get spyware onto a victim's computer. This could be done any number of ways -- via an infected website, a trojan that climbs through the computer's defenses inside an email attachment, say.

Once aboard, these bits of spyware do a number of things. Remember: Bad guys, these days, aren't just pranksters. They're in it for the money, so they've got several goals. And probably several paymasters.

One objective is to infect as many computers as possible. The more computers that they can get access to -- what are called zombies -- then the more spam they can send, say, or the more attacks they can launch on other users.

Another thing they want is passwords. So the bad guy will install a piece of software that will see what the user is typing and then note anything that looks like a user name and a password. A clue might be, for example, if the user visits a banking website.

But banks are getting smarter. They're issuing these little keychain dongles that pump out six-digit passwords. Bad guys don't like these, because the number keeps changing. So unless they can get the dongle they're not in luck.

Which is why the bad guys are turning to places like Facebook. Facebook passwords are easier to grab, because there's no dongle.

The other good thing about Facebook -- from a bad guy's point of view -- is that it's a trusted environment. If I receive an email from someone I might be a bit suspicious if I don't know the person, and am unlikely to click on any link inside it unless I do.

Likewise, email is now pretty carefully patrolled by virus blockers and by filters for spam -- which accounts for maybe 90 percent of all email traffic these days. So email isn't such a useful vector -- a means of distribution -- for bad guys these days.

But Facebook is. If a bad guy can get into someone's Facebook account he can send stuff to all the people in that person's address book -- while pretending to be that person. So not only can he get lots of useful information about people, but he can also impersonate a trusted friend.

This makes Facebook a surprisingly dangerous environment. It's like that party I mentioned at the beginning. When you're among friends you let your guard down. You think everyone's your friend. Until the digital equivalent of a headbutt.

So how do we avoid this?

Well, first off, if you get a message from someone that looks suspicious, don't click on the link. Send the person an email -- not via Facebook -- to inform them their account has been compromised.

If you think your account has been compromised, then you need to do a number of things (thanks to Graham Cluley of UK-based Internet security company Sophos for guidance on this): Change your password immediately.

Then change all your other passwords. They may have been compromised too. If you're doing online banking and you don't have one of those digital tokens or another extra layer of security beyond a password, you need to alert your bank and change your passwords.

Then run a virus scanner on your computer. Your computer may be (probably is) infected.

Run a trojan remover to make sure. I'd recommend this one: http://is.gd/76vN

Remember: if you get any messages saying there's possibly an infection, you need to back up all your data and consider reinstalling all your software. If in doubt, consult a specialist.

Oh yes, and be wary about allowing unknown sailors into your party. Especially if you're wearing nail varnish.

(c) Loose Wire 2008

Jeremy Wagstaff is a commentator on technology and appears regularly on the BBC World Service. He can be found online at jeremywagstaff.com or via email at jeremy@loose-wire.com.
