Phishers harvest Facebook passwords for profit
Identity thieves that hit Facebook last week with a new round of phishing attacks are harvesting passwords for profit, a security researcher said today.
"It's not surprising that they're targeting Facebook," said Kevin Haley, a director on Symantec's security response team. "Facebook has, what, 200 million-plus users? The bad guys always go where there's a lot of people."
The newest Facebook attacks resemble previous phishing rounds in their tactics: A compromised account sends a malicious link to friends. That link leads to a site that mimics the legitimate log-in page. But users duped into entering their usernames and passwords are likely giving away more than just their Facebook credentials, said Haley.
"Certainly this isn't new," he said, "but we think that what you're seeing is an attempt to shake out every last dollar they can get."
The criminals are operating on the assumption that the Facebook password they acquire from any given user has a good chance of being the same password that person uses on other sites, such as online shopping services or even bank accounts.
"Get one password for the right person and it's like having their wallet handed over," Symantec researcher Marian Merritt said on Friday in a post to Symantec's security response blog.
Although Symantec has no statistics on the percentage of users who rely on just a single password for multiple online services or activities -- Haley called the evidence "anecdotal" -- it's an assumption that both criminals and researchers make. "When you talk to users, that's what they tell you they do," he said.
Facebook has acknowledged the attack, and said it has reset passwords of compromised accounts and eliminated the phishing messages when it has found them.
"It's not like this is some great new virus technology," Haley said, noting that the newest attacks are unlike worm-based attempts to infect Facebook accounts with the Koobface worm. This is a straight con job. "Cons have been known from the beginning of time," Haley continued. "But now we're seeing them coming a little faster and more furious."
Multiplicity, Complexity, Motivation
You should never use the same password for multiple sites or accounts. Make the passwords all as different and as complex as you can. It is also definitely an excellent idea to change your passwords often, no matter how much of a bother it seems to be to do so.