Thursday, March 31, 2011

Scammed and I didn't even realize it.

I normally don't get scammed, heck this blog is mostly about internet scams. I have to give credit to the people who created this one.

Alright so here's how things went down.
One of my friends got one of those apps that creates a picture and then tags every one of your friends in the photo. Well, the app is fake, sort of: it creates a real picture and really posts it. The issue, however, is that the app itself posts a link in your news feed, supposedly to the photo. It even shows a thumbnail of the photo and says "you were tagged in such and such's photo". The link goes to this web address: http://apps.facebook.com/lancashiregrqbo/ I didn't make this a link because it's not safe. DO NOT GO TO THAT ADDRESS.
This same scam app posts
The web address is to an app on Facebook, which quickly breaks out of its iframe on Facebook and redirects you a few times, causing you to give it permission to post to your wall as well as other permissions, resulting in one of the worst viral apps there is.

I don't know the full extent of what it does, except that it's a viral phishing scam that spreads rapidly and undetected by most users, but I've gotten more information that it shows up in multiple forms.

If you see any of the following, avoid clicking on them and also report it to your infected friend.

The app also mimics the "Fun in your name" Facebook app, pretending to create those photos and placing "click here to see the photo" sort of links in your feed, thus spreading it to your friends.


I'd post how to solve the issue after you've already fallen for it, but unfortunately the only thing I know you can do is remove the message that it posts on your wall immediately after clicking the link. I couldn't find it as an installed app; it's an exploit. Unfortunately, if you gave them any information after clicking the link, you can't delete it off their system. (I fell for this exploit but didn't fall for the phishing scam.)

Thursday, March 24, 2011

"hacking" vs h4cking vs hacking

This is something I've always found irritating. Y'know when a friend leaves his Facebook on and his friend goes and posts something stupid as his status? People nowadays refer to that as hacking. When some jerk literally just guesses your password or finds where you wrote it down and uses it, people refer to it as hacking.

When people are playing video games and someone does something outside the rules of the game, such as teleporting when the game doesn't allow it, people generally refer to it as hacking. Honestly though, the truest meaning of hacking is what the programmer did making the scripts so that the A-hats who want to cheat can cheat. This misuse of the term hacking I'm fine with, because actual hacking did occur down the line.

The situation I mentioned of a person simply guessing someone else's password is not hacking unless that person actually broke into a database or system where that password was located, OR if they used a program/made a program to automatically figure out the password. That is simply called password stealing or account stealing. Throwing the term hacking out there doesn't make you sound cool, it makes you sound retarded.

Now that that's out of the way, hacking isn't always a bad thing. For example: Pwn2Own is basically a hackers' convention/contest. The goal of the event is for companies to submit their products with a prize and have hackers compete to hack the product. Why would a company want people to do this? The answer is simple. If these hackers find a new vulnerability in the software, the company will be able to patch that hole in their security before bad hackers get their hands on it. There are several types of hackers, but the most common two names we use for hackers are white hat hackers and black hat hackers. White hat hackers are generally good hackers; they generally use their skills in order to help fix security issues in all sorts of software.
These guys are very skilled and can work their way into almost any network or system quickly and virtually undetected. These are the guys who generally go to Pwn2Own for competitions, earning around 15-50 grand for each exploit they uncover. Black hat hackers are the bad guys you generally think of when you hear the term hacker. They create viruses, worms, trojans, malware, all that fun stuff. They steal bank account info, and if they want to hurt someone and do it badly, they can use the internet to destroy the person. Black hat hackers are just as smart as white hat hackers; the only difference is their morals.

Also, to answer a quick question I hear a lot: "Why do hackers create viruses?" Black hat hackers create malware like viruses and worms as a bragging thing, really. Many black hat hackers are very egotistical. People often think of hackers as complete geeks who never get out of the house. That may be true in some cases, but hackers generally have the urge to show off their skills and try to one-up each other. It's like with sports, only not very mature.


Thank you for reading I hope I've taught you a little something.


White = good hackers
black = bad hackers

Don't think you'll forget that tidbit of info.

Best Friend Detector/BFF finder/Who are your best friends?

This is a fairly new trend in apps. What this app does is claim that if you use it, it will attempt to identify your best friends. Now right off the bat you know it's not going to be accurate, because they can't read your mind. But most of these apps are actually viral apps that don't do anything more than pull a random number of friends from your list of friends and spit them out, claiming them as your best friends.

The "good" best friend apps are ones that actually take wall posts and other things into account. Unfortunately though most of them don't.

So.... they're sort of fake apps.... they're poor quality.

So why would I post about em since again everyone knows they're not psychic?
Because these apps tend to ask for ridiculous permissions from you, such as access to your email and access to your friends' information (beyond just their names and profile pics). They ask for your non-basic information, the right to post on your wall, and the ability to access your data without you being logged in. These apps shouldn't need as much as they ask for. All they should need is your basic information, which includes friend names and their profile photos. Some request access to view your wall. That's a reasonable request, because some of them actually use your wall data to weigh who your better friends are, to make them more accurate than just random guesses. Still, don't expect much out of them.

tl;dr: Best Friend apps tend to ask for ridiculous permissions. Check em before you install.

Wednesday, March 23, 2011

You give apps a lot of power over your information and your friends and you probably don't even realize it



When you install an app to your Facebook account, do you read over the permissions that app asks for?

If you're like most users you instinctively click allow without reading what the app wants.
The above is an example permissions page. Many apps nowadays request permission to post to your wall, some request permission to view posts on your wall, and some request permission to access your profile information at any time of their choosing. Some request access to your friends' information.

What you don't realize is that not only did you just give a company or person all of your personal information, photos, videos, and access to your profile's wall (which your friends and apps have posted to), but you also gave them access to your friends' profiles. You gave them access to post messages on your behalf.

You gave all of that away for free.
Just for an app where you get to have your own little virtual cafe where every type of food you make shockingly takes more than a few hours to make causing you to come back to facebook every day just to make sure you cook this virtual food to your virtual customers for your virtual currency which you can spend to make more virtual food for your virtual customers.
So does that mean you can't install tons of fun, cool apps and games? Not at all. Here's what you need to do. Think about what is necessary for the game to run.
Generally, games ask for permission to view who your friends are and your basic personal information (gender, name, etc.). Facebook throws all of that under "Basic Information".
Why do games want to know who your friends are? Easy, that way they can get you to invite your friends so they can "help" you in the game. It's also common for games to request permission to post to your wall. Unless you really want ads to be posted on your wall, I suggest either not adding this app or as soon as you install it disable the posting to wall feature.

tl;dr: Lesson: Read the permissions you give apps before you install them. Otherwise you're probably giving them more than you realize.

Thanks for reading! :)

Facebook Dislike button scam

This one's pretty old but it still comes back every now and again so I feel it's important to put out there.
Facebook has a like button but no Dislike button. Many people including myself think a dislike button would be cool and kinda funny too. Unfortunately Facebook didn't create one because they felt that the dislike button would be abused and used at bad times. Here are some fake examples of when the dislike button would be used causing many upset people.
My Mom just found out she no longer has cancer - dislike
Just got a new dog - dislike
We have a new addition to the family today, a new baby BOY!!! - dislike

Scammers took advantage of the fact that many people wanted a dislike button on Facebook. They started creating groups, pages, and even apps that would say "like this" to get access to the dislike button.
All of these are fake; liking their pages won't enable anything except supporting the scam.

Now, even though I just said that these are a scam, there is actually one way you can have your dislike button legitimately.

The only way to have a dislike button without Facebook creating one is to use a browser extension, Greasemonkey script or add-on.

There is a catch though. Only people with the same add-on as you can see your dislikes. This is due to the fact that the dislikes are stored on the add-on creator's servers and not the Facebook servers.
Here is a link to the Mozilla Firefox Dislike button add-on:
https://addons.mozilla.org/en-us/firefox/addon/facebook-dislike/.
 
 

See who looks at your profile/how many times has your profile been viewed?

There has been a scam around lately where supposedly if you added an app it would let you view who looks at your Facebook profile.

Some apps even claim if you add their app you can see how many times your profile has been viewed.

These are complete scams. The only one who could tell you that information is Facebook. Why? Because the code required to count, as well as see, who's looking at your profile has to be on your profile since its creation. That code is not there. Before Facebook revamped their profile pages again, you used to see thousands of apps with crap all over your page. Those apps still could not identify which friends visited your page. They could, however, count how many page visits you got, though they were incredibly inaccurate. Facebook no longer has that same system, though. No apps can count how many friends view your profile or which ones are doing it.

These scams are usually survey scams and are viral, they tend to post messages to your wall without you knowing.

Girl killed herself, after her dad posted this to her wall -scam app

This is probably the worst of all of the Facebook scams I've seen. You may have actually seen this one floating around Fbook yourself. Basically the app uses phrases like "Girl killed herself, after her dad posted this to her wall". The app posts sentences like that to users' walls in hopes of getting someone to click the link. Once you click the link there are a few things that will happen: they will try to trick you into liking their page, get you to fill out a survey (it earns them money), collect your personal information, as well as exploit Facebook Connect. One friend I've seen has had the malicious exploit send messages to all of his friends. Now all of his friends have the same problem. You can fix this issue, however.
One of the Facebook pages it tries to get you to "like"

If you or a friend fell prey to this scam, you can fix the problem. Unfortunately though, if you gave them your personal info, they will still have it (there is no way to change that). This video provided by Sophos will teach you how to fix the issue.

Welcome to Safebook

I'm just getting going but I think this site will help many many people. The focus of this blog is security on the web. Facebook is one site I plan to talk about a lot, seeing how every week I see a new scam show up on Facebook. I plan to teach you how to spot scams on the internet, as well as spot malicious Facebook apps.

In fact, on the right side of this blog there's a ticker for malicious Facebook apps. The goal is, if you see it mentioned here, you won't add it on Facebook. You can also check whether an app is malicious by visiting this site.

I plan to have a simple way for you to submit apps for review for this list but for now, it's up to me.