Posted tagged ‘myspace’

The Quiet Attack

February 4, 2011

One of the most troubling things about clickjacking attacks isn’t that they can activate your computer’s video camera, or that they can trick you into buying items that you don’t want, or even that they spread themselves by posting unauthorized updates to your Facebook wall. The biggest concern is that clickjacking can do all of these things without setting off any alarms. It is a quiet sort of attack that you might never notice.

When that happens, individuals can become repeat victims without realizing. A person who doesn’t know he or she is being victimized will never do anything about the problem. They don’t even know that a problem exists.

What can you do, then, to protect yourself from clickjacking attacks? After all, you might figure, anything that can bypass your antivirus software is probably going to fool you every time.

Not necessarily.

Antivirus software focuses on detecting problems within programs. If someone were to hide a virus in, for instance, a screen saver, then your antivirus software would probably find it. Clickjacking, however, occurs within a web browser. It doesn’t usually involve programs that infiltrate your computer.

That means you can potentially spot problems that your antivirus software doesn’t even look for.

Pay closer attention to your Facebook wall, or Myspace profile, and look for posts that you did not authorize. Also, look for applications that you did not ask for. If you find them, then delete them from your profile.

Checking your credit card and PayPal accounts will also help you stop clickjacking attacks shortly after they occur. If you notice unauthorized charges, then contact your bank, or PayPal, to report the problem. That way you can stop payment before the hackers receive any money from you.

Top Five Internet Security Misconceptions

November 19, 2010

Just a couple days ago, Kindsight, a company that focuses on issues such as identity theft, published a blog post explaining the top five internet security misconceptions that they have found amongst casual internet users. One of those misconceptions is that “Facebook is safe enough; no need to worry.”

Apparently, those people don’t read this blog, or the countless others discussing security issues spread through social networking sites.

To a large extent, Facebook itself is fairly safe. But it is used to push people towards compromised content. This is most often accomplished with clickjacking attacks. When hackers make clickjacking attacks, they often publicize the sites by posting the URLs on Facebook, Myspace, and other popular social networking sites. They usually include a statement that will entice the average user into following the link. Popular topics focus on busty girls and Justin Bieber, although I’m pretty sure that there is a connection there.

When users follow the tempting link, they are taken to a page that has invisible elements. Click on the page, and you’ve just launched a potentially malicious piece of software that can infect your computer.

Facebook’s safety was listed as the number five misconception. The others include,

  1. Internet users are safe from identity theft as long as they don’t shop online
  2. Anti-virus protection means internet users are safe
  3. Using secure websites means that you will never encounter security problems
  4. Hacked websites are easy to identify and avoid

Unfortunately, none of these statements are true. You can read the entire article, and view video clips, at the Kindsight Blog.

Making Facebook more secure and fun

October 26, 2010

Facebook isn’t a whole lot of fun when you’re constantly worried about likejacked links that could endanger your computer’s security. Until recently, though, there hasn’t been a whole lot that Facebook members could do to avoid clickjacked links on Facebook. The best strategies were to pay attention and pray.

As Facebook and other social networking sites have become more dangerous to casual computer users, security organizations have looked for ways to stop clickjackers from stealing the fun from the internet. BitDefender, though, recently released software that can make Facebook safer and more fun.

The app is called SafeGo. It has been specifically designed to protect Facebook users from clickjacking attacks. When you use SafeGo, it alerts you to potential security problems and highlights compromised links. It even manages to make computer security lighthearted and fun. When you install the SafeGo app, it asks you to take a brief quiz designed to estimate your security risk. Most of the questions, however, are outlandish. If you are a fan of the surreal, then you’ll enjoy taking the quiz.

After completing the quiz, SafeGo will show you compromised links from your friends. This gives you the opportunity to alert your friends about the security risks.

In order to take advantage of BitDefender’s new application, you are going to have to trust the company a bit. The SafeGo app needs access to your computer that you typically wouldn’t give most programs. So far, there aren’t any reports of the company misusing the security pass, but there is always the chance that they, or someone with access to their information, could use SafeGo to bypass your security efforts for nefarious purposes. Chances are that you will be safe. Still, you should always know that there is a potential risk.

Many internet users still unaware of clickjacking

October 19, 2010

Despite the risk that clickjacking poses for just about everyone who uses the internet, it would seem that some people are still unaware of what it is and what type of threat it poses. That’s the only explanation I have for continued news coverage referring to likejacked pages as the “newest” threat online.

I check Google’s news results for clickjacking every few days, and I’m constantly surprised by news reporters who continue to write about this issue as if it’s a brand new problem. Sure, the popularity of social networking sites has led to a larger number of clickjacked sites than we had a couple years ago, but the threat hasn’t suddenly appeared out of nowhere.

What’s the big deal, you might wonder, with reporters showing up a little late in the game? After all, the information is there for anyone who wants to find it.

That’s true, but clickjacking and ignorance are linked. If we ignore what this scam does, then we become patsies perpetuating the problem by sharing clickjacked links. Also, an ignorant group of people doesn’t know what types of security options to demand from websites like Facebook and Myspace. These sites aren’t going to drastically alter their approach to security because a few specialists complain. They’ll only make real changes when the vast majority of their users start to ask why the sites aren’t doing more to protect them.

Obviously there are a lot of internet users who don’t know much, or anything, about the threat of clickjacking. And obviously it’s a good thing that reporters are telling these people to watch out. But it’s a shame that so many reporters have ignored the issue up to this point. The very fact that we still need articles about clickjacking is disturbing because it shows how far away we are from solving this problem and alerting the average computer user.

Spreading distrust throughout the virtual land

September 7, 2010

How pervasive are clickjacks on Facebook?

You probably hear about people who have fallen for stupid clickjacking attacks. Certainly you would never fall for them though. Don’t be so certain.

Clickjacking that occurs on social networking sites intentionally takes advantage of the trust we give our friends. You assume that your best friends are intelligent people who would never fall for a ridiculous scheme. The problem is that everyone thinks this. Yet there are still lots of successful clickjacking attacks.

Obviously, we need to rethink our idea of trust when it comes to socializing on the internet.

We extend trust to online friends just as we do in real life. Say, for instance, you’re out at a club and you ask a friend to watch your drink while you go to the restroom. Hopefully you can trust that person to make sure that no one takes your drink, or slips something into it.

Imagine, however, if your friend put that same trust in another person, who put that trust in someone else, and so on and so on.

Eventually, one of those people is going to fail big time. They might mean to, or they might not. It’s hard to say. The end result, however, is that you come back from the restroom only to find that everyone in the club has been drugged with roofies. They can’t make wise decisions, and they can’t seem to keep their mouths shut about how awesome the drinks are.

This is essentially the scenario that we see at social networking sites. It’s a bunch of people who may or may not have control over themselves telling you that you absolutely have to follow their advice. Whether you decide to drink the punch isn’t just your decision, though. Once you’ve imbibed, you’re going to turn around and do the exact same thing to your friends.

A complete lack of control: that’s the reality of clickjacking and that’s why you have to remain distrustful of everything you encounter on Myspace, Facebook, and other networking sites.

Clickjacking without the click

May 25, 2010

Demonstrations debuted at this year’s Black Hat Europe conference in Barcelona, Spain have revealed that clickjacking techniques don’t necessarily have to rely on mouse clicks to trick victims into participating in unknown activities. Instead, new clickjacking attacks focus on Java’s drag and drop capabilities. This allows clickjack attackers to steal information from text forms.

Even though these new clickjacking techniques don’t rely on mouse clicks, they still use invisible iFrames to trick internet users. In these instances, however, the invisible frames are placed on top of blank text forms. When a user fills out the form, they are contributing information unknowingly in another frame that they cannot see.

Drag and drop functions even make it possible for clickjacking attacks to steal information from entire sessions, not just individual forms. This presents a serious information security threat to both individuals and organizations who have private passwords, account numbers, and other bits of information that could help criminals commit theft or fraud.

Most recently updated web browsers can prevent invisible frames, but they rely on the website sending the X-Frame-Options: DENY response header. Websites that don’t send this header, therefore, don’t offer protection from next generation clickjacking attacks.

Large sites like Facebook and Myspace have committed themselves to including frame-busting tags and other security techniques to protect users. The mobile versions of these sites, however, do not usually offer as much protection as the Web versions, so users should be careful when using mobile devices to access their accounts.
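
A way to check which of a site's versions actually send the anti-framing header discussed above, as an added example that is not part of the original post. It also reads the newer Content-Security-Policy `frame-ancestors` directive, which goes beyond what the post covers; the host names and header sets are constructed samples.

```javascript
// Added example. Header sets are constructed samples on reserved .test names.
function framingProtection(headers) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // Where a browser supports CSP frame-ancestors, it overrides X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== 'frame-ancestors') continue;
    // An empty source list is equivalent to 'none'.
    if (sources.length === 0 || sources.join(' ') === "'none'") return 'blocked';
    if (sources.join(' ') === "'self'") return 'same-origin-only';
    return sources.includes('*') ? 'framable' : 'restricted-list';
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin-only';
  // Header missing or value unrecognised (e.g. the obsolete ALLOW-FROM):
  // current browsers ignore it and render the page inside the frame.
  return 'framable';
}

// Assumed scenario: desktop site sends the header, mobile site does not.
const samples = {
  'www.example.test': { 'X-FRAME-OPTIONS': 'DENY' },
  'm.example.test': { 'Content-Type': 'text/html; charset=utf-8' },
  'app.example.test': {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'",
  },
};

// Return the hosts whose responses leave the page framable by any origin.
function unprotectedHosts(sites) {
  return Object.entries(sites)
    .filter(([, headers]) => framingProtection(headers) === 'framable')
    .map(([host]) => host);
}

console.log(unprotectedHosts(samples));
```
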

You can read a summary of Paul Stone’s Next Generation Clickjacking demo at blackhat.com.

The Basics of Clickjacking

March 11, 2010

Clickjacking is a method that cybercriminals often use to trick internet users into revealing confidential information by creating transparent web pages over those that look legitimate.

Clickjacking, as it was coined by Robert Hansen and Jeremiah Grossman of BlackHat Security, is also known as UI redressing. Even though it did not receive its popular name until 2008, web browser vendors have known about the problem since about 2002.

The Clickjacking Technique

Clickjacking takes advantage of a common vulnerability in many web browsers that allows programmers to embed code that tricks the user into believing that an object on the page performs one task when it really does something completely different.

It’s a rather sophisticated technique, and many web browsers are still acutely susceptible to methods used by tech-savvy clickjackers.

Common Clickjacking Examples

An innovative web designer with coding experience can use clickjacking techniques in a variety of ways. Any clickable object on the page can, theoretically, become hijacked by cybercriminals.

Some of the most common examples of clickjacking include:

  • Redirecting links away from their intended targets.
  • Buttons that sign individuals up to follow Twitter accounts without their knowledge.
  • Tricking members of social networking sites like Facebook and Myspace to reveal their login information.

Learning about Clickjacking Threats

This blog will follow the continued efforts of web browser vendors to combat clickjacking in an attempt to educate internet users about the threats that clickjacking poses. I will also offer information about the latest clickjacking techniques that cybercriminals use to trick us into doing things without our knowledge.

Clickjacking is a serious problem that continues to plague the internet even as browsers search for ways to prevent cybercriminals from using the technique.

This blog will also provide everyone with a place to discuss their experiences with clickjacking. Thousands of people have fallen victim to this fraud. I admit that even I have had some experience as a clickjacking victim myself. As we delve into specific instances of clickjacking, I think that all of us will learn important lessons that will offer improved online protection.