Facebook Attacks X's and O's

If the Internet is <a href="http://www.forbes.com/forbes/2010/0301/rebuilding-paller-america-internet-give-me-your-hackers.html">God's gift to espionage</a>, Facebook is like a cruel joke. And it appears the latest Facebook fix is in, an attack referred to by experts as social engineering.


Most if not all of us who reside on Facebook join what are called "fan pages." Fan pages come in many forms and are meant to exhibit devotion to a particular brand, person, sports team, musician or political stance. Fan pages can be posted for just about anything. For example, if you're part of a company looking to increase its social media presence, you can build a fan page. In fact, Facebook recently increased the use of fan pages by linking people's listed activities, interests, music, books, movies and television preferences directly to fan pages. So even if you have never visited a fan page on your own, declaring your allegiance to any particular interest now links you to, and effectively promotes, that fan page.

Attackers, meanwhile, are crafting new attacks that use or abuse various interfaces on Facebook, according to our friends at the Internet Storm Center, which uncovered one of the latest attacks this week. The way this attack works is that the fan page promises to reveal "The Truth" about text messaging. I'm still not entirely sure what it's supposed to mean, but people are buying in. There's a small link that reads "Become a Fan to see the TRUTH!" Once a person navigates to the link, a special screen appears that reveals a bunch of obfuscated JavaScript, which the user is asked to copy and paste into a browser address bar. If I came across this, I would hope to be smart enough to realize it's an attack. But the problem is many people who use Facebook don't associate it with the dangers they might with traditional Web surfing. Put simply, they believe Facebook is a safer medium. I have news for them: It's not.

If a user pastes the malicious JavaScript into the browser's address bar, it runs with the user's own Facebook session: the attacker's script modifies the page's HTML, selects the person's contacts and invites all of his or her friends to the group, so that the malicious page continues to get passed along. While this particular attack didn't have malicious code appended to the back end, others just might. And because these attacks have the ability to get very big in a very short period of time, future attacks could be devastating. In fact, word's been floating around that the "TRUTH" fan page had more than 100,000 fans before it got shut down.
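The core of the attack described above is that a `javascript:` URL pasted into the address bar executes in the page's context, with the victim's session. A defender (a browser extension author, a site owner handling paste events, or a moderator scanning posted text) can flag strings that look like such "copy and paste this" payloads before a user runs them. The following heuristic classifier is an added example written for this post, not code from the original article or from Facebook or the Internet Storm Center; the function names `hasJavascriptScheme` and `classifyPaste`, the marker list and the scoring thresholds are my own choices, and every sample input is constructed for illustration.

```javascript
// Added example: heuristic detector for "paste this into your address bar"
// self-XSS payloads. Defensive use only (paste handlers, moderation tooling).
// Function names, markers and thresholds are assumptions, not a standard.

// Browsers tolerate leading whitespace, control characters and mixed case in
// the URL scheme, so strip those before testing for "javascript:".
function hasJavascriptScheme(text) {
  const cleaned = text.replace(/[\s\u0000-\u001f]+/g, "").toLowerCase();
  return cleaned.startsWith("javascript:");
}

// Constructs frequently seen in obfuscated copy-paste payloads. Each hit adds
// one point; none of these is malicious on its own, which is why the verdict
// is "warn" for a single hit rather than "block".
const OBFUSCATION_MARKERS = [
  /\beval\s*\(/i,
  /\bunescape\s*\(/i,
  /String\.fromCharCode/i,
  /\\x[0-9a-f]{2}/i,      // hex-escaped characters
  /%[0-9a-f]{2}/i,        // URL-encoded characters
  /document\.write\s*\(/i,
  /\.innerHTML\s*=/i,
];

// Returns a structured verdict so callers can log the reasons, not just the result.
function classifyPaste(text) {
  const markers = OBFUSCATION_MARKERS.filter((re) => re.test(text)).map((re) => re.source);
  const javascriptScheme = hasJavascriptScheme(text);

  let score = markers.length;
  if (javascriptScheme) score += 2; // a javascript: URL is the strongest signal

  // Long single-line blobs with almost no whitespace are typical of packed code.
  const whitespace = (text.match(/\s/g) || []).length;
  if (text.length > 200 && whitespace / text.length < 0.05) score += 1;

  let verdict = "allow";
  if (score >= 2) verdict = "block";
  else if (score === 1) verdict = "warn";

  return { javascriptScheme, markers, score, verdict };
}

// Constructed samples: a normal link, a plain script fragment, and a
// placeholder payload shaped like the address-bar trick (no real payload).
const SAMPLES = [
  "https://example.com/fanpage",
  "document.write('hello')",
  "  JaVaScRiPt:eval(unescape('%2f%2a placeholder %2a%2f'))",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    const r = classifyPaste(s);
    console.log(`${r.verdict.padEnd(5)} score=${r.score} ${JSON.stringify(s)}`);
  }
}
```

In a paste handler the natural action is to refuse or warn on a `block` verdict and explain why; modern browsers independently strip the `javascript:` prefix when a URL is pasted into the address bar, which is the same idea applied at the browser layer.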

Let this be a lesson for Facebook safety.