Facebook attacks are rife again, with cybercriminals looking to lure trusting Facebook users to fake sites, via phishing emails, and obtain personal login data for their own financial gain.
Since the beginning of May, Symantec has observed a new wave of phishing attacks on Facebook users and it seems these attacks are set to continue with a current method of attack that targets a victim's Facebook account having been observed by Symantec this week.
Phishing attackers send a message to a victim's Facebook 'inbox', as well as an e-mail notification with the subject 'Hello' or 'Hi'. The e-mail appears to have come from the victim's friend and includes text asking the user to visit a malicious and fake Facebook login page, where the attacker will then steal the user's login credentials to launch future attacks.
If consumers want to avoid inadvertently sending malicious messages to their trusted circle of Facebook friends, Symantec offers some advice.
Always maintain a level of caution around any messages from within a web site or that appear to be sent by a web site. If a user clicks on a link, double-check the actual domain that is shown at the top of the page. It's best practice to type the direct Web address directly into your address bar rather than rely upon links from a message.
Use complex passwords and unique ones for each site. A few suggestions:
* Use a combination of uppercase and lowercase letters, symbols, and numbers;
* Make sure your passwords are at least eight characters long. The more characters your passwords contain, the more difficult they are to guess
* Try to make your passwords as meaningless and random as possible;
* Use different passwords for each account;
* Change your passwords regularly. Set up a routine, changing your passwords the first of each month or every other payday;
* Never write your passwords down, and never give them out – to anyone;
* Don't use names or numbers associated with you, such as a birth date or nickname;
* Don't use your user name or login name in any form;
* Don't use a derivative of your name, the name of a family member, or the name of a pet;
* Avoid using a solitary word in any language;
* Don't use the word password;
* Avoid using easily-obtained personal information. This includes license plate numbers, telephone numbers, social security numbers, your automobile's make or model, your street address, etc.
* Don't answer yes when prompted to save your password to a particular computer. Instead, rely on a strong password committed to memory or stored in a dependable password management program.
Symantec advises users to maintain an up-to-date browser and operating system. Use security software, such as Norton Internet Security 2009. Check out web safety services such as Norton Safe Web where a community of web users collaborate to report dangerous phishing and malware sites.
And, users chould double check that they've arrived at their destination. When clicking over to Facebook (or any site) make a habit of looking at what appears in the address line. You might not always be able to spot a fake site but in the case of this particular scam, it's obviously not www.facebook.com.
Users must always be suspicious of requests to enter their account name and password.