Sms Phishing Targets Facebook Users

Discussion in 'Computers and The Internet' started by raysun, Aug 27, 2014.

  1. raysun

    raysun D4N73_666 4861786f72

    Messages:
    931
    Likes Received:
    10
  2. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    Doesn't surprise me one bit, people have always been after user credentials.

    Something like Facebook is just one place where a lot of people hang out and have no idea what they're really doing on their keyboards .... reusing those credentials on other sites .. Plus phishing a Facebook account already gives one a TON of data if the person uses all of their real info .. which, correct me if I'm wrong (I don't use Facebook), but FB is pushing toward having users enter more credible information and verifying it and all that.

    Facebook is huge in the game of big data
     
  3. raysun

    raysun D4N73_666 4861786f72

    Messages:
    931
    Likes Received:
    10
    @AceK
    "Facebook is huge in the game of big data"
    Indeed that is true; they do targeted profiling of user behaviour, among other things.
     
  4. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    People must probably trust an SMS message, since they "don't usually see that", even though it's just as easy to spoof one and turn an auto-mailer script onto a list of mobile numbers, and a "fake SMS" is probably even harder to verify the legitimacy of than a "fake email".

    I got a PayPal phishing email the other day. I forwarded it to spoof@paypal.com. It appeared very legitimate, but it seemed like someone had reverse engineered the PayPal API app interface to do the logging in, along with not using SSL. Really gotta be careful what information you give out, and to whom and where you give it out.

    The MAIL FROM part of an email is set by the client when it's sent; it really has nothing to do with where it actually originated from, more of a return address type feature. Phone calls and SMS are much the same. There are quite a few really old RFCs that describe the format of email messages.

    Here's RFC 2822; there are older RFCs describing this, but I think this one describes it pretty well (I'm in a hurry): http://www.rfc-editor.org/rfc/rfc2822.txt.
    Also see RFC 822.
     
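    AceK's point above, that the sender-visible address and the envelope MAIL FROM are both chosen by whoever sends the mail, is exactly what a defender checks against the relay-added Received trail. The following is an added example, not code from anyone in this thread; the message is constructed (RFC 5737 addresses and example domains), and the function names are my own.

    ```python
    import email
    import re
    from email.utils import parseaddr

    # Constructed sample message (not a real capture): the visible From: claims one
    # domain, the envelope Return-Path is another, and the relay trail shows where
    # the message really entered the mail system.
    RAW_MESSAGE = """Return-Path: <bounces@mailer-example.test>
    Received: from mx.mailer-example.test (mx.mailer-example.test [192.0.2.10])
        by inbound.example.net with ESMTP id abc123; Wed, 27 Aug 2014 10:00:02 +0000
    Received: from [198.51.100.23] (unknown [198.51.100.23])
        by mx.mailer-example.test with ESMTPA; Wed, 27 Aug 2014 09:59:58 +0000
    From: "Payments Support" <support@bank.example>
    To: victim@example.net
    Subject: Your account needs attention

    Please log in at the link below to restore access.
    """

    RECEIVED_FROM = re.compile(r"^from\s+(\S+)")


    def domain_of(addr: str) -> str:
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


    def origin_report(raw: str) -> dict:
        """Compare the sender-controlled addresses with the relay-added Received trail."""
        msg = email.message_from_string(raw)
        from_header = parseaddr(msg.get("From", ""))[1]
        return_path = parseaddr(msg.get("Return-Path", ""))[1]
        hops = []
        # Each relay prepends its own Received: header, so the last one in the
        # list is the earliest hop, i.e. the host that actually injected the mail.
        for hdr in reversed(msg.get_all("Received", [])):
            unfolded = " ".join(hdr.split())
            m = RECEIVED_FROM.match(unfolded)
            hops.append(m.group(1) if m else "<unparsed>")
        return {
            "from_header": from_header,
            "return_path": return_path,
            "hops": hops,
            "sender_mismatch": domain_of(from_header) != domain_of(return_path),
        }


    if __name__ == "__main__":
        for key, value in origin_report(RAW_MESSAGE).items():
            print(f"{key}: {value}")
    ```

    A mismatch between From: and Return-Path is a signal, not proof (legitimate bulk mailers differ too), and only the Received headers added by hosts you trust are reliable; anything below them was written by the sender.
    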
  5. ultravio1et

    ultravio1et Members

    Messages:
    49
    Likes Received:
    5
    You can permanently safeguard against these types of attacks: go into your settings and click on 'deactivate account'.... done :)
     
    1 person likes this.
  6. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    Here's a book I've thought might be a good buy:
    http://www.amazon.com/Privacy-Age-Big-Data-Recognizing/dp/1442225459

    It's called "Privacy in the Age of Big Data". This is indeed that age .. big data .. big BIG data.

    I like this advice, Facebook is crap for the most part IMO. I think if more people actually read their TOS before clicking "I agree" they might see this for closer to what it really is. And that's a problem, people are conditioned to NEVER EVER READ A TOS AGREEMENT .. you're signing away your right to privacy, and don't even know what you're agreeing to!! WAKE THE FUCK UP PPL!

    Interestingly enough, their TOS is not *that* cryptic either (at least when I read it back in .. idk, 2010 or so) .. it's pretty fuckin clear that their main source of revenue IS YOUR DATA.
     
  7. Tyrsonswood

    Tyrsonswood Senior Moment Lifetime Supporter

    Messages:
    34,218
    Likes Received:
    26,293
    And everything you had on that account remains... It's Facebook property. All of it.
     
  8. ultravio1et

    ultravio1et Members

    Messages:
    49
    Likes Received:
    5
    Just delete everything first.
     
  9. ultravio1et

    ultravio1et Members

    Messages:
    49
    Likes Received:
    5
    You need to watch a documentary called 'Terms and Conditions May Apply'. Scary stuff.
     
    1 person likes this.
  10. Tyrsonswood

    Tyrsonswood Senior Moment Lifetime Supporter

    Messages:
    34,218
    Likes Received:
    26,293
    They don't allow that anymore...
     
  11. ultravio1et

    ultravio1et Members

    Messages:
    49
    Likes Received:
    5
    That is crazy!

    Glad I'm not on it.

    Can't you do it piece by piece?
     
  12. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    Probably, but what good would it do? With the type of data mining they do I'm sure they track the changes to profiles just as much, if not more, than the information originally given when you first made the account.

    I wouldn't really worry about it too much. People worry so much about this type of thing (and really it comes down to general principles, kind of) but don't really think about other entities like utility companies, and other such services where information is given out and the internet isn't involved. I'll just hint at the fact that there are very concerning flaws in the way a lot of companies authorize a person to make changes to an account over the phone, and exactly what information links an account. Just next time you're on the phone with one of these companies, pay attention to how their system works. I may have talked to the risk operations department one time about something like this (I'm not gonna name the company) and they assured me that it's in fact not a security risk at all, and at the same time explained how the accounts work (facepalm) and why it's not a security risk ... but IT IS. Maybe not absolutely directly, but definitely a privacy risk, and with privacy risks come security risks.. It works like that. Sometimes I'm curious and find out things; I'm sure there are other curious people that have devious intentions. Social engineering and that type of thing ..

    But yes, piece by piece you can obtain information .. but you gotta have at least one or two pieces to start with, then the rest is only a matter of time if someone is determined.
     
  13. TheGhost

    TheGhost Auuhhhhmm ...

    Messages:
    4,487
    Likes Received:
    649
    I would. People post so much private information on Facebook it's like an exhibitionist convention.

    Social engineering is only one of the things that come to mind.
     
  14. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    Yeah, I would definitely worry about that. I was more referring to the fact that you can't really delete the account. That I wouldn't lose sleep over; nothing you could do about it anyway. What people can change, though, is their behavior NOW, and be more careful. But really, if you post a bunch of private information online anywhere, and then someone puts a few pieces together and you get screwed over for that reason, then it's not really FB's fault in that case. Maybe FB is a catalyst, but there's another issue, and it's poor privacy practices.

    I really can say no more about Facebook specifically as a service right now as I'm not a user of that service, and am not sure exactly how the site works today. I remember how it used to work though, and phishing was incredibly easy. Phishing isn't that difficult anyway in general; banks and such use various forms of phishing protection like 2 factor authentication, but one of the things that makes Facebook so easy and also a great phishing target for criminals is that it's not a bank account or anything like that, so people don't tend to take it as seriously as they would, say, logging into a bank account. Ironically though, it's probably easier for the criminal to phish your Facebook account for exactly this reason, and then just use the information they can obtain that way to get access to your bank account, or at least a dozen steps closer to that goal. I remember the Facebook apps; a lot of those are dangerous too to your privacy, because anyone can make them and get actual private messages and things even.

    I do actually think Facebook is probably more secure today than it was years ago, maybe harder to impersonate accounts, at least I would hope. Of course this requires that you enter even more information, probably, in order to verify the legitimacy of the rest of it. Not exactly a win-win situation.
     
  15. TheGhost

    TheGhost Auuhhhhmm ...

    Messages:
    4,487
    Likes Received:
    649
    Sure. People are stupid. Nothing you can do about that. Remember Anthony "The Wiener Guy" Weiner?

    And let's not get started with the iCloud mess last week.

    Sure, 2-step verification goes in the right direction (Apple just announced that), but in any case there are very few things you can't hack. These days 12-year-olds break into government servers. I think everyone needs to take a step back and breathe calmly for a day or two and think about this.
    Adobe is offering cloud services where professional digital artists store their work online, work that is worth thousands of dollars, maybe hundreds of thousands in some cases.

    You know what would happen to the guy who shot Brad & Angelina's wedding if he stored the images in the cloud and his account got hacked? Mr. & Mrs. Smith's lawyers would cut his balls off.

    I work with digital images, video, web design. My working computer does not connect to the internet. Ever.
     
  16. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    TheGhost:
    I agree with everything you're saying here. Anything can be beaten by someone determined enough. 2-FA can be VERY secure though, some types more than others, if it's used correctly. 2-FA codes are based on cryptography and are only valid for a short period of time or one use.

    People in general need to become more aware, I think, of how an attack may be carried out; that way they avoid making themselves an easy target. I know my wireless network isn't infallible. Even with no SSID broadcast, MAC address whitelisting and generally the most secure I believe this particular box can be configured, it could be done. Sure, you can still find the network, because there are only 12 channels and if you listen on all channels you will see the activity, and then know that it exists, and use tools like airodump-ng, and then spoof the MAC of an authenticated device after they de-auth it. But here's how I see it: there are about 50 or so other networks in the same area, most of them probably with the default configuration or maybe even less secure configs, so which do you pick? Do you take the easy road, or the hard road?

    One of the first steps in planning any type of "hacking" type security exploitation is to obtain some information, and then craft it based around that. In the wifi network example that would be SSIDs, channel numbers, ESSIDs, MAC addresses .. So in this case these are the type of things you want to obfuscate. Without this information you really can't hack it, so the best way to keep things as secure as possible is to not have anything obviously exploitable, and if you discover it, fix it if possible, and of course, don't leak more information than necessary to more people or other hosts that don't need this information. Using multiple layers of security helps too; make it as difficult as possible.

    You trade security for convenience, in most cases. One type of 2 factor auth I believe to be highly secure is the paper codes method: a list of paper codes is generated cryptographically and printed on paper, each of which is only good for one use, and they must be used in the correct order or they are invalid. This way the keys are completely offline from any networks and one would need physical access.
     
  17. TheGhost

    TheGhost Auuhhhhmm ...

    Messages:
    4,487
    Likes Received:
    649
    Most people want to trade convenience for security though.
     
  18. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    You really gotta wonder whether some of these people are just ignorant of the risk, don't take it seriously, or are just too lazy to be bothered with security.

    An expired or "untrusted" SSL certificate is a lot better than no SSL certificate; too bad the implementation in browsers sucks, which makes it seem to most that it's the other way around. I do understand it though: if a banking website is not using a "trusted" valid certificate then well... it's probably not really the real bank's website ;) The certificate "itself" isn't the issue but who's using it, the way I understand it. Login forms should use SSL though.

    .. And yes, I'm subtly hinting at something with that last paragraph ;)
     
  19. TheGhost

    TheGhost Auuhhhhmm ...

    Messages:
    4,487
    Likes Received:
    649
    Both. Most people are actually very ignorant about how computers and the internet work. I certainly don't have the detailed knowledge that you do for example but I can imagine things quite easily. Operating systems are becoming more complex under the hood and slick and polished up top. Most things are automated. You don't even have to open, say, Outlook anymore to find out if you have mail. Now you have notifications.

    Computers needed to become easier so they could sell them to more people. And internet access is now required if you want to buy software from the App Store, for example. And of course you need a credit card for that. And if you can't remember all your passwords, don't worry.

    There's an app for that.
     
  20. AceK

    AceK Scientia Potentia Est

    Messages:
    7,824
    Likes Received:
    958
    There are "good" hackers and "bad" hackers. The good hackers are the ones that get paid to test software and hopefully find that 0day exploit before anyone else, so that some other hackers can develop a patch to fix it and hopefully release it as an update as soon as possible ;)

    This is why running old versions of software is in most cases not the best idea; eventually these exploits get discovered by the wrong people and released into the wild, and then that certain version becomes a target.

    I've never been a fan of cloud stuff either, for the most part. I usually don't see a need for every piece of information on every device I own to get synced to every other device and have that many copies of certain things. What happens when your iPad gets stolen? The PIN that you can set is only good for very casual use; all that has to be done is put the iDevice into recovery mode, which does wipe some apps and stuff, but you can easily sync them back from the cloud ;)
     