Facebook users are being urged to be wary about what Facebook applications they accept and what links they click as cyber criminals increasingly target the popular social networking site.
In the past week, several new variants of the Koobface worm, which targets Facebook users, and a number of "rogue applications" have been reported on the site, the internet security firm Trend Micro reported.
As of Tuesday afternoon, Facebook had not returned interview requests from CBCNews.ca.
However, both Trend Micro and Facebook are urging people to take care when they use the site, which contains reams of valuable personal information about the site's 175 million users, including, in some cases, their birthdate, their favourite movies and photos from their latest vacation. Criminals gain access to that information by stealing a user's Facebook login using malicious code such as worms or rogue applications.
Facebook's current popularity makes it increasingly attractive to criminals, said Jamz Yaneza, threat researcher at Trend Micro.
"You will normally target the biggest animal on the block," he said. "I personally think they are targeting Facebook more."
He said attacks in the past had been targeted at sites such as MySpace that were more popular at the time, but attacks on Facebook began gaining six months ago.
"It's ramped up from then," he said, adding that the attacks have increased in number, types and sophistication.
On Facebook, users can install applications that allow them to play videos or online games, send each other "gifts" or share reviews of movies, books and music. Such applications can be made by programmers using a set of tools supplied by Facebook.
No mandatory screening for apps
Recently, including over the weekend, malicious applications pretending to be warnings from Facebook have cropped up on the site.
For example, one says a friend has reported them for violating Facebook's terms of service and urges them to ask Facebook to look into what has happened by clicking on a link. If the user does so, he provides the application with access to his profile. However, Facebook has said that no application, legitimate or rogue, can ever gain access to sensitive information such as a user's contact information.
Yaneza acknowledged that Facebook dealt with the latest rogue application quickly. He added that the site recently began a program to verify the safety of applications.
"The problem is it's opt in," he said.
Facebook's development tools will be open to abuse until the site requires all application developers to take part, he added.
"I think that's what needs to be done," Yaneza said.
Even if screening begins, it won't stop worms like Koobface, which masquerades as someone on the user's contact list and sends an email asking them to click on a link to a video or other content. That brings the user to an external site, where the user inadvertently downloads the worm. The program sends saved login information for Facebook and other social networking sites from the user's browser to another site, allowing the site to log in as the user.
Facebook posts descriptions of threats
Facebook keeps a page with security tips for users. It is constantly updated with descriptions of threats, as well as information about what to do if an account has been compromised. On Monday, the site posted a new photo of a third type of threat — sites that pretend to be Facebook and lure users into entering login information.
Both Trend Micro and Facebook say the number of Facebook users affected by such security issues is small at the moment, but both have provided tips to help users keep their profiles safe.
Here are some of their suggestions:
- Be judicious about installing applications. David Perry, global director of education for Trend Micro, said the safest is not to install any. "I don't throw snowballs... I don't have an aquarium. I don't do any of those things."
- When you do install an app, check its reputation first. Check Facebook's application list and scan the reviews, said Yaneza. "Read before you install. Look before you leap."
- If a link or message seems weird, don't click on it. If it seems to be from a friend, let them know, as someone may be pretending to be them, Facebook says.
- Make sure information you post on Facebook isn't something that could be used to verify your identity. Perry said users should be careful what they reveal in a popular Facebook game in which they share 25 random facts about themselves with their friends. "Don't give away your mother's maiden name or your pet's name or anything you would use as a personal question," he said, adding those are becoming increasingly valuable.
- Add a security question to your account. That way, you can prove your identity to Facebook if your account gets stolen, the site says.
- Report spam or abuse you see on discussion boards and walls. Facebook provides links that allow you to report such problems.
- Watch out for sites that imitate Facebook. Don't enter your password unless you're sure you're entering it on the real Facebook site.
- Guard your password. Don't use the same password on Facebook that you use on other sites, and don't share the password with anyone.
- Don't use Facebook? Create a profile anyway. That will help discourage other people from masquerading as you, Yaneza said.