Fortinet Blog | News and Threat Research


Mission Facebook: Three Attack Weapons

by RSS Stefanie Hoffman  |  June 15, 2012  |  Category: Industry Trends & News

When Facebook broke all records with its $100 billion IPO, security experts wondered if the news would make it an even bigger target for hackers.

But let’s face it, with the world’s largest social network climbing toward a billion users—around one seventh of the global population—it’s a pretty safe bet that it was already wearing a big red X on its back.

According to popularity service Alexa.com, Facebook is the second most visited site, after Google and before YouTube, putting it prominently in the line of fire for cybercriminals.

And as such, malware authors, script kiddies and other miscreants have a variety of tricks up their sleeves when going after Facebook. Here are just a few examples, provided by Karine de Ponteves, Fortinet antivirus analyst for the EMEA threat response team.

CSRF Attacks: As with other applications, cybercriminals exploit a wide variety of vulnerabilities hidden on the social networking site, including CSRF (Cross-Site Request Forgery, aka one-click attack), a type of Web exploit in which the site’s authentication is abused so that commands chosen by an unauthorized party are transmitted as if they came from the legitimate, logged-in user.

During a CSRF attack, cybercriminals trick the user’s browser into sending requests to the targeted Website: the browser reuses the authentication it already holds for that site (such as a session cookie), and the attacker directs it to links that perform actions.

“It is important to mention that CSRF attacks are considered ‘a shot in the dark,’ since the attacking Website can’t see or analyze the response of the target Website… until recently,” de Ponteves said.

XSS Exploits: True to form, cybercriminals will undoubtedly leverage any kind of cross-site scripting flaw in popular Websites in order to execute attacks. Unlike a CSRF attack, a cross-site scripting vulnerability lets attackers take control of the interaction between a user and a Website by exploiting the trust the user has in the legitimacy of that site, de Ponteves said.

Specifically, XSS is a special form of code injection: the Internet browser executes the injected malicious script on the victim’s computer once they open an infected page or click on a malicious link.

When executed on social networks, the malicious code can be designed to propagate itself across multiple accounts, becoming a worm that requires little interaction from the victim, de Ponteves maintained.

Once an exploit is fully launched, the bad guys have the green light to do just about anything they want on a victim’s machine. Some of the more insidious shenanigans include sending a private message to all of the victim’s friends to ensure attack proliferation, publishing private messages on the victim’s wall, making the victim’s profile visible to anyone, or erasing all of their status updates and photos.
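The rendering mistake that lets a stored status update become a self-propagating script, shown beside the output encoding that closes it. This is an added example, not code from the original post or from Fortinet; the renderStatus functions, escapeHtml, hasRawScriptTag and the sample status text are all constructed for the demo.

```javascript
// Added example (not from the original post): rendering user-supplied text
// into a profile page with and without HTML output encoding.

// Encode the five characters that can change HTML structure or attribute
// boundaries. This is the correct encoding for HTML element content; attribute,
// URL and JavaScript contexts each need their own encoder.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the status text is interpolated straight into markup, so any
// tag inside it is parsed and executed by every friend's browser that views it.
function renderStatusVulnerable(status) {
  return `<div class="status">${status}</div>`;
}

// Hardened: the same text is encoded first, so the browser displays the
// characters instead of interpreting them.
function renderStatusHardened(status) {
  return `<div class="status">${escapeHtml(status)}</div>`;
}

// Demo-only check: does the rendered markup still contain a raw script tag?
function hasRawScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample: a status update carrying the classic test payload.
const SAMPLE_STATUS = "Look at this photo! <script>alert(1)</script>";

function demo() {
  return {
    vulnerable: renderStatusVulnerable(SAMPLE_STATUS),
    hardened: renderStatusHardened(SAMPLE_STATUS),
    vulnerableHasScript: hasRawScriptTag(renderStatusVulnerable(SAMPLE_STATUS)), // true
    hardenedHasScript: hasRawScriptTag(renderStatusHardened(SAMPLE_STATUS)),     // false
  };
}

console.log(demo());
```

Encoding at output time, per context, is what prevents a stored payload from running in other users’ sessions; filtering on input is not a substitute, because the same text may be rendered in several contexts and the filter can be bypassed by encodings the filter did not anticipate.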

Social Engineering: Finally, social engineering scams tend to round out an attacker’s bag of tricks. In general, these scams take full advantage of viral distribution, especially after a high profile event garners world news headlines, such as the deaths of Osama bin Laden and Steve Jobs.

Social engineering ploys are particularly successful on social networking sites, in part because they leverage the inherent trust that users have in their Facebook “friends.” Many times the scams will appear to come from someone the victim knows—or even someone on their friends list—and subsequently reel them in with offers to view “exclusive” photographs or “rare” video footage, de Ponteves said.

“Of course, the images or videos are fake and lure the victim into installing malware on their computer. It will also infect their Facebook profile and post messages on behalf of the victim.”

And once attackers access the victim’s profile, they pretty much have carte blanche to steal personal information for identity theft schemes or commit some other kind of click-jacking fraud.

So, given that many of the world’s Internet users are on Facebook, what can they do to protect themselves from encountering any one of these kinds of attacks? While it might seem users are at the mercy of whatever is thrown their way, there are a few best practices they can apply in order to reduce the chance of falling prey to an attack on Facebook or any other social networking site, according to de Ponteves.

·   When installing an application, pay attention to the information the application wants to access.

·   Requests for password or credit card information, especially unsolicited requests, should set off alarm bells. Research before you plunge.

·   Be very wary of links that lead to applications or external Websites.

·   Pop-up messages that advise users to download or install an additional application could indicate the presence of malware.

·   Google is your friend: typing the name of a video into Google or YouTube can help users determine whether that application or link is connected to a scam.

·   Avoid using permissive browsers.

·   Disable scripting in the browser.

Tags: Alexa.com cross-site scripting attack CSRF facebook social engineering XSS