Five new online security threats to avoid

Three of the five new threats target Facebook users.

I don't spend a lot of time on Facebook, so when I got an e-mail from the social networking site telling me "you haven't been back to Facebook recently" and here are some messages you missed, it didn't seem odd. I clicked on the link, wondering what one of my friends was doing.

Oops. I was a victim of a hacking technique called "clickjacking." If it hadn't been for security measures built into Firefox, I might have been in trouble, because rather than going to Facebook, I was headed for

That site might have simply been an ad for cut-rate Canadian pills, an annoying but harmless detour. But it also could have been a site loaded with malware, including rogue applications designed to steal key personal information from me and from people in my address book.

Facebook, with its hundreds of millions of users, has become the target of hackers, spammers, and just plain crooks. They're trying to lure you in via scam surveys, fake applications and poisoned links, according to a report by Sophos Security.

Unfortunately, Facebook is far from the only popular Web site being compromised these days. Amazon, the giant e-tailing site, inadvertently left a door open that hackers could use to steal your password and get access to your credit card info.

And no matter what you've read about those evil Russian hacker rings, it turns out no country is the origin of more cyber attacks than the United States, according to Akamai's quarterly "State of the Internet" report.

Here are five new threats, including three that target Facebook users:

1. Clickjacking: Sophos Security says this is one of the most common attacks hitting Facebook users. These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different. Often sharing or "liking" the content in question sends the attack out to contacts through news feeds and status updates, propagating the scam.

In my case, I'm a bit embarrassed to admit, I could have avoided the scam page by simply noticing that the sender address of the e-mail allegedly sent by Facebook was obviously phony. The lesson here is obvious: when you get an e-mail with a link, look at the return address. If it seems odd, delete it. Additionally, keep your browsers up to date; all are doing a better job of screening out dangerous stuff, and since they're free, why not take advantage of that protection?
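The overlay trick only works if the target page can be loaded inside a frame on the attacker's page, so the server-side defence is to tell browsers not to allow that. The following is an added example, not code from the article, Facebook or Firefox: it reads a page's HTTP response headers and decides whether a third-party origin may frame it, honouring X-Frame-Options and the CSP frame-ancestors directive (which takes precedence when both are present). The header sets and origins are constructed, and source matching is simplified to exact origins.

```python
# Added example (constructed; not from the article or any vendor): decide from a
# page's HTTP response headers whether another origin may embed it in an iframe.


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if a page served with these headers may be framed by framer_origin.

    CSP frame-ancestors wins over X-Frame-Options when both are present
    (CSP Level 2); X-Frame-Options is consulted only when CSP has no
    frame-ancestors directive. Neither header means anyone may frame the page.
    Source matching is simplified to exact origins plus 'self', 'none' and '*'.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    page, framer = page_origin.lower(), framer_origin.lower()
    ancestors = _csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if "none" in ancestors:
            return False
        if "*" in ancestors or ("self" in ancestors and framer == page):
            return True
        return framer in ancestors
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM "):
        return xfo[len("ALLOW-FROM "):].strip().lower() == framer
    return True  # no framing restriction at all: the page is clickjackable


# Constructed header sets for a hypothetical site https://social.example
NO_HEADERS = {"Content-Type": "text/html"}
XFO_DENY = {"X-Frame-Options": "DENY"}
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
CSP_OVERRIDES = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"}

if __name__ == "__main__":
    for name, h in [("no headers", NO_HEADERS), ("xfo deny", XFO_DENY), ("csp self", CSP_SELF)]:
        print(name, "frameable by evil.example:",
              framing_allowed(h, "https://social.example", "https://evil.example"))
```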

2. Fake surveys: This scam is related to clickjacking since it attempts to make you click on something dangerous via a misleading message. Typically, the scam starts with a provocative (sexual or otherwise) message. Here's one that Sophos highlighted recently: "OMG! Look What this Kid did to his School after being Expelled! After this 11 year old child was expelled from his school he went berserk." Well, that's intriguing.

However, you have to "like" the page and fill out a quick survey before reading the story. Whoops: you just gave scammers a commission for filling out the survey, and helped the scam spread by sending it to all your friends. The survey earns money for the scammers; they get a commission for every survey completed. And that's why they're spreading this message virally across Facebook.

3. Rogue applications: More perniciously, the fake survey can lead to rogue applications. Sometimes the applications will read your address book and send the fake surveys to everyone in it, hoping to make money. Other rogue applications can hijack data by installing keyloggers (programs that record and transmit your keystrokes) or other malware. Still others can turn your computer into a zombie used to broadcast malware for the bad guys.

4. Amazon vulnerability: A security flaw apparently allows the company's servers to accept passwords that are nearly - but not entirely - correct. Fortunately, the flaw only appears to affect older passwords.

The flaw lets Amazon accept as valid some passwords that have extra characters added on after the 8th character, and also makes the password case-insensitive. That flaw erases the advantage of a longer password, making passwords much easier to crack via software. This was first noticed by users over at reddit and has been picked up and verified by a number of reputable groups, including Wired.

It does appear that newer passwords are not affected, but it isn't clear what the date cutoff is. In any case, you can simply change your Amazon password. If you like, change it back to the same password; it will still be a new one as far as the server is concerned, and you'll be safe. Amazon has not responded to my query on this topic, or to anyone else's that I've seen.
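To make concrete why truncation and case-folding matter, here is an added example that models the behaviour described above beside a correct check. It is constructed for this article and is not Amazon's code (the article does not say how Amazon's check was implemented); PBKDF2, the salt and the letters-plus-digits alphabet used for the search-space estimate are assumptions for the demo.

```python
# Added example (constructed; not Amazon's code): a verifier that keeps only the
# first 8 characters and ignores case, beside one that checks the whole password.
import hashlib
import hmac
import math
import os

SALT = os.urandom(16)  # constructed per-user salt for this demo


def _derive(password: str) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hash the real system used.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def weak_normalize(password: str) -> str:
    """The flawed behaviour: drop everything after the 8th character, fold case."""
    return password[:8].lower()


def weak_enroll(password: str) -> bytes:
    return _derive(weak_normalize(password))


def weak_verify(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, _derive(weak_normalize(attempt)))


def strict_enroll(password: str) -> bytes:
    return _derive(password)


def strict_verify(stored: bytes, attempt: str) -> bool:
    return hmac.compare_digest(stored, _derive(attempt))


def search_space_bits(password: str, weak: bool) -> float:
    """Bits an attacker must brute-force, assuming letters and digits (62 symbols).
    Case-folding shrinks the alphabet to 36; truncation caps the length at 8."""
    if weak:
        return min(len(password), 8) * math.log2(36)
    return len(password) * math.log2(62)


if __name__ == "__main__":
    stored = weak_enroll("Secret12extra")
    print("weak accepts 'SECRET12':", weak_verify(stored, "SECRET12"))  # True
    print("weak accepts 'secret12WRONG':", weak_verify(stored, "secret12WRONG"))  # True
    print("strict accepts 'SECRET12':",
          strict_verify(strict_enroll("Secret12extra"), "SECRET12"))  # False
    print(f"search space: weak {search_space_bits('Secret12extra', True):.1f} bits, "
          f"strict {search_space_bits('Secret12extra', False):.1f} bits")
```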

5. Spearphishing: This is more likely to occur via regular e-mail, but you may also be hit by a spear through a Facebook or Twitter message. Spearphishing (or spear phishing) works like this: you'll get an e-mail or message that seems quite personal and may appear to be from a person or company with whom you normally communicate, but it will lead you to a poisoned site. Yes, this sounds like the "phishing" scams you've been warned about, in which you might get a message from your e-mail provider saying your inbox is full, or that you have to verify your identity, and so on. Spear phishing takes that a step further by adding personalized information to lull your suspicions.

"Phishing messages usually appear to come from a large and well-known company or Web site with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority," according to the Sophos Web site.

San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at

Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from on Twitter @CIOonline.
