Customer loyalty cards: Permission to get creepy?

These loyalty cards save me a lot of money, but there's a dark side to them.

Like many other people, I keep loyalty cards to my favorite stores on my key ring. They save me a metric pantload of money, but I ran into the darker side the other day.

I got a phone call from the New Orleans-based Reily food company telling me that a chili mix I bought at such-and-such a store has been recalled. Seems it has traces of peanuts and/or almonds and can bring me a nasty allergic reaction.

Ooo-eee-ooo.

Then I went shopping and saw another warning on my sales slip from that grocery store. I later checked and I still have that chili mix on hand waiting for my kitchen magic. No mention of peanuts in the ingredients. Reily Foods said in a statement that at least one of the spices the company gets from a third-party supplier contains undeclared nut allergens. Undeclared meaning, it was thrown in there without telling them.

I understand the peanut risk. I have a few friends who have this allergy, and I guess a reaction can be fatal. I don’t have that problem, so I’m going to use the chili mix anyway. I appreciate the fact the grocer and food manufacturer are looking out for me.

But still … how do they know?

Ahh, yes. That loyalty card.

Basically, when you get one of those cards you give the store permission to track your purchases and tailor their advertising to your known buying patterns in exchange for deep discounts. That’s nice. I like deep discounts, and I like getting dollars-off coupons for products I actually use.

I shop for Dad and myself, and the receipt will tell me how much I’ve saved on my purchases by using the card: Usually around $20 for a purchase of a little less than $100. Not half bad.

But let’s flip this on its head, shall we? If I opt out of the loyalty program, I give the store permission to overcharge me by about $20. That’s the story once you strip away the gee-whiz you’re-saving-money verbiage.

Tracking, tracking everywhere!

But the tracking part is interesting. Of course you can forget about privacy in the Internet age. Somebody, somewhere sees every Website you visit, every Google search and every purchase you make.

None of this is new. Casinos have been tracking customers for years, again via a loyalty card. You get all sorts of swag, comps and maybe some bonus payouts when you win. The casino then knows how much you bet, how much you lose and which games are your favorites. Get right down to it, the casino knows way too much about you.

As if the phone call wasn't enough ... I appreciate it, but it still creeps me out.

Amazon’s like that too. I love Amazon. They’re my #1 publisher (which gets me a monthly royalty from them), and I buy a lot from that company. Of course I’m gonna get targeted advertising based on what I’ve purchased. That’s just plain smart marketing even if it is creepy.

Noted whistleblower Edward Snowden recently aired his Amazon fears via video link at a Cato Institute symposium. Here’s a highlight:

“Wherever you’re at, wherever that jurisdiction is, they can see what books you’re looking at. This is morally irresponsible, and as a business it’s problematic to allow this to continue when we know for a fact that they have the capability to provide for secure communications because as soon as you go to purchase that book, as soon as money’s involved, they turn it over to encryption.”

Got that? According to a story in The Passive Voice, Amazon encrypts the really vital stuff like your credit card numbers. But your searches are in plain text, readable by anyone.

Okay. I sound like one of those off-the-road paranoid conspiracy types, a candidate for increased medication and maybe one of those canvas blazers with wraparound arms. But bear with me as I offer some evidence:


Tres creepy, no?

Now, let’s get back to customer loyalty cards. This extracted information is good for the company. The consumer (hopefully) knows it’s a trade for lower prices or some good swag. But does the information stay in-house? That’s where things get messy. There’s just no guarantee.

How do you know that customer list or mailing list you’re on doesn’t get sold to someone else? How do you know a real bad criminal organization, like say, the federal government, won’t get its hands on the data?

All it takes is a little suspicion and a subpoena for Big Brother to peek at your buying/searching habits. And that’s if everything is done above board. What guarantee is there that Uncle Sam observes even these rules?

So what’s a guy to do?

I’m torn. I like the savings and bonuses that come with a loyalty card. Long as I don’t go out of my head when buying — like case lots of whatever it is that they use to make bombs or street drugs — I’m probably all right. Right now the only really telling information one can get from my buying habits is my raging addiction to Cafe Bustelo coffee.

But to live a totally invasion-free life I’ll have to throw my computer out the window, get bound books at a used bookstore, pay cash for everything, stay off all public streets, communicate via carrier pigeon and/or tin cans with string, pay the higher price at the grocery store and wrap my head in tinfoil before going out.

Welcome to the modern world. Dont’cha love it?

###

Scam alert: If you get an email from the IRS, it’s not them

If you get a note from the IRS (Eternal Revenue Service), it’s usually not a good thing unless it comes with a check. But if you get an email from the IRS, you should really pay attention. It might not be them.

I got a strange one in my email box the other day, and it was a genuine head-scratcher:

* * *

Gmail Team mail-noreply@google.com
Jun 2 (5 days ago) 

to me

The message “Your Federal tax report #ID9837” from Internal Revenue Service (customer.service@irs.gov) contained a virus or a suspicious attachment. It was therefore not fetched from your account editor@ericpulsifer.com and has been left on the server.

If you wish to write to Internal, just hit reply and send Internal a message.
Thanks,

The Gmail Team

* * *

OK. Here’s the deal. Whoever it was sent it to my business email address, which hasn’t existed very long. See, all my emails feed directly into my gmail box, making it easier to keep track of stuff and handle all my addresses without having to log in and out and in and out. Email addresses are cheap.

Anyway, I went to my business email box:

* * *

Your Federal tax report #ID***7
From : “Internal Revenue Service” <customer.service@irs.gov>
To :
editor@ericpulsifer.com
Received :

06-02-2012 10:18 PM

Tax Refund,

The analysis of the last annual calculations of your fiscal activity has indicated that
you are entitled to receive a tax refund of $382.34
Please submit a request of the tax refund and a processing of the request will take 7-14 days.
A tax refund can be delayed by different reasons.
For instance submission of invalid records or sending after the deadline.

Please find the form of your tax refund attached and fill out it and send a report.

Yours sincerely,
Internal Revenue Service.

* * *

That’s the email, and it’s pure horse dung. I didn’t even bother to open the attachment. But as far as phishing/information mining/scamming goes, it’s an oldie but goodie.

Here’s what I got from the Internet Crime Complaint Center:

* * *

Intelligence Note
Prepared by the Internet Crime Complaint Center (IC3)
December 1, 2005

E-mail disguised as the Internal Revenue Service (IRS) phishing for personal information

The FBI has become aware of a spam email claiming the recipient is eligible to receive a tax refund for $571.94. The email purports to be from tax-returns@irs.gov with the subject line of “IRS Tax Refund.” A link is provided in the email to access a form required to be completed in order to receive the refund. The link appears to connect to the true IRS website. However, the recipient is redirected to http://www.porterfam.org/2005/, where personal data, including credit card information, is captured.

This e-mail is a hoax. Do not follow the provided link.

Be cautious when responding to requests or special offers delivered through unsolicited email: Guard your personal information as well as your account information carefully. Keep a list of all your credit cards and account information along with the card issuer’s contact information. If your monthly statement looks suspicious or you lose your card(s), contact the issuer immediately.

If you have received this, or a similar hoax, please file a complaint at www.IC3.gov.

* * *

Looking a little further, I checked from the jackass’ mouth itself, going straight to the IRS website. I pasted it directly in here, so it may look funky.

The upshot is, they’re not going to use email or social media to contact you:

* * *

The IRS does not initiate contact with taxpayers by email or any social media tools to request personal or financial information

What is phishing?
Phishing is a scam typically carried out by unsolicited email and/or websites that pose as legitimate sites and lure unsuspecting victims to provide personal and financial information. 

All unsolicited email claiming to be from either the IRS or any other IRS-related components such as the Office of Professional Responsibility or EFTPS, should be reported to phishing@irs.gov.

However, if you have experienced monetary losses due to an IRS-related incident please file a complaint with the Federal Trade Commission through their Complaint Assistant to make that information available to investigators.

What to do if you receive a suspicious IRS-related communication

If: You receive an email claiming to be from the IRS that contains a request for personal information …
Then:
  1. Do not reply.
  2. Do not open any attachments. Attachments may contain malicious code that will infect your computer.
  3. Do not click on any links. If you clicked on links in a suspicious email or phishing website and entered confidential information, visit our identity protection page.
  4. Forward the email as-is, to us at phishing@irs.gov.
  5. After you forward the email and/or header information to us, delete the original email message you received.

Note: Please forward the full original email to us at phishing@irs.gov. Do not forward scanned images of printed emails as that strips the email of valuable information only available in the electronic copy.

If: You discover a website on the Internet that claims to be the IRS but you suspect it is bogus …
Then: Send the URL of the suspicious site to phishing@irs.gov. Please add in the subject line of the email, ‘Suspicious website’.

If: You receive a phone call or paper letter via mail from an individual claiming to be the IRS but you suspect they are not an IRS employee …
Then:

Phone call:
  1. Ask for a call back number and employee badge number.
  2. Contact the IRS to determine if the caller is an IRS employee with a legitimate need to contact you.
  3. If you determine the person calling you is an IRS employee with a legitimate need to contact you, call them back.

Letter or notice via paper mail:
  1. Contact the IRS to determine if the mail is a legitimate IRS letter.
  2. If it is a legitimate IRS letter, reply if needed.

If caller or party that sent the paper letter is not legitimate, contact the Treasury Inspector General for Tax Administration at 1.800.366.4484.

If: You receive an unsolicited e-mail or fax, involving a stock or share purchase … and you are a U.S. citizen located in the United States or its territories or a U.S. citizen living abroad.
Then:
  1. Complete the appropriate complaint form with the U.S. Securities and Exchange Commission.
  2. Forward email to phishing@irs.gov. Please add in the subject line of the email, ‘Stock’.
  3. If you are a victim of monetary or identity theft, you may submit a complaint through the FTC Complaint Assistant.

If: … and you are not a U.S. citizen and reside outside the United States.
Then:
  1. Complete the appropriate complaint form with the U.S. Securities and Exchange Commission.
  2. Contact your securities regulator and file a complaint.
  3. Forward email to phishing@irs.gov. Please add in the subject line of the e-mail, ‘Stock’.
  4. If you are a victim of monetary or identity theft, you may report your complaint to econsumer.gov.

If: You receive an unsolicited fax (such as Form W8-BEN) claiming to be from the IRS, requesting personal information …
Then: Contact the IRS to determine if the fax is from the IRS.
  • If you learn the fax is not from the IRS, please send us the information via email at phishing@irs.gov. In the subject line of the email, please type the word ‘FAX’.

If: You have a tax-related question …
Then: Note: Do not submit tax-related questions to phishing@irs.gov. If you have a tax-related question, unrelated to phishing or identity theft, please contact the IRS.

How to identify phishing email scams claiming to be from the IRS and bogus IRS websites

The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.

The IRS does not …
… request detailed personal information through email.
… send any communication requesting your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

What to do if you receive a suspicious email message that does not claim to be from the IRS

If: You receive a suspicious phishing email not claiming to be from the IRS …
Then: Forward the email as-is to reportphishing@antiphishing.org.

If: You receive an email you suspect contains malicious code or a malicious attachment and you HAVE clicked on the link or downloaded the attachment …
Then: Visit OnGuardOnline.gov to learn what to do if you suspect you have malware on your computer.

If: You receive an email you suspect contains malicious code or a malicious attachment and you HAVE NOT clicked on the link or downloaded the attachment …
Then: Forward the email to your Internet Service Provider’s abuse department and/or to spam@uce.gov.

* * *

If you’re into links, here’s the IRS announcement.

So I’m not going to open this attachment. I’m not going to bother.

I know they don’t owe me a refund, and if they did they’re not going to tell me unless I ask. What do I think they are, stupid?

(Don’t answer that!)

So if you get an email from the IRS, forget it. It’s not them.

###

The ol’ tried-and-true Facebook worms are still around

Watch out for Facebook weirdness.

From what I get, ol’ Koobface is still around.

An anagram of a popular social media site, this multi-platform computer worm is still hanging around in all its variants and wreaking havoc after all these years.

There are plenty of hoaxes and urban legends circulating around this piece of malware (like the hoary tale that it’ll burn up your hard drive), but there’s enough truth that shows what a contentious bugger Koobface really is.

In a rare show of anger against the folks who produce malware and security threats, the Facebook folks even called the Koobface gang out. Naming names, all that good stuff.

But Koobface is still around, as you can see by checking the comment dates in this McAfee post. Some things, like pyramid schemes and chain letters, are not going away anytime soon ’cause they’re successful, right?

This came to my attention about a week ago when a friend got word of this creature through his Facebook account. What he got was a link to the Snopes site, and when he forwarded it to me (at my request) I had a look at it and immediately recognized the M.O.

For those who forgot, you might get a provocative-looking picture on your Facebook feed. When you click on it, you’ll be asked to download a viewer for the accompanying video because the one you have is allegedly out of date.

When you click on that, the fun begins.

I experienced something like this a couple of years ago. Like an idiot I clicked on a picture that showed up in my timeline via a friend, a picture that this friend never would have put up in a zillion years. Got the opportunity to download some program called flvdirect.exe — which triggered all sorts of weirdness:

  • The video was automatically sent to many people on my friends’ list.
  • The .exe file to the viewer sat in my /home/download file. I noted the name and ran a Google search. The program in question, flvdirect.exe, is billed as something that would help download torrents but is actually spyware. It’ll do all sorts of nefarious things on your hard drive and it monitors your surfing habits.
  • For the next hour or so, I heated up my high-speed Internet line. Running Google searches on the offending software. Firing instant messages back and forth with a Facebook (actually a real) friend who also got the video — from me. Posting my findings on Facebook. I finally got to bed at 2 a.m., exhausted.
  • My conclusion: Spreading malware sure is hard work.

Myself being the impulsive type, I shut down my Facebook account and started looking for other ways to communicate. It wasn’t until a year ago that I opened another account.

I’m a lot more cautious these days, steadfastly saying no to all those app requests. Third-party applications are the fastest way to screw up your Facebook experience, so I’m keeping my account an app-free one. Every so often when the app requests get heavy I’ll put up an announcement to this fact — a rude one, but not as rude as some I’ve seen:

I stole this off a friend's Facebook timeline; hope she doesn't mind.

With that thought in mind, enjoy your social media. It’s fun, a great time waster and all that. But there’s no reason to let it take your computer over.

Watch out for bugs.

###

How much does the Internet know about you? (besides a lot)

How much does the Internet know about you?

Probably enough.

You’re surfing your favorite sites, and the ads seem to be for places that are awfully close to where you live, and for products/services you are interested in.

Like the man said about the Thermos bottle that keeps your coffee hot or your sweet tea cold, “how do it know?”

It’s almost accurate to say the Internet is stalking you. It sees you when you’re sleeping, it knows when you’re awake. It probably knows what sites you surf, and what you’re using to surf these sites.

Check out these graphics, and tell me they don’t creep you out:

(Signs by Danasoft – Get Your Sign)

These goofy graphics aren’t anything new. I had these up for a long time on my old blog, and I’ve been meaning to put them up here for some time. Now’s my chance.

Syndicated tech columnist Kim Komando recently ran a piece on this, along with a link to a site that is powered by ip2location.com. When you click on the button below, it’ll bring you to the site with some really interesting information. OK, the linked site has the Kim Komando brand all over it, but … well, admit it, she’s not half bad to look at.

Anyway, click this graphic to find out all the gory details:

See What They Know

I copied/pasted the results from when I ran this test myself. For the record, I was using the wireless Internet system from my day job, running my Acer Aspire One with Bodhi Linux and Google Chrome:

* * *

Here’s what They Know

Your location as guessed from your IP Address

As I linked this into a social media site (Google+), I saw some of the values in the above box change. I don’t know if it will keep my information or read back yours. Probably the latter.

* * *

Below is from my own readout, and I excised some information that y’all probably didn’t need to know:

CHARACTER SET: ISO-8859-1,utf-8;q=0.7,*;q=0.3
LANGUAGE: en-US,en;q=0.8
REFERRER (who told you to come to this page): http://privacycheck.komando.com/?utm_medium=nl&utm_source=notd&utm_content=2011-01-11-article&utm_campaign=end-c
OPERATING SYSTEM: unknown
BROWSER: Default Browser 0
YOUR TIME: Mon Jan 09 2012 13:18:36 GMT-0500 (EST)

Sites you’ve visited

Hmmm… We were not able to detect any social networking sites that you’ve visited recently.

Sites must exploit a Web feature to see your history. By default, browsers display links you’ve visited in a different color. And sites can see how a page looks on your computer. If a link changes color, the site knows you’ve visited that link. Using special code, a site can check more than 25,000 links per second!

This page only checks to see if you’ve visited a handful of sites. If nothing is listed above, you haven’t visited one of the sites we checked (or you recently cleared your browsing history).

* * *
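To show where a readout like the one above actually comes from, here is an added example (not code from this post, nor from the Komando or ip2location pages it links to) that parses a constructed set of request headers shaped like that readout and builds the same kind of "what they know" summary from nothing but the headers. The header values, the User-Agent strings and the function names (`readout`, `parse_q_list`, `tracking_params`, `guess_platform`) are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed request headers, modelled on the readout quoted in the post.
# User-Agent is deliberately absent, mirroring the "unknown" OS/browser.
SAMPLE_HEADERS = {
    "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.3",
    "Accept-Language": "en-US,en;q=0.8",
    "Referer": ("http://privacycheck.komando.com/?utm_medium=nl&utm_source=notd"
                "&utm_content=2011-01-11-article&utm_campaign=end-c"),
}


def parse_q_list(value):
    """Parse an HTTP quality-value list (Accept-Language, Accept-Charset)
    into (token, weight) pairs, highest preference first. A token with no
    q parameter has weight 1.0; order among equal weights is preserved."""
    items = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        token, _, params = part.partition(";")
        weight = 1.0
        for param in params.split(";"):
            name, _, val = param.strip().partition("=")
            if name.lower() == "q":
                try:
                    weight = float(val)
                except ValueError:
                    weight = 0.0
        items.append((token.strip(), weight))
    return sorted(items, key=lambda item: -item[1])


def tracking_params(referer):
    """Return the utm_* campaign parameters the Referer header leaks: they
    tell the site which newsletter and which article the visitor came from."""
    if not referer:
        return {}
    query = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in query.items() if k.startswith("utm_")}


def guess_platform(user_agent):
    """Coarse (os, browser) guess from User-Agent. Anything unrecognised,
    including a missing header, reports as 'unknown'."""
    if not user_agent:
        return ("unknown", "unknown")
    os_name = "unknown"
    # Android UAs also contain "Linux", so the more specific name goes first.
    for needle, name in (("Windows", "Windows"), ("Mac OS X", "macOS"),
                         ("Android", "Android"), ("Linux", "Linux")):
        if needle in user_agent:
            os_name = name
            break
    browser = "unknown"
    if "Chrome/" in user_agent:
        browser = "Chrome"
    elif "Firefox/" in user_agent:
        browser = "Firefox"
    return (os_name, browser)


def readout(headers):
    """Build the 'what they know' summary a server can derive from headers
    alone, before any script runs. 'unknowns' counts the fields that gave
    the site nothing usable; a higher count is better for the visitor."""
    languages = parse_q_list(headers.get("Accept-Language", ""))
    charsets = parse_q_list(headers.get("Accept-Charset", ""))
    os_name, browser = guess_platform(headers.get("User-Agent"))
    referer = headers.get("Referer")
    summary = {
        "language": languages[0][0] if languages else "unknown",
        "charsets": [token for token, _ in charsets],
        "referrer_host": urlsplit(referer).hostname if referer else "unknown",
        "campaign": tracking_params(referer),
        "os": os_name,
        "browser": browser,
    }
    summary["unknowns"] = sum(
        1 for key in ("language", "referrer_host", "os", "browser")
        if summary[key] == "unknown")
    return summary


if __name__ == "__main__":
    for key, value in readout(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run against the constructed headers, the summary reports two unknowns (OS and browser), the same outcome the post calls "very good".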

If you check the ip2location site itself, you might also find it quite interesting.

I saw that Net Speed entry on my readout (it says DSL) and this probably explains a bit. The wireless connection at work is really poky. But it’s a decent fringe benefit.

I will take the rest of the Komando readout to mean my computer is more secure than most. Unknown operating system, default browser, no history of sites browsed. Very good. Excellent, in fact. The more “unknowns” your readout has, the better.

You put enough of your business out there as it is.

###

From ZDNet: Is your smart phone being tracked?

So which phones and networks use the Carrier IQ software to track you?

http://www.zdnet.com/blog/btl/which-phones-networks-run-carrier-iq-mobile-tracking-software/64500

This seems to be the new smart phone scare. I noticed in the Android Market (http://market.android.com) there are a few apps designed to sniff out/disable Carrier IQ.

Uhh, I’d wait at least until folks stop panicking before I install any of those apps.

###

Zombie invasion? CDC has some emergency procedures for you

They come out at night …

… in search of brains …

… and the Center For Disease Control wants you to know what to do in the event of a zombie invasion.

Maybe the whole idea came from all those pepperoni pizzas washed down with way too much Mountain Dew, but the CDC put out a blurb outlining preparedness steps when the undead come a-calling.

Seriously. Check it out. Here’s the link.

“The rise of zombies in pop culture has given credence to the idea that a zombie apocalypse could happen.” wrote CDC official Ali Khan. “In such a scenario zombies would take over entire countries, roaming city streets eating anything living that got in their way. The proliferation of this idea has led many people to wonder ‘How do I prepare for a zombie apocalypse?’ “

One of the first things I think of immediately is that the CDC is a governmental function, and they’re screwing off on taxpayer time. But this CDC announcement may actually make more sense than just about any other governmental release. Well, kinda sorta.

“Well, we’re here to answer that question for you, and hopefully share a few tips about preparing for real emergencies too,” Khan continues.

OK. Now we’re cooking. Khan then outlines some preparedness procedures that could serve you well in a pandemic, a hurricane, or zombie invasion.

Craziness aside, what I get from my reading is that it’s hard to sell preparedness to the public. Hurricanes are not sexy enough. Earthquakes don’t have that “it” factor. Even a multi-angled event such as a Katrina (featuring disasters such as a hurricane, massive flooding, societal breakdown and FEMA) and Japan’s recent earthquake/tsunami/nuclear trifecta aren’t enough to sway the populace in the semi-civilized world.

The CDC rationale, it seems, is to come up with something really over the top to garner public attention — such as a zombie takeover. It is unbelievably tempting for me to say something about how the zombies already took over several years ago and were the difference-maker in the 2008 Presidential election, but I’m not gonna say it. I’m not gonna say it.

Later with these pedestrian hurricanes, tsunamis, nuclear mutant monsters from Japan, and even space aliens. All of these have been done to death, and in our ADHD culture, you’ve got to hit the public hard, frequently, and from a variety of angles.

I can understand that complacency, somewhat. I grew up in California, the place where visitors and new arrivals get scared because of earthquakes. Well, there are a lot of other scary things about California, but right now I’m just going to key on earthquakes. To a new arrival, any shaking of the ground is enough to trigger a full-blown panic attack. However, it takes a Richter Scale hit of at least six-something to move the longtime resident. Don’t pester me over a little trembling; if dishes fly out of the cupboards, then call me.

As far as construction goes, whole metro areas are built along earthquake fault lines. The Inland Empire, which for decades saw the fastest growth of any area in California, is nestled along the San Andreas and San Jacinto Faults. The San Jac passed underneath a) the freeway interchange of I-10 and I-215 that had some pretty big skyhooks, b) the men’s department of Fedco, and c) the San Bernardino Valley College campus. Did I worry about getting caught in the mother of all earthquakes during my classes at Valley? Not at all. If it happens, it happens. If it doesn’t, it doesn’t.

I now live near Charleston, South Carolina, known to outsiders as hurricane country. Every year we go through the same drill here — pick up a hurricane tracking map at the Piggly Wiggly, and make noises about putting together a plan. Which usually never comes off. Here, life goes on. We watch the hurricanes develop in the Atlantic, note that for a moment Charleston is named the primary target, then relax when the hurricane takes its usual dogleg right turn. We do have an evacuation every decade or so, but the last hurricane of any real consequence to hit the Lowcountry was Hugo in 1989. Since then the wreckage was cleared out, the sea islands were built back up, and everything went back to normal.

For the record, I do have a skeletal emergency plan in case the Son Of Hugo blows the roof off my mobile home. I have a backpack loaded with clothing, sleeping bag, rope and tarp, plus some prepackaged rations I’m starting to collect. This is really in anticipation of a hike I’m planning, but if something weird happens before then (fire? Flood? The PC Police knocking at my door?) it’s nice to know I’m somewhat prepared.

Standard survival items, straight from the CDC, include:

* Water (1 gallon per person per day)
* Food (stock up on non-perishable items that you eat regularly)
* Medications (this includes prescription and non-prescription meds)
* Tools and Supplies (utility knife, duct tape, battery powered radio, etc.)
* Sanitation and Hygiene (household bleach, soap, towels, etc.)
* Clothing and Bedding (a change of clothes for each family member and blankets)
* Important documents (copies of your driver’s license, passport, and birth certificate to name a few)
* First Aid supplies (although you’re a goner if a zombie bites you, you can use these supplies to treat basic cuts and lacerations that you might get during a tornado or hurricane)

Gee, I think I have room in my backpack for the best defense against zombies: A shotgun. Gotta be prepared for anything.

###

Support your local TSA (or not)

Got these courtesy of talk show host Neal Boortz. Check ’em out — they’re a real hoot.

Remember, though: No laughing in the airport pat-down line. No levity whatsoever. (I found this last part out the hard way while boarding from Kona Airport, but that was too long ago to go into.)
###

Air show: Not the same old base

I love air shows, and I was seriously considering going to the one at the Charleston Air Force Base Saturday.

Thought about it, but I believe I’ll pass.

You know it’s not the same old air force base, not with post-9/11 Homeland Security being a fact of life. You can’t just go onto the base without a search.

I got this from the Air Expo website, and this gives me an idea of what to expect:

Prohibited items include:

  • Coolers
  • Backpacks
  • Gym Bags
  • Glass Bottles
  • Alcohol
  • Knives
  • Fire Arms
  • Car alarms must be disabled for the duration of the air show


Again, not the same old base.

Back in my pre-9/11 taxi driving days, I used to cut through the base as a shortcut. Make up a name at the gate, and no one was the wiser. “I’m here to pick up Airman Mingus and Lt. Coltrane,” I used to say, and no one minded.

Now, without military ID you can’t even go on that base.

OK. Fact of life.

Executive decision: I’m going to watch it from the convenience of my front yard. This is the one time I consider myself lucky to live underneath a landing approach pattern.

###

Does Facebook need its own anti-malware service?

I got this from ReadWriteWeb, and am running it in its entirety. It’s interesting, even though the writers were too kind to Facebook. This, by the way, was a sponsored post–meaning it’s pretty suspect. My comments are interjected below.

Does Facebook Need Its Own Anti-Malware Service?: “

Does Facebook need to run its own anti-virus and anti-malware security system? That’s a question that may need to be addressed in the near future as the now almost 500 million users on the social networking service are facing regular attacks from rogue applications, phishing attempts and other sorts of hacks, not to mention the onslaught of viral, but often completely inaccurate reposted status messages that spread around the network like modern-day chain letters. These messages warn users about some supposed threat occurring on site, but are often either misguided or out-and-out lies.

Out and out lies, my butt. I spent about an hour chasing down something that a) sent random weird messages to my Facebook friends and b) was identified as malware by several excellent sources. This missive smacks of spin control to me.

Is it time for Facebook to step in and do more to protect its network and its users from threats like these?

Rogue Facebook Apps Top Rogue Anti-Spyware During Busy Weekend

The latest threat to make the rounds on Facebook is a rogue application dubbed ‘Distracting Beach Babes.’ The app compromised the security of thousands of users’ accounts by way of status messages that appear to be from friends. But when the users click through on the tantalizing link, they’re asked to give an application permission to run. The app then tells users they must update their ‘FLV player’ before they can see the video. Those that attempt to do so are sent off-site to another page where malware is installed on their computer.

This is hardly the first rogue application to take advantage of Facebook’s automated app approval systems. In fact, only days ago, a similar attack was underway. This one was a link to what was purportedly the ‘sexiest video ever!’ (Those hackers sure know how to entice, don’t they?)

Shoot, this wasn’t even the first attack involving the FLV player. If y’all haven’t read the sordid tale yet, do so

This particular application led to a very busy weekend for anti-virus firms, indicating a major push by rogue Facebook apps, says AVG’s chief research officer, Roger Thompson. Via the AVG website, Thompson reported that from midnight to 9 a.m. on May 15, its anti-malware software blocked more than 30,000 rogue Facebook applications, more than three times the rate of rogue anti-spyware.

In other words, the new anti-malware wave won’t be coming from email, IM or other random websites users are tricked into visiting. It will come from your Facebook friends… or so it will seem.

Thompson acknowledged that Facebook’s security team was ‘very responsive’ in identifying and removing these sorts of rogue applications, but Facebook’s by-default viral nature allowed them to spread rapidly and affect large numbers of users before the apps could be removed. ‘This attack was actually stunning in terms of scale,’ he said.
“Very responsive?” I’ll bite. This issue came to my attention May 2. If they were “very responsive,” this would be a dead issue and no more needs to be said or written. 
Oh. I forgot. It was a different video this time. That’ll throw ’em every time. Silly me.

Rogue Apps, Phishing, Scams and More
Other recent Facebook-related malware attacks have included fake Facebook password reset emails, the seemingly never-ending spread of the Koobface worm, the ‘stalk my profile’ scam (a rogue app with 25 variations, claiming it could tell you who visited your profile), the rogue ‘like’ app (which borrows the infamous like icon), and many others. Other unpatched attack vectors pop up every day, like this security hole which researcher Joey Tyson (a.k.a. theharmonyguy) describes as a ‘dream situation for phishing.’ This vulnerability is especially troubling as it enables a hacker to present a convincing Facebook login page that actually contains the term ‘facebook.com’ within its URL. (See it in action here. Can you tell that’s not the real Facebook.com?)
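The quoted paragraph makes a point worth pinning down: a URL that merely *contains* the string ‘facebook.com’ is not a URL that *goes to* facebook.com. The following is an added example, not code from the article or from any of the researchers or companies it quotes. It uses Python’s standard `urllib.parse` to pull out the host a browser would actually connect to and compares that against a naive substring check. All sample URLs are constructed for illustration; none is a real phishing address.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the article), mapped to whether
# they really land on facebook.com or one of its subdomains.
SAMPLES = {
    "https://www.facebook.com/login.php": True,        # genuine subdomain
    "https://facebook.com.evil.example/login": False,  # look-alike domain
    "https://evil.example/facebook.com/login": False,  # brand name in the path
    "https://facebook.com@evil.example/": False,       # brand name as userinfo
    "https://FACEBOOK.COM./": True,                    # case and trailing dot
    "http://evil.example/?next=https://facebook.com": False,  # brand in query
}


def naive_check(url: str) -> bool:
    """The tempting but wrong test: 'does the URL mention facebook.com?'"""
    return "facebook.com" in url.lower()


def connect_host(url: str) -> str:
    """Return the lower-cased host the browser would connect to.

    urlsplit().hostname already drops userinfo and port and lower-cases;
    we also strip a trailing dot (an absolute DNS name is the same host).
    """
    if "://" not in url:
        url = "https://" + url          # assume a scheme-less link is https
    host = urlsplit(url).hostname
    return (host or "").rstrip(".")


def is_facebook_host(url: str, legit: str = "facebook.com") -> bool:
    """True only if the connect host is the legitimate domain or a subdomain of it."""
    host = connect_host(url)
    return host == legit or host.endswith("." + legit)


def compare(urls: dict) -> list:
    """Side-by-side results: (url, naive verdict, host-based verdict, truth)."""
    return [(u, naive_check(u), is_facebook_host(u), truth) for u, truth in urls.items()]


def host_check_matches_truth(urls: dict = SAMPLES) -> bool:
    """Does the host-based check agree with the ground truth on every sample?"""
    return all(verdict == truth for _, _, verdict, truth in compare(urls))


if __name__ == "__main__":
    for url, naive, proper, truth in compare(SAMPLES):
        print(f"{url:50} naive={naive!s:5} host={proper!s:5} truth={truth}")
```

The naive test says ‘yes’ for every one of the six samples; the host-based test gets all six right. That is the whole lesson of the phishing trick described above: the only part of a URL that decides where you end up is the host, and users (and link scanners) should read that part, not scan the string for a familiar brand name.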
The situation has gotten so bad that users, in an attempt to be helpful, end up spreading around messages about various threats. Unfortunately, the threats they report are often false or are simply harmless bugs that Facebook is fixing, adding to the confusion. Case in point is the warning that anyone who received ‘tons of friend suggestions’ was infected with a virus. The reality, ironically, involved a widespread misunderstanding of the actual Facebook friend suggestion feature. The situation is so out of control that people are now spreading jokes poking fun at the trend itself.

See my above comment. If this was a bug Facebook was fixing, this would not be an issue. Next question …?
Facebook’s Security Efforts to Date
For what it’s worth, earlier this year, Facebook implemented virus-scanning for the PCs of compromised users after they had fallen victim to an attack. The company also runs its own Security Page, which serves as a warning system of sorts. The page now has over 1.8 million fans (or in the new lingo, ‘people who like this’). But on a network of nearly 500 million, this is the equivalent of a drop in the bucket. And it may not be enough to combat this ever-growing threat.

Ohh, yeah. Online virus scanning of the end user’s computer. There are a few services that offer this; you will see their ads popping up every once in a while. Unfortunately, these are the kind of “services” that add a whole different breed of malware to your computer. I’ll pass on that.
And Facebook implementing this virus scanning? The way they totally don’t give a rip about user security, I’d pass on that too. And if you have half a brain, you’ll likewise pass.

Sophos security researcher Graham Cluley recently pondered this same question, asking, ‘Isn’t it time that Facebook set up an early warning system on their network, through which they can alert their… users about breaking threats as they happen?’ The impact of such a feature could be dramatic, he explains. ‘Imagine just how many people could have been protected if a simple message had appeared on all users’ screens warning them of the outbreak.’
Whether an early warning system is actually needed is debatable. Another option would be for Facebook to more closely monitor the applications submitted to its platform. As the New York Times recently reported, ‘Facebook’s automated system for application developers leaves a door open to the creation and distribution of abusive applications,’ even if the apps’ ability to spread is short-lived.
But apps that only live for a few hours can still have thousands of victims. Maybe it’s time for Facebook to make sure they never get to live at all?
Image credits in original article: Facebook; Sophos
Bottom line: Facebook has not earned my trust. There’s no way on this earth I’d trust them to do anything with my computer. I won’t even let them wipe the dust off my screen. And now this?
###