Slashdot Mirror


Facebook Malware Goes Viral

itwbennett writes "Just a few hours after a fake CNN news report appeared on Facebook Friday, more than 60,000 users had gone to the spoofed, malware-bearing page, according to Sophos Senior Security Advisor Chester Wisniewski. Facebook didn't respond to IDG News Service's request for information on 'how widespread the problem was or whether its own security had been breached, but Wisniewski said that there are a number of ways that status updates could appear without users' knowledge.'"

30 of 123 comments

  1. Hopefully lots of stuff of value was lost by Khyber · · Score: 5, Insightful

    Maybe that'll teach people to be more wary about random links they see.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Hopefully lots of stuff of value was lost by bogaboga · · Score: 5, Insightful

      > Maybe that'll teach people to be more wary about random links they see.

      Some people might call you a sadist, unfortunately. In my case though, I hope Slashdot will not 'force' us to use Facebook login...or whatever they call it.

      This is because I do not have a Facebook account and do not intend to get one. Do not call me weird. People at work have called me names for not having a Facebook account.

      Here is my reason for not having one: Having a Facebook account adds no value to me at all, save for inviting unwanted folks I have always loved to avoid into my life. Besides, I am too busy for Face-book anyway.

    2. Re:Hopefully lots of stuff of value was lost by mikeburke · · Score: 5, Insightful

      > Besides, I am too busy for Face-book anyway.

      Yes, these posts on Slashdot will wait for no man... can't these people see I'm busy?

    3. Re:Hopefully lots of stuff of value was lost by mlts · · Score: 4, Interesting

      When I was in the job market, I lost potential jobs for not having a FB account.

      With the fact that there is concern about deleted stuff not really being deleted, people searching profiles for anything (where a bad joke reposted can get someone flagged as a racist or gun nut for 7 years), using FB as a communication tool for anything other than the latest cat meme is out of the question.

      I sometimes wonder about someone coming up with a paid membership site (so the subscribers are the true customers) for social networking where only the parties involved (and possibly LEOs) are the only ones privy to information posted and shared. Combine that, plus having data erased after a forensically apt period of time (30 days after it was deleted by the user), and this would be an actually useful service.

    4. Re:Hopefully lots of stuff of value was lost by tlhIngan · · Score: 5, Insightful

      > When I was in the job market, I lost potential jobs for not having a FB account.

      > With the fact that there is concern about deleted stuff not really being deleted, people searching profiles for anything (where a bad joke reposted can get someone flagged as a racist or gun nut for 7 years), using FB as a communication tool for anything other than the latest cat meme is out of the question.

      So use Facebook as I use it - very carefully.

      I put up a very minimal profile (Facebook may ask for a ton of information, but they require very little). Put up a neutral profile pic, and don't bother uploading any more photos.

      Then accept friends with caution. There is no law saying you have to friend every real life friend on Facebook. I don't - in fact, I have probably 8-10 people on my "requesting to friend you" list. They are people I know in real life, but whom I don't really care about. No one said you have to have a million "friends" in your friend list, or accept every invitation.

      I also set all the controls so my friends can't do anything like tag me or such. And I don't post my every whim/thought/status update there. Actually, I don't bother posting at all - it's just a token account I use to control my online identity. (I also don't spend more than a few minutes every few months).

      There's no reason one can't have a facebook account, nor any law requiring one spend hours on the site - just set up a minimal profile, carefully choose your friends, and watch what you post (remember that everything you post online the entire world can see, regardless of privacy settings - so treat every post as a public blog post or comment on a website that everyone can see).

      The real challenge though is the dancing pigs problem, which most people on facebook seem vulnerable to.

    5. Re:Hopefully lots of stuff of value was lost by debiankicksass · · Score: 2

      I prefer real friends myself and therefore do not have a facebook either.

    6. Re:Hopefully lots of stuff of value was lost by rhook · · Score: 5, Funny

      I have a bridge for sale in Brooklyn that they might be interested in. Cheap.

    7. Re:Hopefully lots of stuff of value was lost by Anonymous Coward · · Score: 5, Insightful

      > Maybe that'll teach people to be more wary about random links they see.

      Not really directed at you, as such, but... When did we accept that clicking on a link is a dangerous operation? I mean, sure, there's a risk you might end up at goatse or whatnot, but are browsers and web devs really so utterly incompetent that simply fetching a page from a dubious domain counts as head-slapping user error? It's really not that long since browsing the web was fairly safe, at least to the extent that if you didn't download and run random .exes it wouldn't break your computer. Most users expect that it still is and, frankly, they're right to have that expectation.

      Or, to put it another way: if the user can bork your security model just by clicking on a link, the problem is with the security model rather than with the user.

    8. Re:Hopefully lots of stuff of value was lost by hairyfeet · · Score: 3, Insightful

      Maybe it will also teach them to have a browser that actually blocks that crap like Comodo Dragon, along with having a good free AV like Avast or Comodo that will sandbox and try to minimize their own rampant stupidity?

      Just another example of what I predict all malware of the future will be, simple social engineering to exploit the PEBKAC for personal gain. Frankly here at the shop I can't even remember the last time I saw a malware driveby bug, even on XP, it's all PEBKAC trolling now. The truly sad part is no matter how many times you warn them there are a percentage that will ignore you or even be downright hostile to you if you try to keep them from getting infected if it involves them not getting the real or imagined cookie the malware writers offer. I have seen this myself when I threatened to call the cops and had to throw a guy out of my shop for wanting his PC fixed for free after he got infected not 24 hours after getting it from me. What did I do wrong to cause such a short turnaround? Not a damned thing, after I told the guy that Limewire had been shut down by the feds years ago and anything calling itself "the new limewire" would just be a virus he went home and when his AV wouldn't let him have his "New limewire" he first tried disabling it and then uninstalled it, all so he could have a fake limewire that was nothing but a trojan delivery package.

      When you are dealing with THAT level of stupid self-centeredness frankly it doesn't matter if it is Windows or Linux, if it's Android or iOS, all you have to do is dangle the right cookie in front of their faces and they will be downright hostile to anything that tries to keep them from their goal, no matter how many times you expressly warn them that the only cookie they'll be getting is some malware writer blowing his cookies all over their computer. But as long as the user has the rights to control his system you will be dealing with a section of them that don't think, a section of them that are downright greedy and will fall for anything that appeals to that greed, a section of them that only think with the little head that will happily do anything you want as long as your offer includes their fetish, and finally a section of users that are just DUMB, stupid ignorant, clueless and have no intention of learning shit, just good old fashioned idiots.

      This is a perfect example, how many times have we seen this exact same shit pulled? How many times has FB warned them about just clicking on random shit that asks them to install anything? Yet here we are, thousands of machines pwned by people so fucking retarded they probably shouldn't have been on them in the first place.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Hopefully lots of stuff of value was lost by flimflammer · · Score: 4, Interesting

      If you lost potential jobs by not having a facebook account, then you did not want to work there anyway. They just wanted you to do their research for them by divulging every detail of your life on facebook so they could go through it and nitpick every little comment and picture in your account.

    10. Re:Hopefully lots of stuff of value was lost by Lumpy · · Score: 4, Funny

      "Maybe that'll teach people to be more wary about random links they see."

      No, no it won't. I have worked in IT for 12 years and was happy to escape it 6 years ago. I still see that even today, the average user gleefully clicks on any link they see. I think most users think the internet is a giant game of whack a mole.

      --
      Do not look at laser with remaining good eye.
    11. Re:Hopefully lots of stuff of value was lost by MysteriousPreacher · · Score: 3, Insightful

      Or it's their preferred medium for contact/managing relationships. Another possibility is that it's just become an expectation - like having an email address, website, business card or fax number would have been.

      I personally don't like this. Facebook for me is a personal thing, not something I'd like to use for business. If they ask Facebook, I'd have to ask why? If it's for contact, then use email, phone or LinkedIn, or smoke signals for all I care. They may just as well be asking for my girlfriend's mobile number.

      --
      -- Using the preview button since 2005
    12. Re:Hopefully lots of stuff of value was lost by azalin · · Score: 2

      Amen. If just clicking a link (compared to "do you really want to install this potentially dangerous software") results in an infection there is something deeply wrong. Browsers (or even the Fb API) should shield users from something like this, or be considered defective.
      I have seen parts of the internet where normal eye bleach wouldn't have helped anymore, but if we couldn't just go out and explore, the web wouldn't be the same anymore.
      Of course once users carelessly click through the warnings, it's time for the iron cluebat.

    13. Re:Hopefully lots of stuff of value was lost by operagost · · Score: 2

      Why the hell would a redneck use the word "infrastructure"? And having the safety on while cleaning your gun is like putting your car in park before you remove the transmission.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
  2. Windows malware doesn't go viral by dgharmon · · Score: 2

    Technically speaking malware can't go viral, as in malware requires action by the end user. It should be pointed out that only users of Facebook and 'Adobe Flash' running on Microsoft are susceptible to this vulnerability.

    --
    AccountKiller
    1. Re:Windows malware doesn't go viral by Anonymous Coward · · Score: 2, Insightful

      does a viral video not also require some action by the end-user?

    2. Re:Windows malware doesn't go viral by bmo · · Score: 5, Insightful

      > It should be pointed out that only users of Facebook and 'Adobe Flash' running on Microsoft are susceptible to this vulnerability.

      Actually, it's the people in the Windows world who have been taught by the likes of Adobe and such that the normal way to install software is when you encounter a site that requires some special codec, that you install it straight away without question.

      Flash itself is not the problem, it's the behavior of users who have been taught wrong in the Windows universe.

      In sane environments, you look for trusted sources for software before blindly clicking on a web page. The Free Software world teaches people to look in the trusted repositories first (bsd ports system, debian packages, gentoo portage, etc) before downloading random binary code and running it willy-nilly.

      --
      BMO

  3. Clicking links! by sd4f · · Score: 2

    It would be terribly ironic if the links in the post went to said malware sites. Getting happier and happier that I don't use facebook anyway. The problem I have though, a lot of malware is obvious that it's malware, usually by disabling you from doing certain things, like viewing hidden files, or even letting you run process explorer (which has helped me overcome viruses in the past, enough so that I could backup stuff and reinstall the OS) but what I'm worried about are the viruses which don't show themselves, considering the bad viruses I've gotten in the past have ranged from suspect sites, to trusted sites that became hacked and had the malware loaded on.

  4. It must be hell out there, with that weather... by SeaFox · · Score: 5, Funny

    Was anyone else amused the news article is titled "U.S. Attacks Iran and Saudi Arabia", but the video thumbnail shows tanks driving through snow?

    1. Re:It must be hell out there, with that weather... by Anonymous Coward · · Score: 5, Funny

      It's not snow but rather, cocaine. Explains the madness going on in those countries.

  5. Bad advice in article by Nebulo · · Score: 5, Insightful

    The article states, "Of course there is no such Flash update. You should always download Flash from a genuine Adobe site."

    This is poor advice. I would suggest, "Flash should never be installed on anyone's computer, ever."

    nebulo

    1. Re:Bad advice in article by perryizgr8 · · Score: 2

      and youtube can go fuck itself, right?? because the html5 player still can't play shit, even on chrome.

      --
      Wealth is the gift that keeps on giving.
    2. Re:Bad advice in article by satuon · · Score: 2

      Actually that's not true. At least on Chrome, Youtube's HTML5 has true fullscreen (finally). I had been expecting them to do it since they own both Youtube and Chrome, so they can work on both sides of the equation. Now when you click the fullscreen button, the browser also goes fullscreen (as if you also hit F11). This makes HTML5 for all practical purposes equivalent to Flash, now.

  6. Those wily fb links by tkprit · · Score: 5, Insightful

    Bitches are getting good! If I see an interesting link on FB that hasn't popped up in my reader, I go to the source site and try to find the linked article myself because, well, it's FB. But I noticed a crazy-sounding headline from The Washington Post, went to the wp site, never found it, went back to fb and hovered over the link, ready to warn the friend that they'd clicked the wrong link — hoverlink pointed to trove.fb.xxxxxxx (one of those apps for "social sharing" every 'article' you read in the app). I didn't allow the app, of course, but the headline being on the WP bugged me; back on wp.com, I finally found a barely-related article that had a sentence buried deep inside it that alluded to the sensationalistic headline linked on fb. I should have known: the Post dumbs down the articles for fb (why would anyone want to admit to reading the dumbed-down versions?).

    These apps are hell! Why not just go to the WP and read the whole article there? It's like AOL came back from the 90s, bigger and badder (content not served to you; you have to beg for it by approving each 'app', and then you just get a morsel instead of the whole content). And ppl want this?!

    Fine; let em have it. I now officially support these fb malware apps — funny to watch in action, and maybe enough of them will teach people not to use these 'apps'. And booyah on the Post for succumbing to the dumbing down of content to feed the masses.

    1. Re:Those wily fb links by k6mfw · · Score: 2

      > It's like AOL came back from the 90s, bigger and badder

      At least AOL sent 3.5" disks that could be used for storage (tape write-protect hole) or as coasters for beverages.

      But seriously, "alpha hotels" can post dangerous wily links and with zillion people on FB, all it takes is 0.001% to fall for it and large numbers of computers will be inflicted. This has potential to spread and cause havoc.

      I use one computer for online stuff, other machines ain't no way ever connect them to the 'net. Did you know Windows XP will never crash as long as you don't connect it to the internet? And also don't load it with a bunch of crapola programs. I know of one system that is running for years (at work for a special application and only three machines are networked together). Damn thing keeps running.

      --
      mfwright@batnet.com
  7. Not me by kheldan · · Score: 3, Informative

    Apparently I picked a good month to decide I'm sick and tired of all the Failbook bullshit and delete my account.

    Instructions on how to permanently delete your Facebook account

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:Not me by satuon · · Score: 2

      Even if they actually did delete it from all their servers and backups, some of it could still have been harvested by who knows how many site grabbers and bots. And you can't delete that.

  8. Not a solution by happyhamster · · Score: 3, Insightful

    Why should I have to set up an account at a private website just to get a job? This is ridiculous. No matter how little info one has to divulge, why? By what right? I know that the companies doing this are stupid and I would not want to work for them under normal circumstances. But the economy is in the gutter, and sometimes you have to grab the first job coming (regardless of some jokers here claiming that "there are plenty of dev jobs out there"). Hiring has become so ridiculous lately that the government needs to step in and freaking regulate the process! Just have a standardized process. All the stupid gotcha interviews, dick measuring contests, "puzzle" bs, and now having to have a freaking facebook account are utterly ridiculous. The business has clearly shown they cannot act as adults and cannot be trusted. Government should step in and set some sensible rules.

    1. Re:Not a solution by flappinbooger · · Score: 2

      Welcome to 2012. The people who are potentially hiring you are too lazy or stupid to do things "the old fashioned way" so they want to see if you are also stupid; stupid enough to post pictures of yourself wasted with sharpie outlines of genitalia on your face.

      The problem comes with the phenomenon of "tagging" where if someone ELSE who has abovementioned sharpie pictures of you can post them, tag YOU, and then they end up on YOUR page.

      Like I said, welcome to 2012.

      --
      Flappinbooger isn't my real name
    2. Re:Not a solution by kingturkey · · Score: 2

      Unless of course you set your settings to not allow tagging or just simply remove the unwanted tags. Or you could even request that the owner take down the photo if it's so embarrassing, and assuming they're not an adolescent they'd probably do it.

      The hatred for Facebook here on Slashdot is really quite absurd, and not just a little ironic as well, given that people here usually criticize others for not understanding technology.

      You can set the privacy settings how you want, sure they have defaulted to public in the past, but who here uses the default settings on anything without looking at the other options first anyway (and with government attention now they probably won't be making the same mistakes again)?

      Certainly it can be a source of problems, but that's really only if you're stupid enough to share things that shouldn't be shared with a wider audience than appropriate. Think about what you share and who you share it with (normally a mantra for the /. crowd!) and you won't have any problems.

      What you will have is a platform to connect with people you otherwise would be interested in but may not have the time/inclination to reach out to, a more efficient way of keeping up with those who you would have contacted by other means and an interesting way to pass time when you don't have anything to do/are procrastinating.

      As for the "you are the product" people, well there's not much to do about them. You are correct, but also paranoid, egocentric and absurd. That's how the internet provides you with free content: ads. Targeted ads are more valuable so Google, Facebook etc collect data about you in order to provide you with ads.

      What they don't do is sell your information, nor does anybody read it. Nobody gives a shit that you looked at example.com or did a search for abc, or 'liked' a particular page. Nobody is sitting in a server room at Facebook jerking off to your "private" (read: incredibly mundane) data, you thinking that is just egotistical. The only thing that cares about it is their ad-targeting algorithms.