They couldn’t have planned it any better. When questions came up about Dennis Yu and Shoemoney and what kinds of activity they were engaging in on Facebook, a post by ShoeMoney about Dennis Yu succeeded magnificently in taking people’s eyes off the ball. People have stopped thinking about the substance of what Dennis Yu was alleging and offering and instead continue to write about Dennis Yu and Shoemoney.
I fell for the trap at first, too, until Michael Webster, who runs http://www.bizop.ca, pointed out the potential significance of the information Dennis Yu was willing to share.
Now, what Dennis Yu has shared publicly to date about shady Facebook tactics has been pretty mundane, but he did at one time offer to provide more interesting details privately.
Well, let’s get back to the substance.
Even though it’s still pretty basic, Bob Sullivan at MSNBC wrote a great article here on June 2, 2009 that lays out the framework scammers operate out of and gives insight into why scamming on FaceBook has been so successful.
At the time of the article, Sullivan noted that FaceBook had one practice that is amazingly disturbing from a security standpoint:
“Worse yet, some of the techniques Facebook employs fly directly in the face of accepted security practices. Facebook regularly sends e-mail to users with links in the message. “To follow the comment thread, follow the link below,” reads a typical note. Clicking on the link then prompts users to log in.”
What’s most amazing about this is that the scammers don’t need to use the slightly more sophisticated technique of gaining control of FaceBook accounts by stealing users’ cookies.
Admittedly, the information Dennis Yu covered in his TechCrunch article involves more sophisticated scamming than what Bob Sullivan covered, but what you may NOT realize is that there is yet another level of potential scamming on FaceBook that is significantly more sophisticated than what either Bob Sullivan or Dennis Yu discuss…
For example, DarkNet.org.uk announced “FBController – the ultimate utility to control FaceBook accounts” on 5/12/2009 and noted this impressive feat of the creator(s):
“There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc….FBConTroller was entirely written without knowing any of Facebook’s Dev API’s.”
I couldn’t determine if FBController was ever successfully used to scam FaceBook members, and according to this CNET article:
“Facebook spokesman Barry Schnitt said the company is aware of the tool and that it does not impact the firm’s ability to detect potentially malicious behavior.”
The creator of FBController, Azim Poonawala (QuakerDoomer), stated that his intention in creating FBController was not to allow control of multiple accounts, although “it can definitely be misused by bad guys to achieve that since it is free.”
However, it’s still interesting to note that one security expert identified a weakness in the cookie specification that could be used to steal cookies, a specification “which dictates that browsers must allow subdomains (think www.google.com) to set and read cookies for their parent (google.com). The specification also states that if a cookie for a subdomain doesn’t already exist, the browser should use the cookie belonging to the parent instead.” – geeks can read RFC 2965 for the details.
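To make that cookie-scoping rule concrete from the defender’s side, here is an added example (not from the original post or any of the articles it cites) that models how a browser decides which hosts receive a cookie, following the domain-matching rule of RFC 6265, the successor to RFC 2965. It shows why a cookie set with a broad Domain attribute reaches every subdomain of the parent, while a host-only cookie (no Domain attribute) stays with the host that set it. The hostnames and Set-Cookie headers are constructed for illustration.

```python
"""Cookie scope audit: which hosts would a browser send a given cookie to?

Implements the domain-matching rule of RFC 6265 section 5.1.3 and the
Domain-attribute check of section 5.3 step 6. All hosts and headers below
are constructed sample data, not values from any real site.
"""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: a host domain-matches a cookie domain when they are
    identical, or when the host ends with '.' + domain and is not an IP literal."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if request_host == cookie_domain:
        return True
    if not request_host.endswith("." + cookie_domain):
        return False
    # An IPv4 literal never domain-matches a shorter suffix (e.g. 10.0.0.1 vs 0.0.1).
    if all(label.isdigit() for label in request_host.split(".")):
        return False
    return True


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_scope(set_cookie: str, setting_host: str, candidate_hosts) -> list:
    """Return the subset of candidate_hosts that would receive this cookie.

    setting_host is the host whose response carried the Set-Cookie header.
    """
    cookie = parse_set_cookie(set_cookie)
    domain = cookie["attrs"].get("domain")
    if domain:
        domain = domain.lstrip(".").lower()
        # s5.3 step 6: if the setting host does not domain-match the Domain
        # attribute, the user agent ignores the cookie entirely.
        if not domain_matches(setting_host, domain):
            return []
        # Otherwise the cookie is sent to every host that domain-matches it,
        # i.e. the parent and all of its subdomains.
        return [h for h in candidate_hosts if domain_matches(h, domain)]
    # No Domain attribute: host-only cookie, delivered only to the exact host.
    return [h for h in candidate_hosts if h.lower() == setting_host.lower()]


# Constructed hosts: the parent, a login host, a host serving user-supplied
# content, and an unrelated domain that merely begins with the parent's name.
SAMPLE_HOSTS = [
    "www.example.com",
    "login.example.com",
    "user-content.example.com",
    "example.com",
    "example.com.evil.test",
]

# Constructed headers: the same session cookie scoped broadly vs host-only.
BROAD_COOKIE = "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly"
HOST_ONLY_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    for label, header in (("broad", BROAD_COOKIE), ("host-only", HOST_ONLY_COOKIE)):
        print(f"{label}: {cookie_scope(header, 'login.example.com', SAMPLE_HOSTS)}")
```

Running the script shows the broad cookie reaching `user-content.example.com` along with every other host under the parent, which is exactly the sharing the quoted specification language describes; the host-only cookie is delivered only to `login.example.com`, and the unrelated `example.com.evil.test` never qualifies because it does not end with `.example.com`. When auditing a site, the question to ask of every session cookie is whether anything that can run on a sibling subdomain should be trusted with it.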
Not long after that, Dan Goodin, the author of that article, wrote another article titled “Major IE8 flaw makes ‘safe’ sites unsafe” in which he stated, “The latest version of Microsoft’s Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe.”
What might be the ultimate wake-up call to the dangers of FaceBook and other social networks is the fact that according to this article in The Guardian “Mikko Hyppönen, who regularly works with Scotland Yard, the FBI, the US National Security Agency and Interpol” refuses to use FaceBook.
Recent FaceBook scams and vulnerabilities:
- 12/4/2009 – New Phishing Scam Spreading via FaceBook
- 11/20/2009 – Major IE8 flaw makes ‘safe’ sites unsafe
- 11/4/2009 – Newfangled cookie attack steals/poisons website creds – Google, Facebook risk
- 9/15/2009 – FBController – The Ultimate Utility to Control Facebook accounts without the Password.
- 5/12/2009 – FBController announced at Darknet
- 4/30/2009 – FBConTroller [ FACEBOOK CONTROLLER ] – The Ultimate Facebook Controller (without the Password)