Fun with Facebook Video and Casey Anthony

Jul 11, 2011 | 3 mins
Data and Information Security

The bad guys are wasting no time exploiting Facebook’s new video chat, not to mention the name Casey Anthony.

This morning’s news is full of details on the latest social engineering tactics to hit the Facebook universe. Here’s one story from the IDG news network:

If you see a post on Facebook about a Casey Anthony confession, or a link to download the video chat app, run away. These two new Facebook scams demonstrate why the social network is such fertile ground for attackers to target.

Malware attacks frequently use social engineering to spread and current events as bait. With the recent unveiling of Facebook’s partnership with Skype to deliver video chat from within the social network, and the public outrage over the acquittal of Casey Anthony, attackers have the key ingredients they need to dupe victims into installing malware.

The Sophos NakedSecurity blog cautions, “If you see a wall post referencing ‘Enable video calls.’, don’t click it! Send your friend a message that they have been tricked.”

There is a right way to enable the Facebook Video Chat service, and it does not involve installing a third-party app. This malware asks for permission to access your information, post on your wall, access posts in your news feed, and even continue to access any of this information even when you are not actively using the app.

Hopefully, that would set off some red flags for most users. Why would a video chat utility need to access my news feed or post on my wall–especially when the video chat tool isn’t even in use? Users who lack that sixth sense and “Allow” this app will end up spamming all of their Facebook connections and leading them to an online survey site that generates traffic and referral fees for the attackers.

Casey Anthony is the OJ Simpson of this decade–the tabloid media circus murder trial where the public is sure she is guilty, yet somehow she was inexplicably acquitted. The shock and outrage over the result of the trial make perfect fodder for a Facebook scam.

If you happen to see a message on Facebook proclaiming “BREAKING NEWS–Leaked Video of Casey Anthony CONFESSING to Lawyer!”, don’t believe the hype. Please. Don’t say I didn’t warn you.

–Tony Bradley

We’ve covered social engineering as it relates to social networking at great length here, and this might be a good time for a little refresher course. To that end, I’d like to direct you to these articles:

Seven Deadly Sins of Social Networking Security

To users of LinkedIn, Facebook, Myspace, Twitter or other social networking sites: Are you guilty of one of these security mistakes?

Social Media Risks: The Basics

Social media sites unfortunately pose many security risks for the unwary. Here’s a guide to avoiding scams of all sorts.

Social Engineering: The Basics

What is social engineering? What are the most common and current tactics? And how can your organization prevent these scams? A guide on how to stop social engineering.

Social Engineering: Eight Common Tactics

Stealing your company’s hold music, spoofing caller ID, pumping up penny stocks – social engineers blend old and new methods to grab passwords or profits. Being aware of their tactics is the first line of defense.

Everyone will fall for social engineering scams at some point. We’re not always at our sharpest when we’re on Facebook or Twitter. I figure the more we can do to raise awareness, the better.

–Bill Brenner