Facebook “Hacking”

A few of my Facebook pals have recently been posting inane garbage on people’s profiles. This garbage usually directs the reader to a site that will “enlarge your penis” or tell you who your “secret crush” is. Here’s an actual post from a friend’s wall:

Ok pay close attention <friend’s name> what I am about to tell you must stay on the low down. Matty has been taking these cok pills now for a while and I found two bottles in his glove compartment. He made me promise that I would not tell anyone that he is on them, cause they changed his whole size and life, he told me if I shut up he would tell me where to get them, so he did, they are on http://checkneed.com and not only that, they are totally guarenteed to work fully or all your green back, every penny. http://checkneed.com

Such posts are clearly spam, and the majority of Facebook users identify them as such. What they all seem unable to recognize, though, is that the spam is most likely not the result of hacking.

Mostly, this is just an issue of semantics. Nevertheless, I want to make it clear that if Facebook has actually been hacked (and more than once, to boot), then there are a lot of clever people out there who know something that security professionals do not. To “hack” Facebook, one would have to hack Facebook’s servers, which have, I imagine, very good security. And even if someone did manage to hack Facebook, the infiltration would be noticed and anything the intruder had done would be reverted. It’s also worth noting that if you got admin or root privileges on the Facebook servers, posting spam on people’s walls is probably not something you would care about.

I therefore believe that the people who have had their accounts taken over are not the victims of hacking, but rather of either a phishing scam or a keylogger. Given the victims that I know personally, it is my guess that the culprit is a keylogger. Why? Because they’re not stupid people and phishing scams are pretty easy to spot—particularly if you use Firefox 3, which won’t even load a page it thinks is a scam.

A clever keylogger may get around a weak firewall (viz. Windows Firewall) undetected. But, if you have AVG Free, you should be able to detect such keyloggers and get rid of them before they can do any damage.

There is a slight chance that my victim-friends were just sitting in a T-Mobile hotspot or something, and happened to be there at the same time as a spammer who knows of the cookie-spoofing hack as revealed at Black Hat last year. If this is the case, I’d suggest using an SSH tunnel or encrypted VPN.
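The hotspot scenario works because the site’s session cookie travels in cleartext HTTP and anyone on the same wireless network can copy it; a tunnel or VPN hides that traffic. The check below is an added example, not code from the original post: it audits Set-Cookie headers and reports session cookies that lack the Secure flag (so they are sent over plain HTTP) or the HttpOnly flag. The header values and cookie names are constructed for illustration, and the name heuristics in SESSION_HINTS are an assumption.

```python
"""Audit Set-Cookie headers for session cookies that a hotspot sniffer could reuse.

Added example, not from the original post. The sample headers and the
SESSION_HINTS name heuristics are constructed assumptions for illustration.
"""
from __future__ import annotations

# Substrings that suggest a cookie carries a logged-in session (assumption).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into its name, value and attribute map.

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones such as Path map to their value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: does the cookie name suggest it identifies a session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_cookies(headers: list[str]) -> list[dict]:
    """Return one finding per session cookie that is exposed on cleartext HTTP
    or readable by page scripts. Cookies with both flags produce no finding."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not looks_like_session_cookie(cookie["name"]):
            continue
        problems = []
        if "secure" not in cookie["attrs"]:
            problems.append("no Secure flag: sent over cleartext HTTP, so sniffable on an open hotspot")
        if "httponly" not in cookie["attrs"]:
            problems.append("no HttpOnly flag: readable by scripts running in the page")
        if problems:
            findings.append({"cookie": cookie["name"], "problems": problems})
    return findings


# Constructed sample headers; not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Domain=.example.com",      # exposed both ways
    "sid=def456; Path=/; HttpOnly",                        # still sent over HTTP
    "authtoken=ghi789; Path=/; Secure; HttpOnly",          # protected
    "lang=en; Path=/",                                     # not a session cookie
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding["cookie"])
        for problem in finding["problems"]:
            print("  -", problem)
```

Run it directly to see the two exposed cookies listed; the protected authtoken and the harmless lang cookie produce no output. The Secure check is the one that matters for the open-hotspot case: a cookie the browser only ever sends over HTTPS cannot be picked out of cleartext wireless traffic in the first place.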
