Almost everybody I know has a Facebook account. It's pretty much like having a cell phone. With so many people using it, it has become a favorite target for wicked, little computer monkeys (phishers, crackers, and others of that ilk). In fact, just today I received an email from somebody trying to steal my Facebook password, and there was an article on the BBC's website about new attacks on Facebook and its users. Why, you may ask, would these evil monkeys want to mess with my Facebook account? Well, here are a few ideas:
- Getting Your Password – Is your Facebook password the same password that you use for other websites? Your email account? Your bank or credit card? If somebody stole your Facebook password, what else would they be able to access?
- Installing Viruses – Some attackers don’t want anything to do with your Facebook account. They just want to make you think you’re logging in to Facebook in order to gain your trust. This way they can more easily persuade you to install viruses on your computer. They could fool you into installing a program that records everything you type (including passwords as you log in to your bank), or other programs to control your computer.
- Annoying Advertisements – Have you ever seen one of your Facebook friends posting a link to some strange website (Find Your Crush! etc.) and thought that it was a little out of character for them? Their account was probably broken into. Advertisements can also be used to trap other unsuspecting users and steal their passwords.
Of course, now you're wondering how to protect yourself. The best line of defense on the Web has always been to understand what a URL is and what it does. URL stands for Uniform Resource Locator. It's the thing in your address bar that determines which website you go to. Things like "http://www.google.com" or "http://en.wikipedia.org/wiki/URL" are two different examples of URLs. The most important part of the URL is the domain name. The domain name is the last part of the URL before the slashes ('/') start, but after the http://. For example, evilmonkey.com is the domain in this URL: http://www.facebook.com.friends.profiles.evilmonkey.com/other/distracting/stuff/. At first glance, you might think this would lead you to a Facebook page, but if you read the domain name from the right (the last two dot-separated parts before the first slash), you'll see that it's really going to take you to some website controlled by evilmonkey.com. This is the most popular trick used to steal people's information on the Internet. If more people would look at the real domain name before clicking on a link, then the evil computer monkeys would have a lot less success with their nefarious, little attacks.
To complicate things even more, evil monkeys can make a link look like one thing, but have it take you somewhere completely different. The text you see for a link and the address it actually points to are two separate things. For example, a link whose visible text reads http://www.facebook.com can still take you to evilmonkey.com. To see the real URL for that link, just hold your mouse cursor over the top of it, and the real URL that it will take you to will appear on your status bar (which should be in the bottom-left corner of your window). As a rule, you should always check the domain name in your address bar before you give any sensitive information to a website.
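The two checks described above (read the real domain name from the right-hand end of the host, and compare a link's visible text with where it actually points) can be automated. The following is an added example written for this post, not code from the original article; it assumes the site the reader means to visit is facebook.com and uses the post's own evilmonkey.com URL as a constructed sample. It deliberately keeps the "last two labels" rule the post describes, which is a simplification: hosts under multi-part suffixes such as co.uk would need the Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlparse

# The site the reader actually intends to log in to (assumption for this example).
TRUSTED_DOMAINS = {"facebook.com"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the domain name of a URL the way the post tells you to read it:
    the last two dot-separated labels of the host, i.e. 'evilmonkey.com' for
    http://www.facebook.com.friends.profiles.evilmonkey.com/other/stuff/.

    Simplification: this does not know about multi-label public suffixes
    (co.uk, com.au, ...); a real checker would consult the Public Suffix List.
    """
    # Bare hosts such as 'evilmonkey.com' have no scheme; give them one so
    # urlparse puts the host in netloc instead of path.
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname  # lower-cased, port and userinfo stripped
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None  # not a dotted host name, so there is no domain to report
    return ".".join(labels[-2:])


def is_trusted(url: str) -> bool:
    """True only when the real domain (not just some prefix of the host) is trusted."""
    return registrable_domain(url) in TRUSTED_DOMAINS


def link_mismatch(visible_text: str, href: str) -> bool:
    """The 'looks like one thing, goes somewhere else' check from the post.

    Returns True when the link's visible text names a domain and the link's
    real destination (href) goes to a different domain. Link text that is not
    a URL at all ("click here") gives no domain to compare, so it is not flagged.
    """
    shown = registrable_domain(visible_text)
    if shown is None:
        return False
    return shown != registrable_domain(href)


if __name__ == "__main__":
    # Constructed samples based on the URLs used in the post.
    for url in (
        "http://www.facebook.com/login",
        "http://www.facebook.com.friends.profiles.evilmonkey.com/other/distracting/stuff/",
        "http://en.wikipedia.org/wiki/URL",
    ):
        print(f"{'trusted' if is_trusted(url) else 'NOT trusted':>11}  {registrable_domain(url):<16}  {url}")

    # A link whose text says facebook.com but whose href points at evilmonkey.com.
    print(link_mismatch("http://www.facebook.com", "http://login.evilmonkey.com/facebook/"))
```

The domain comparison is done on the parsed host name rather than by searching the URL string for "facebook.com", which is exactly the mistake the decoy URL in the post is designed to exploit.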
I’m sorry to say that there are more complicated attacks that can make the URL appear one way, but redirect you to an evil monkey’s server anyway. Although possible, you are very unlikely to be the victim of such an attack. I just had to mention it so my tech-savvy friends won’t bug me after reading this article. Just remember to check your URLs!