eWeek Security Watch
October 2, 2009 9:31 AM

Facebook Attackers May Have Cracked CAPTCHA
Researchers at AVG Technologies may have uncovered a scheme by attackers to circumvent the CAPTCHA protections on Facebook to create fraudulent accounts.

According to Roger Thompson, chief of research at AVG, the firm discovered a number of Facebook pages whose creation appears to have been automated by attackers. The bogus pages were being used to spam out links leading to sites pushing rogue antivirus.

"The rogues are being created by some central group...and then being re-sold via an affiliate model," he said. "Once it's installed...at a minimum, they get your credit card when you register the software."

If attackers have indeed cracked the CAPTCHA on Facebook, it will hardly be the first such defense to fall. Black hats have made mincemeat of CAPTCHA technologies on Yahoo Mail and other Web mail services in the past. However, officials at Facebook aren't sure that's what happened.

"Based on our investigation and the relatively small number of accounts created, we're almost certain that they were created manually, rather than by a bot," Facebook spokesman Simon Axten said. "We think this actually validates the captchas we use, as well as the various other automated security systems we've implemented, which severely limited the scope of this attack and enabled us to get all evidence of it off the site before people were actually harmed."

Thompson conceded it was possible the accounts were created manually, but he doubted it.

"They might be setting them up manually, but the numbers of accounts seem to be too high for that, and the accounts look automated," he said. "There's no extra data, for example. It's the same each time, and only the name changes."
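The tell Thompson describes (profiles that are identical in every field except the name) is something a defender can turn into a simple triage check over newly created accounts. The Python below is an added example written for this page, not code from AVG or Facebook; the account records, field names and the cluster threshold of three are all constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed sample registration records (not real accounts). The first
# five are "templated": every optional field is identical and empty, only
# the display name differs. The last two look organically filled in.
SAMPLE_ACCOUNTS: List[Dict[str, object]] = [
    {"name": "Alice Kim",  "bio": "", "location": "", "school": "", "photo": "default_avatar", "friends": 0},
    {"name": "Bob Ray",    "bio": "", "location": "", "school": "", "photo": "default_avatar", "friends": 0},
    {"name": "Cara Lund",  "bio": "", "location": "", "school": "", "photo": "default_avatar", "friends": 0},
    {"name": "Dev Nair",   "bio": "", "location": "", "school": "", "photo": "default_avatar", "friends": 0},
    {"name": "Ema Costa",  "bio": "", "location": "", "school": "", "photo": "default_avatar", "friends": 0},
    {"name": "Dana Ortiz", "bio": "hiking, coffee, bad puns", "location": "Austin, TX",
     "school": "UT Austin", "photo": "9a0364b9", "friends": 142},
    {"name": "Eli Park",   "bio": "", "location": "Seattle", "school": "", "photo": "7c6a180b", "friends": 12},
]

# Profile attributes compared when looking for a shared template. The
# account name is deliberately excluded: it is the one field that changes.
PROFILE_FIELDS: Tuple[str, ...] = ("bio", "location", "school", "photo", "friends")


def template_signature(account: Dict[str, object],
                       fields: Sequence[str] = PROFILE_FIELDS) -> Tuple[object, ...]:
    """Return a hashable tuple of the non-name profile fields."""
    return tuple(account.get(f) for f in fields)


def find_templated_clusters(accounts: Sequence[Dict[str, object]],
                            min_size: int = 3,
                            fields: Sequence[str] = PROFILE_FIELDS) -> List[List[str]]:
    """Group accounts whose non-name fields are identical.

    Returns the names in each group of at least `min_size` accounts, largest
    group first. A large group built from an all-empty or all-identical
    template is what "only the name changes" looks like in data.
    """
    groups: Dict[Tuple[object, ...], List[str]] = defaultdict(list)
    for account in accounts:
        groups[template_signature(account, fields)].append(str(account["name"]))
    clusters = [names for names in groups.values() if len(names) >= min_size]
    clusters.sort(key=len, reverse=True)
    return clusters


def fraction_templated(accounts: Sequence[Dict[str, object]], min_size: int = 3) -> float:
    """Share of the batch that falls into some templated cluster."""
    if not accounts:
        return 0.0
    flagged = sum(len(c) for c in find_templated_clusters(accounts, min_size))
    return flagged / len(accounts)


if __name__ == "__main__":
    for cluster in find_templated_clusters(SAMPLE_ACCOUNTS):
        print(f"templated cluster of {len(cluster)}: {', '.join(cluster)}")
    print(f"fraction of batch flagged: {fraction_templated(SAMPLE_ACCOUNTS):.2f}")
```

The check is a triage signal rather than proof of automation: a handful of genuinely empty profiles will share a signature too, which is why the threshold matters and why a flagged cluster should be reviewed alongside other registration telemetry rather than disabled on this evidence alone.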

Either way, Axten said Facebook is working to identify any fake accounts that have been created and disable them. In the meantime, Facebook users are advised to use caution when receiving unsolicited links or messages from people they don't know.

Comments (1)

As I opine in the blog post below, cyber criminals prey on the inclination of social network users to open things they believe are from people they know.

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/worms-virus-trojan-rob-facebook-myspace-social-network-users

Given the never ending vulnerabilities in web browsers...

http://www.blueridgenetworks.com/securitynowblog/web-browser-plug-ins-activex-npapi-vulnerabilities-zero-day-exploit-attacks-indefinitely

Users must supplement their traditional anti-virus/spyware computer protection with a newer technology. But most users do not know this is needed. Even worse, social engineering approaches can trick users into disabling their security software to install something. There truly is no practical way to determine if something from an unknown source is safe or not. The only prudent thing for users to do is to only install software and plug-ins from reputable sources (ideally, digitally signed software and universally understood indicators would help dramatically). This is a behavior change they must make.

Cheers,

Eirik
