This story was first published on October 12, 2012
According to yet another dubious “security alert” on Facebook, users should avoid clicking links couched as requests for profile information from Mitt Romney.
The messages suggest that these requests are the work of “Obama Nation hackers” who can use the replies to hack and block user accounts. The message claims that large numbers of people have already had their accounts compromised in this manner. A second part of the message further warns users not to respond to “security check” messages because they are also sent by hackers.
Alas, like many others of its ilk, this message is simply too vague and confused to have any genuine merit as a security warning. There are no credible security reports about a current phishing or malware attack that uses fake profile requests purporting to be from Mitt Romney. Moreover, the message provides no details about how this supposed “hacker” tactic actually works. Do the links in these alleged hacker messages open a phishing website that tries to trick users into divulging account login information? Or do the links lead to a site that harbours information-stealing malware that can be installed on the victim’s computer? How are the supposed scam messages actually worded? The “alert” does not bother to include any of these important details, nor does it reference any source where users can find more information about the supposed threat.
Rather confusingly, the latter part of the message apparently attempts to describe a second aspect of the “hacker” attack in which people receive bogus “security check” messages. The wording of the alert suggests that such messages may come from the accounts hijacked in the initial “Romney” profile request attacks. Again, the warning message provides no detailed information about how this “security check” attack actually works.
In fact, the “security check” part of the warning may be a garbled reference to a long-running criminal tactic by which Facebook users are tricked into divulging their account login details in response to messages that falsely claim to come from “Facebook Security”. These bogus Facebook Security messages are often sent out via accounts that have already been hijacked in earlier incarnations of the same type of phishing scam. But in its current form, the above “security alert” is just too confused and lacking in detail to be an effective warning about these Facebook Security phishing scams.
The message finishes by advising people to check their privacy settings. But it gives no information whatsoever about which settings people should check or how changing privacy settings could help them avoid becoming victims of phishing or malware attacks. Again, the information in the alert is vague to the point of uselessness.
Of course, the underlying generic advice in the message – be cautious of clicking links in unsolicited messages and beware of “security” messages asking you to verify account information – is worth heeding. And scammers often use the promise of news or gossip about current events such as elections and key players such as Obama and Romney as the bait to entice people to click their links. Nevertheless, to have any real validity, computer security alerts must contain accurate, up-to-date information about the perceived threat and provide enough details so that recipients can recognize and avoid the attack described. Vague and garbled security alerts – even those with an underlying grain of truth – are likely to confuse and mislead users and will do nothing to help increase their online safety.
An example of the hoax warning:
Security alert : OBAMA NATION hackers are asking you to click on a ROMNEY request for your profile etc … a large number of our friends accounts have been hacked and blocked , do not respond to their messages for “security” checks .. both requests are hackers : pass it on to your groups and friends : recheck your privacy settings :