Thursday, October 22, 2009

How Facebook "Fan" pages and a small digital footprint can make someone a target

A little while ago, I noticed that financial institutions (banks, credit unions, etc.) are creating "Fan" pages on Facebook. I assume this is being used as a marketing tool so "fans" can advertise that they are happy with whichever bank they use.

Although this marketing concept LOOKS good on the surface (inexpensive to maintain, broad market coverage, free advertisement, etc.), it has piqued my interest from an information security standpoint.

Any social engineer worth their salt will be quick to exploit information that is being handed to them on a silver platter. There is no restriction on membership of a bank's fan page, so anyone can become a fan...even someone with a fake profile. From there, it is very easy to pull a list of Facebook users who have publicly declared themselves customers of that bank.

Now that the social engineer knows a person's name and what bank they use, it's not long before they find an email address (especially if it is posted to the person's Facebook page). A simple "your account needs updating" email along with a link to what LOOKS like your bank's website, and the social engineer has just been handed someone's account number, password, etc. (for example, compare http://www.wellsfargo.com/ to this screenshot of a fake Wells Fargo website: http://cache.gawker.com/assets/images/consumerist/2009/05/051309-004-fake-wells-fargo-site-2.png).

Be sure to check your URLs when you click links. An unfamiliar extension such as .ru or .cn is one warning sign, but the real check is the domain name sitting immediately before the first single slash: "wellsfargo.com" buried in a longer hostname (or hidden before an "@") is not your bank, and a letter swapped for a look-alike digit is not your bank either.
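To make that URL check concrete, here is an added example (my own code, not part of the original post) that classifies a link as trusted, look-alike, or untrusted by comparing the registrable domain of the hostname against a bank's real domain. It assumes wellsfargo.com is the only legitimate domain, uses a naive "last two labels" rule for the registrable domain, and the sample URLs are constructed for illustration; they are not real phishing sites.

```python
from urllib.parse import urlsplit

# Assumption for this example: the bank's only legitimate registrable domain.
TRUSTED_DOMAINS = {"wellsfargo.com"}

# Digits and symbols commonly swapped for letters in look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host):
    """Naive registrable domain: the last two DNS labels.

    Caveat: country second-level suffixes such as .co.uk need a public
    suffix list; this is deliberately kept simple for the example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return 'trusted', 'lookalike', 'untrusted' or 'invalid' for a URL.

    The TLD alone is not the signal: the decision is made on the domain
    that actually receives the request (the hostname), while brand names
    appearing anywhere else in the URL (subdomains, userinfo before '@',
    the path, or with digits for letters) are treated as look-alikes.
    """
    parts = urlsplit(url)
    host = parts.hostname  # strips userinfo and port, lowercases
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"

    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "trusted"

    # Everything an eye might be fooled by: userinfo, subdomains, path.
    visible = (parts.netloc + parts.path).lower().translate(_HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in visible:
            return "lookalike"
    return "untrusted"


# Constructed sample links (not real sites) exercising each case.
SAMPLE_LINKS = [
    "https://www.wellsfargo.com/",                              # the real thing
    "http://www.wellsfargo.com.secure-login.ru/update",         # brand as subdomain
    "http://www.wellsfargo.com@203.0.113.5/",                   # brand hidden in userinfo
    "http://wellsfarg0.com/account",                            # digit zero for 'o'
    "http://example.org/news",                                  # unrelated site
    "javascript:alert(1)",                                      # not a web link at all
]


def classify_samples():
    return [(link, classify_link(link)) for link in SAMPLE_LINKS]


if __name__ == "__main__":
    for link, verdict in classify_samples():
        print(f"{verdict:10s} {link}")
```

Run it and only the first link comes back as trusted; the three with "wellsfargo" somewhere in them are flagged as look-alikes even though two of them sit under a completely different registered domain, which is exactly the case an email client's blue underlined text hides from the reader.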

Even someone with a minimal digital footprint can easily make themselves a target if they are not careful on social networking websites. So when using these sites for personal or promotional purposes, please exercise caution...it can keep you from becoming a victim.

Has anyone ever attempted to scam you? Did it work? Have you been the victim of identity theft? Feel free to contribute your thoughts, experiences, recommendations, etc!