Sophos, Mashable, ID Guardian and a number of other media outlets have reported today about a scam that is targeting fans of the popular series “Twilight.”

Users are being tricked into “Liking” the scam links, but the ultimate goal is to steal your personal information. By clicking on the “Play Now” button, you will be “clickjacked” and the scam will spread itself virally to all of your other friends on Facebook (not a good thing!).

What to do if you’ve already been hit by this scam? Sophos has created a YouTube video that will show you how to clean up your Facebook account. As we always say, please, please be careful on which links you click, even if they are from a “friend” on Facebook!

Want to learn more about identity theft and fraud protection?

Keep informed about the latest threats to your safety. Join our Facebook group.

Take the first step. Learn more about the flexible and innovative solutions from IDENTITY GUARD®.

In today’s edition of the Daily Shield, Intersections’ Consumer Security Advisor Neal O’Farrell talks about the dangers of social media.

One tweet, one word, one mistake. That’s all it took to not only cost a media executive his job, but also placed the jobs of twenty of his colleagues in jeopardy.

That’s according to a recent story on AP. The first victim to be “twipped up” by the tweeting was the media executive working under contract to Chrysler in Detroit. While stuck and frustrated in traffic clogging the motorway, he used a common expletive in a pretty tame 140 character observation about how bad Michigan drivers really were.

But instead of posting it on his personal twitter feed, it inadvertently made it to Chrysler’s corporate Twitter feed. And the motor city giant was not pleased.

In what some might see as a typical overreaction by an overly sensitive corporate giant, Chrysler went into damage control mode and not only fired the tweeter, but took the entire account away from the media company that employed him.

Which meant twenty of his colleagues also lost their jobs. A very high price to pay for a simple error of judgment. Maybe too high. Certainly this executive’s future in the media business is probably in great doubt, and who knows what damage will be done to the small business that lost such a big account.

But maybe it will backfire on Chrysler too, who may be seen as too sensitive to the small flub and way too insensitive to hardworking locals who may now be joining Michigan’s very, very long unemployment line.

And exactly what was the offending tweet? “I find it ironic that Detroit is known as the #motorcity and yet no one here knows how to (expletive) drive.”

But it does serve as a warning. Nothing you post on social networking is safe or private. Employers are increasingly showing zero tolerance for anything done or said on social networks that might negatively impact their business or reputation.

In September 2010, email security firm Proof Point releases a study that found 20% of companies polled had disciplined employees for social networking mistakes or policy breaches, and 7% had actually fired employees. And in the recent 2011 Javelin Strategy & Research Identity Fraud Survey Report, users of social networks are twice as likely to suffer identity fraud compared to those who do not.

Which may be why more than half the companies polled actually ban the use of Facebook in the workplace, and nearly a third ban LinkedIn.

Want to learn more about identity theft and fraud protection?

Take the first step. Learn more about the flexible and innovative solutions from IDENTITY GUARD®.

In a letter to congress released yesterday, Facebook announced its intention of moving forward with plans to release personal information (phone numbers, email addresses, physical addresses) to 3rd parties. Facebook had actually made this announcement several months earlier, but then backed off implementing the policy amidst public outcry.

The letter from Facebook, written to Reps. Edward Markey (D-Mass.) and Joe Barton (R-Tex.) states, “We have not yet decided when or in what manner we will redeploy the permission for mobile numbers and addresses,” the letter states. “We are evaluating whether and how we can increase the visibility of applications’ request for permission to access user contact information. We are also considering whether additional user education would be helpful.”

The Daily Shield does not want to wait for Facebook to provide that “additional user education.” It’s easy to limit 3rd-party access to your information. Here are our recommendations:

1. In the upper right hand corner of your Facebook profile, click on “Account” and then click on “Privacy Settings”
2. You are now on a page titled “Choose Your Privacy Settings”
3. Under the heading “Sharing on Facebook,” select “Custom.” This allows you to select what information you will share and with whom.
4. Select “Customize Settings”
5. This page allows you to decide who can see and comment on things you share, things on your Wall and things you’re tagged in. At this point, what you share is matter of your own personal choice, but we suggest at a minimum that you select “Only Friends,” for information such as Wall Posts, Relationships, Bio, etc.
6. Scroll down to the bottom of the page and under the Contact Information settings, change the settings for “Mobile Phone,” “Other Phone,” “Address”, “IM Screen Name”, and your email address to “Only Me.”

We at the Daily Shield question the need for even listing information such as your phone number and address on social networks like Facebook. Your real friends already have your contact information, and there is no reason to share that information with the rest of the world. The best defense is not posting your personal information to Facebook at all. The only way to completely eliminate the possibility of 3rd-party applications from accessing your personal information is by not posting personal information to Facebook.

Facebook is a remarkable tool that lets you share information with friends and family. But, it is not a phone book or online directory. Ultimately it all becomes a personal decision. You, and you alone can decide what information you wish to share.

Let’s be perfectly clear. We love Facebook and the power of social networking technology. We at Identity Guard have our own Facebook page, and we use it to pass along information that we consider to be vital for protecting the one thing that makes you uniquely you – your identity. But at the end of the day, each of us has to take responsibility for protecting ourselves. And that protection starts with being constantly vigilant and being careful about the type and amount of information you put out there on the Internet for all to see. Here are some additional tips for staying safe online.

Facebook VP Ellliot Schrage said it best when he commented on a similar privacy uproar last year. He said, “If you don’t want Facebook to share your personal information, don’t share your personal information with Facebook.”

Well said Elliot. We agree. We couldn’t have said it better ourselves.

Want to learn more about identity theft and fraud protection?

Take the first step. Learn more about the flexible and innovative solutions from IDENTITY GUARD®.

Neil O’Farrell, Intersections Consumer Security Adviser is back today with a fascinating article about some of the inner workings of Facebook. It’s worth mentioning upfront to our readers that we at the Daily Shield love social networks. However, we encourage everyone to be very cautious about the amount of information you share, We’ve written about the dangers of sharing too much information on social networks like Facebook. Neal’s article today once again reinforces that point. Enjoy!

Douglas Purdy is Facebook’s Director of Developer Relations, a position just three months old for the company. Part of this new job is to “improve Facebook’s relationship with the community,” and it’s already been a baptism of fire for Purdy, or anyone brave enough to step into this role. In fact, last week on Facebook would challenge any individual simply using this social network.

Their roller coaster week started on January 16 (a Sunday morning) when blogs started to chatter about a new wrinkle in approving applications to your account. Facebook said it was planning to provide application developers with your immediate contact information, specifically your address and mobile phone number, if you wanted to use any of these apps. Considering the number of malicious apps that get through Facebook’s compliance checks and the number of current games accused of violating their Terms of Service, this decision to share such sensitive information stunned a lot of Facebook users, including watchdog groups and media critics.

The new option really couldn’t be fairly described as an option, because as a user you couldn’t choose to “share or not share” your address and phone number. You either allowed the developers access to this information, or you were denied use of their application.

So, while free, the application would come with a price.

The following Monday (January 17), just twenty-four hours later, Facebook announced this new feature was on hold. In a post appearing on Facebook’s developer blog, Purdy announced:

“Over the weekend, we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and we are making changes to help ensure you only share this information when you intend to do so. We’ll be working to launch these updates as soon as possible, and will be temporarily disabling this feature until those changes are ready. We look forward to re-enabling this improved feature in the next few weeks.”

So exactly what will these changes be? That remains to be seen. Will the feature have an opt-out that still allows the application access to your Facebook account? Will the permission’s verbiage be reworded? Will Facebook reconsider the option on a whole? Only time will tell. And while no one outside of Facebook knows for certain, the decision to not implement this authorization was an encouraging gesture, especially considering that Facebook has received criticism over the years in their regards to users’ privacy.

Facebook has always emphasized the “social” aspects of their social network as a rebuttal to privacy criticisms, which is why this retracting of this option comes as a surprise. Maybe it’s a sign of a new Facebook for the new year. Perhaps the sharing site reconsidered this option in light of the criticism. Perhaps it was a step towards a more privacy-sensitive social network.

Then came January 18. Perhaps not.

Matt Cutts, head of Google’s anti-spam team, blogged about an alarming discovery he made concerning Facebook’s top advertisers. As reported by AdAge and Comscore, the top five advertisers on Facebook were:

• AT&T
• Match.com
• Make-My-Baby.com
• Verizon
• Google

While the top two and bottom two advertisers are familiar brands to most people, the advertiser holding Slot #3 was a newcomer., Make-My-Baby. A start-up, buying 1.75 billion ad impressions? Something didn’t sound right to Cutts so he paid Make-My-Baby.com a visit.

Make-My-Baby.com, on the surface, is a “paper doll site” where you place various hats, glasses, and silly accessories on a baby’s face. But to any visitors to their site, what appeared to be a harmless game became much more sinister when the site asked visitors to “install a browser plug-in to present an enhanced experience” before they can play. If you ever visited that site, on agreeing to the terms of the plug-in your browser’s default search engine and homepage would be automatically switched to Bing, Microsoft’s own search engine; and a portion of any revenue generated by search ads goes to another unknown firm called Zugo, creator of Make-My-Baby.com.

In the first 24 hours that this story broke on Read, Write, Web, the fallout has been interesting to say the least:

• Make-My-Baby.com is no longer online. (You are re-routed to PredictMyBaby.com instead.)
• Comscore denies they made any such report. (AdAge provided to Read, Write, Web the Comscore chart that AdAge was referring.)
• Bing has terminated their relationship with the developers of Make-My-Baby.com

Perhaps the most interesting reaction is from Facebook:

“Make-My-Baby is not an advertiser at all on Facebook and any affiliates that try to push people there we would shut down. Those ads would not be allowed as part of our policy.”

In other words, Facebook is denying that they do business with a company that purchased nearly 2 billion advertising impressions.

These three days, once again, brings Facebook under scrutiny as to exactly how they are running their business. On one hand, the social networking superstar is listening to the criticism, seeming to want change in their public perception of users’ privacy. On the other hand, it seems to be business as usual.

So which is it?

What we as users of social networking sites must keep in mind through all this that when we use a service that is “free” it really isn’t. We may not be paying to use and enjoy Facebook, but we still make money for Facebook – in the ads that appear on individual pages and in the data users are compelled to share. Simply keeping you information offline may not be the absolute answer (while you can police yourself, who will police your friends?), but it is a start.

We must give ourselves limits not only in what we share, but what we are willing to accept. If Facebook is not compliant with your desires of privacy, a terrific solution is to curb your use of the service. Generic updates. No pictures. Limiting profile information. Your relationship with Facebook is only as personal as you choose to make it. And if you decide not to use Facebook, for whatever reason, it’s no big deal.

Remember that when it comes to social connections and contacts, Facebook does not have the final say. You do. You hold the power in what is shared and how much is shared. The final decision is yours. Now that’s the real power of social networking.

Want to learn more about identity theft and fraud protection?

Keep informed about the latest threats to your safety online and offline. Join our Facebook group.

The Daily Shield welcomes Intersections Consumer Security Adviser Neal O’Farrell as he writes a follow up to post about a Facebook scam that he reported on last November.

This week, I thought I’d revisit a case I talked about a few months ago, in part because the accused actually plead guilty and so we can talk about the case in more detail. But also because it was such a troubling case and one that revealed that Facebook scams and hacks can be far more sinister than we imagine.

This particular case highlights a growing threat, where your Facebook profile is simply the means to some dark end. According to California’s newly appointed Attorney General, 23-year-old George Bronk recently plead guilty to a variety of charges that should send him to prison for many years. And his crime spree took advantage of a very obvious loophole in Facebook – one created by users.

According to the indictment, Bronk would trawl Facebook pages looking very specifically for the profiles of women that included their email address. No matter how many times we’ve cautioned against it, many Facebook users still make their email address open to everyone.

Once he found a Facebook profile that included an email address, his next step was to contact the email provider, pretend to be that user, and get access to their email account. But in order to do that he would have to answer the security questions selected by the legitimate user.

And where did he find those answers? He found them in the Facebook profiles of his victims, of course. Not only were his victims sharing their email addresses with complete strangers, they were also innocently revealing the answers to their email security questions by simply talking too much on Facebook.

According to the indictment the common security questions posed by e-mail providers included, “What is your high school mascot?” “What is your father’s middle name?” “What is your favorite food?” and “What is your favorite color?” Bronk was apparently able to find most of the answers in the victim’s own Facebook comments.

Once he was able to access a victim’s email account, he could then change the password and lock them out. And because he now had control over the victim’s email account, he was also able to access their Facebook pages. All he needed to reset their Facebook password was to have a new password sent to their email address. The very email address he now controlled.

And with that email control, his motives became more apparent. What he was really after was not their email communications or personal information, but very specific content that he knew many email users might keep – nude, semi-nude, or otherwise embarrassing photos that the victim might have emailed to other people.

Armed with these embarrassing photos, Bronk would then launch the next phase of his attack – extortion. He would contact the women whose embarrassing photos he had managed to access, and would demand they send him even more explicit photos in exchange for a promise not to publish these photos or send them to the victim’s entire email list; a list which could obviously include parents and other family members, employers, customers and many others. And that threat appeared frightening enough for at least 46 victims to comply with his demands.

Over a period of a little more than a year, Bronk is believed to have targeted women in 17 states and even in England. When police raided his home, they found more than 170 files containing explicit images, as well as the personal email addresses of more than 3,000 women whom he had either been researching or already had targeted.

This seedy case highlights how the basic hacking of email and Facebook accounts can be a simple precursor to far more serious crimes – in this case sexual extortion. And it’s such an easy crime to pull off, I can’t imagine the damage it might do to a young teenager who may not take security and privacy very seriously, might not exercise good judgment in the types of photos he or she might keep on Facebook or exchange by email or by phone, and might be more easily persuaded into complying with the sick demands of a criminal like this rather than risk having their parents or classmates find out about these images.

It also shows just how easy it still is to spoof Facebook and email providers, especially when we’re still relying on the answers to simple questions that in an age of global connectivity, just about anybody can find the answers to.

The California Attorney General’s office did offer some useful advice, like picking security questions and answers that are not public knowledge. But as users, we rarely get the option to “create” the security questions we’re asked.

But the most important option you have to protect your identity is to minimize the amount of personal information that we post about ourselves, anywhere.

Read the full warning about identity theft from California Attorney General Kamala D. Harris

Want to learn more about identity theft and fraud protection?

Keep informed about the latest threats to your safety. Join our Facebook group.

The Daily Shield is once again pleased to publish this article by Intersections’ Consumer Security Advisor, Neal O’Farrell.

If you’re still not convinced that it really is a bad idea to post any  suggestive images or videos of yourself on Facebook or any other  online site, or even just email them to friends, maybe this tangled tale  will help change your mind.

A hacker was recently arrested in California after the FBI, California  Highway Patrol and many other agencies concluded their  investigation into a very strange case that included hacking,  impersonation, extortion, and even child pornography.

The accused hacker started his attack by simply trawling Facebook pages looking for women he could target. Once he had identified his targets, and engaged them in online conversation, he approached their email service providers, pretending to be his victims, and guessing the answers to the security questions was able to access their email accounts, change their passwords and lock out the victims from their own accounts.

Now he had complete access to all their email messages and everything the victims had ever sent or received. And apparently in many cases that included nude or semi nude photographs and videos the victims had previously exchanged with friends.

Armed with this treasure trove of potentially embarrassing information, the hacker began the process of threatening and humiliating his victims in complying with his sordid demands. Because he had access to their email accounts, the hacker sent the images to everyone in the victim’s email address book and threatened to post the images more widely – unless the victims agreed to send him even more explicit images of themselves.

A number of victims are believed to have complied with his demands, and in some cases the hacker even posted the stolen images on public web sites, including Facebook. When he was arrested, investigators found more than 3,000 email profiles on his computer, suggesting that the hacker was planning a very large and long campaign of extortion. By the time of his arrest he had already targeted an estimated 170 victims. Investigators also discovered more than 1,000 images and 50 child pornography videos on his computer.

This case is by no means unique and should be a clear reminder that if you ever take very personal photographs or videos of yourself, don’t assume that it’s ever safe to post them on Facebook (or anywhere else online) or send them by email.

It’s also a reminder of just how easy it can be for a complete stranger to guess the answer to your secret questions, take over your email account, and wreak havoc on your life.

Keep informed about the latest threats to your safety. Join our Facebook group.

Take the first step. Learn more about the flexible and innovative solutions from IDENTITY GUARD®.