Thursday, 6 February 2020

Do you know about Phishing on Facebook | Tips 2020

In the era of developed digital communication channels, every Internet user is exposed to various attacks from crackers. One such threat is phishing, i.e. identity theft on the web, in which personal data is stolen - passwords for websites, credit card numbers or passwords to access bank accounts.


An attacker who conducts phishing uses sociological and psychological methods and crafted links to dull the user's alertness and thus steal his data. These methods usually involve impersonating websites, website or organization administrators, and convincing potential victims to provide their password, for example, due to modernization work or security activities.
The first registered use of this method of stealing information is from 1995, when clients of the internet service provider AOL (America Online) were attacked. Crackers pretended to be employees of the company and asked users to "verify their account" by disclosing the access password. The American giant managed to deal with this problem only after two years, and by then phishing was already beginning to gain popularity across the entire network.
Phishing is most often done by sending the user a form or message that resembles one that real site administrators could send.
Since the emergence of social networking sites, including the largest - Facebook, network criminals have seized the opportunity to take over a huge number of accounts. They are most often used to send malicious spam to other users. Phishing of private user accounts is a serious problem, but the high-stakes game starts when this phenomenon applies to fan page admin accounts. A fan page has a much wider reach and can convey content to many users in a short time. What happens if the fan page of a brand or organization with several hundred thousand fans is taken over? Spam then takes on an unimaginably large scale! In addition, the page can easily be discredited, for example, by placing obscene content on it.
It happened just a few days ago on the Gazeta Wyborcza fan page. The careless administrator of the fan page let himself be caught by a short, imprecise private message. In the message, the scammer asked for a quote for publishing a photo, which could be viewed at a link. After clicking on the link to the photo, it turned out that to see it you had to log in to Facebook again (of course on a fake website, which looked like the Facebook login panel - the only difference could be found in the address bar). Some administrators, more suspicious, asked why they needed to log in to the site again. The scammers' responses had all the hallmarks of psychological methods - it was explained that this was an unknown error that actually hinders and prevents customers from seeing the photo, and it was suggested not to pay attention to it, but simply to log in to the website. In this way, criminals got access data, including the administrator account of the fan page of one of the most widely read newspapers in Poland. A vulgar comment about both Wyborcza itself and Prime Minister Donald Tusk was published on the GW fan page, which caused a media storm. Only after a few hours did Facebook representatives restore the account to its rightful owner. The "hacker" himself did not cover all his traces and will probably be caught and held responsible for his actions.
Of course, the issue was not just about the fan page of Gazeta Wyborcza - administrators of other large sites were also victims of the attacks.

We are surprised by two things about this story:

  1. Why are administrators of fan pages interested in the possibility of publishing advertising content on their fan page? Pages can be set up specifically for publishing such advertisements, but certainly not the fan pages of a widely read newspaper or a well-known brand. In our opinion, it is unacceptable for advertising content on a fan page of a company, brand or organization to be different from that of the entity owning the fan page itself.
  2. How can the administrator of a large fan page that promotes a serious brand liked by over 100,000 users be careless and naïve enough to click on the link without checking its address (the link address itself was really suspicious), and even after clicking not check the address bar on the new login page? These are elementary principles of online security. The attack carried out by the fraudsters was not technically complicated - some say that phishing is "fishing for the naive" and, as it turned out, this definition worked perfectly well. Nothing protects against data loss like common sense and the principle of limited trust on the web.