If your Facebook news feed has been polluted with some extremely graphic and unpleasant imagery lately, well, our condolences. But it’s probably not your actual Facebook friends who are posting it there. At least not on purpose. A massive wave of this kind of imagery has been appearing as a result of a directed attack on the social networking site.
Facebook says the problem is now under control and that suspects have been identified, but this relatively new kind of attack is one we might be seeing a lot more of in the near future. It’s described by Facebook as a “self cross-scripted attack.”
Chester Wisniewski of the security firm Sophos decodes that term for us. He says, “in essence, it means that people are being tricked into putting computer code directly into their own web browsers to spread these messages.”
Often, these attacks get started by someone getting lured in by a salacious headline, says Wisniewski. “We’ve seen things like this happen in the past on Facebook. The last major one we saw was one purporting to be pictures of the dead Osama bin Laden and you need to paste this special code into your computer to see the pictures. We’ve also seen things like gift card lures, like we’ve seen recently on Facebook where people are promised a $25 Starbucks gift card if they fill out a form, but instead of filling out the form the page says, ‘We can shortcut the process and you can just insert this special code into your computer and it will automatically sign you up for the free gift card.’”
You might wonder what the difference is between pasting in code and simply clicking on a link. A browser normally keeps the sites open in a session isolated from one another and will stop one site from controlling another. When you paste the code in yourself, however, that protection is gone: the code runs as part of the site you are on, with whatever access you have there. In that case, says Wisniewski, “Certainly you can surrender access to whatever website you’re operating on at the time. So if you’re on Facebook, then in theory by pasting this code in, the attackers would be able to take over your Facebook profile, and instruct your Facebook to do whatever they wanted. It could also be used to take all your photos and do just anything you can do as a human on Facebook. And even more scary to think about if you were to do this while you were logged into your bank, they could potentially transfer funds or transfer your account.”
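One defensive measure a site can add against the paste-in lures described above is a page-side guard that inspects pasted text and warns when it looks like code rather than a message. This is an added example, not code from Facebook or Sophos; the marker list and the sample pastes are constructed for illustration, and the heuristic is deliberately simple.

```javascript
// Added example: flag text pasted into the page that looks like script.
// This is a heuristic guard, not a replacement for browser protections.

// Constructed list of patterns typical of pasted "special code" lures.
const SCRIPT_MARKERS = [
  /^\s*javascript:/i,                  // javascript: URL pasted into a field
  /\b(?:eval|Function)\s*\(/,          // dynamic code execution
  /\bdocument\.cookie\b/,              // direct access to session cookies
  /\bXMLHttpRequest\b|\bfetch\s*\(/,   // requests sent with the user's session
  /<script\b/i,                        // inline script tags
];

// Return the source of every marker the text matches; empty means benign.
function scriptMarkersIn(text) {
  if (typeof text !== 'string' || text.length === 0) return [];
  return SCRIPT_MARKERS.filter((re) => re.test(text)).map((re) => re.source);
}

function looksLikeScript(text) {
  return scriptMarkersIn(text).length > 0;
}

// Constructed samples: an ordinary status update and a code-like paste.
// The placeholder string stands in for whatever a lure would have the user paste.
const SAMPLES = {
  benign: 'Check out these photos from the weekend trip!',
  scripty: "javascript:eval(atob('CONSTRUCTED_PLACEHOLDER'))",
};

// Browser-only hookup: block the paste and tell the user why.
// Skipped when run outside a browser (e.g. under Node for the checks below).
if (typeof document !== 'undefined') {
  document.addEventListener('paste', (ev) => {
    const text = ev.clipboardData && ev.clipboardData.getData('text/plain');
    if (looksLikeScript(text)) {
      ev.preventDefault();
      console.warn('Paste blocked: this text looks like code. ' +
        'Pasting code you do not understand can hand over your account.');
    }
  });
}
```

A guard like this only sees pastes into the page itself; text pasted into the browser's address bar never reaches the site, which is why the user-side advice that follows remains the primary defense.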
As for what you can do about it, Wisniewski repeats the same advice you should be following already in this age: “Good practices are one, always make sure your software is up-to-date. Run the latest version of whichever your favorite web browser is and make sure it’s up to date. And two, if you don’t understand something and it looks like a bunch of gibberish, you probably shouldn’t paste it into your browser.”
Also on this program, if you’re tired of politicians robocalling you, now you can call them back just as robotically. It’s called Reverse Robocall.