Here we go again. Radware’s threat research group recently announced that more than 40,000 Facebook users were duped into downloading a “Relieve Stress Paint” application, via a crafty phishing email, that stole their login credentials and browser cookies while they pretend-painted in the app. Worse, the attack was clever enough to avoid being flagged by a typical antivirus app.
So, how can you keep your data safe in these instances? Let’s review.
Don’t download bullshit apps
Seriously. Since you’re an astute Lifehacker reader, you probably have a pretty good Spidey Sense when you see a website that looks like this, asking you to download an app that sounds a little weird:
That is, in fact, a screenshot of the website where these phishing emails directed less-savvy recipients. The site also turns up in Google, if you somehow craft a query weird enough to make it pop up in your results.
In both cases, the malware creators use look-alike Unicode characters (a homograph attack) to make the website’s URL appear in the email (or search listing) as something much more innocent: aol.net or, in my case, picc.com. Hover over the link, or look at the address bar once you click through, and you’ll see something quite different: xn--p1aca6f.com, for example. The xn-- prefix is punycode, the ASCII encoding browsers fall back to when a domain name contains characters outside plain ASCII, and it is the one reliable tell that the “aol” or “picc” you were shown isn’t spelled with Latin letters at all.
I digress. Rule number one of not getting suckered by a piece of malware is to not download things that look or sound completely bogus. I realise this advice can’t apply to everyone — your not-so-tech-inclined parents, your click-happy children, or your pet that walks all over your keyboard and mouse when you’re asleep.
For them, consider using a browser extension or a DNS filtering service (like OpenDNS) to whitelist the handful of sites they are allowed to visit. You can also whitelist apps directly in Windows and macOS, which keeps your friends and loved ones from running programs they shouldn’t, and will save them even more stress in the long run.
But if you still get duped anyway…
It happens. If you later learn that something you downloaded might have exposed your Facebook credentials to a bunch of hackers or spammers, you have a few options. (And we’re assuming you’ve already deleted the malware / scanned your system with a strong antivirus and malware-removal app / nuked your computer from orbit.)
First, change your Facebook password, the easiest fix of all, and do it from a device you trust, since a machine that is still infected may simply harvest the new one. Make it a good, strong password (or passphrase) while you’re at it. This won’t undo whatever data has already been shared around the web, but it will at least stop others from logging in as you with the stolen password. This is the single most important step you can take.
Second, enable two-factor authentication for your account, from Facebook’s Security and Login settings page. This might not have helped you in this particular attack, as Ars Technica’s Dan Goodin notes, but it’s still an important security measure:
“It’s always a good idea to protect accounts with multifactor authentication, but it’s not yet clear if that protection would have prevented attackers in this campaign from accessing compromised accounts. Because the malware stole both passwords and cookies, it’s possible the cookies allowed the attackers to bypass the protection.”
Third, use that same Security and Login settings page to enable alerts about unrecognised logins. Then, click “See more” under “Where You’re Logged In.” If the list shows a device you don’t recognise, or a login from a country you didn’t visit, say, yesterday, you’ve been compromised. While you’re here, scroll to the bottom of the expanded list and find the “Log Out Of All Sessions” link. Click it: a new password does not, by itself, invalidate sessions that are already open, and this is the step that actually kills any session tied to the cookies the malware stole.
Fourth, this is a great time to let friends and loved ones know about the “See recent emails from Facebook” option. If they receive an email from the social network that appears dubious, they can check to see if it’s an authentic email from Facebook in this section. We doubt Facebook would ever ask someone to install, say, a stress-relief application, but there are definitely more clever spoofs of legitimate Facebook emails that might convince a more gullible user to “log in” to a fake Facebook site.
Finally, open Facebook’s Settings page, go to Account Settings and pick Payments from the left sidebar. If you’ve entered a credit or debit card into Facebook for any kind of payment, like in-app purchases, consider removing it if you’re no longer using it. That way, if someone does gain access to your account, they can’t make payments on your behalf or pay for bogus advertisements that spread the malware even further.