Many Facebook users were surprised to find graphic pornographic and violent images in their news feeds this week, following a widespread spam attack. The company said that it now has the issue under control.
The company cited a “browser vulnerability” that allowed hackers to post the images to users accounts. Judging from Facebook’s statement, however, the heart of the problem is that people were somehow tricked into copying and pasting a line of malicious code into their browser bars.
Facebook said that it has identified the hackers and is working harder to educate its users even as it strengthens its own systems. Here are some details of the attack and what you can do to protect yourself.
What happened?: Facebook hasn’t been particularly forthcoming with the details, saying only that a spam attack essentially tricked users into sharing the offensive images without their knowledge. The attack also apparently exploited the “browser vulnerability” that appears to have helped the attack spread more widely.
In the past, scammers have used this sort of trick by offering fake gift cards or discounts, said Chester Wisniewski of the security firm Sophos. Scammers tell customers they can get the deal by pasting a line of code into their browser bars. That code often hides a line of programming that lets hackers unlock that user’s profile.
Most of the time hackers use this method for their own ends, often to get users to go to fraudulent sites. Wisniewski said the strange thing about this attack is that it doesn’t seem to be generating any sort of benefit for the scammers other than generating outrage from Facebook users.
What is Facebook doing?: Facebook said Tuesday that it has working on its back-end to stop the spam attack and has the situation mostly under control. In a Wednesday statement, the company also said that it has identified the hackers and is working with its legal department to pursue them.
The company is also setting up “educational checkpoints” to make sure that users know how to identify potential scams.
How has it dealt with this sort of thing in the past?: Facebook has successfully prosecuted spammers using its network to Harris users in the past. In August, the Justice Department announced that it had indicted the Facebook “spam king” Sanford Wallace for accessing more than 500,000 Facebook accounts and sending more than 27 million spam messages. A judge had previously ordered him to pay $711 million.
What can I do?: To avoid being taken in by scams such as this one, there are a few common sense things you can do to protect yourself.
One is simply not to click on suspicious things. Whether it’s an offer for a free cup of coffee or a free iPad, be extremely wary about what you agree to like or join. And never paste lines of code into your browser bars, no matter how great the offer seems.
Second, if you get a message about an offer from a friend that requires you to click on a link, double-check with your friend to make sure they know they sent it. Generally, it’s a good practice not to follow through on these sorts of offers, since most of them are scams.
Finally, consider turning https browsing on in your Facebook settings. It limits your access to some content and can be a bit annoying but it’s worth it to avoid getting taken in by spammers. To do this, head to your Account settings, then to the security section. “Secure Browsing” should be the first option in the menu; tick the checkbox to enable the setting.
(The Washington Post Co.’s chairman and chief executive, Donald E. Graham, is a member of Facebook’s board of directors.)