Facebook 'ideal' for phishing attacks: researcher

Privacy settings on social networking websites such as Facebook give people a false sense of security that could expose them to phishing attacks, a computer security researcher says.

Facebook and sites like it offer users the opportunity to share varying amounts of information with others on the network, ranging from a restrictive setting that lets only people designated as friends see personal details, to one that lets anyone and everyone read the user's profile.

"This illusion of privacy leads people to be a little freer in their disclosure," Symantec Corp. security researcher Nick Sullivan wrote in a post to the company's security response weblog on Friday.

A quick scan of Facebook profiles confirms his assertion, with a broadrange of information freely offered by the service's users.

The profiles can include e-mail and physical addresses, phone numbers, birthdays, work and education histories and other information that can becompiled intoa comprehensive profile.

"This 'private' information found in many accounts is a treasure trove of contextual information for the determined phisher or identity thief, if they can get to it," Sullivan wrote.

One way to do so is to seize control of the account of someone designated a friendor someone in the same network, he said.

Phishers can easily engineer fake notifications that follow the format of legitimate friend requests e-mailed to Facebook members, for example. A typical e-mail would ask a user to click on a link to confirm that they are friends with an individual requesting addition as a friend on the network.

"Some users are conditioned to follow this process whenever they receive an e-mail of this sort," and almost reflexively log in to a site through a link provided in an e-mail, he noted.

"This simple, clean design is very easy for a phisher to mimic … This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions."