5 Facebook, Twitter Scams to Avoid

13.07.2009

Cluley about a friend who was contacted by a scammer looking for money with this tactic. Fortunately, Cluley's friend was clever enough to recognize the scam and managed to trick the criminal into visiting a personal web site he maintains and ultimately captured his IP address. It turns out, as predicted, the person on the other end was at a computer in Nigeria, not Paris.

Sean Sullivan, a security advisor in the F-Secure Corp. security labs, said most of these attacks are the result of a compromised username and password. Sullivan recently criticized Facebook for its security-question protocol, which he thinks uses outdated questions such as mother's maiden name, and said he thinks the company should consider letting users choose their own security questions.

"Perhaps when the college kids that created Facebook designed it, they never thought anyone would be able to guess their father's name," said Sullivan. "But I actually have my father in my network. It wouldn't be too hard to figure that out."

OMG! Did you see this picture of you? Both Facebook and Twitter have been plagued by several phishing scams that involve a question that piques the user's interest and then directs them to a fake login screen. Typically, the user receives a message such as "Did you see this picture?" with a link included. The user clicks the link and is prompted to enter log-in credentials on a fake log-in screen.

On Facebook, for example, members might receive a message in their inbox, or a message on their wall, that directs them to another site which looks identical to the Facebook log-in page. Just last week, Twitter users began receiving tweets that asked "OMG! Is it true what they said about you in this blog?" The link directed the user to a screen that looked just like the Twitter log-in page but was instead a phishing site. Of course, once you've entered your username and password into one of these fake sites, the criminals engineering the con have easy access to your account. Sullivan said another recent version of this scheme included messages requesting that users update their account information, which then took them to fake log-in screens.
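The common thread in the scams above is a link whose page imitates the Facebook or Twitter log-in screen while living on some other domain. The following is an added example, not code from the article or from either company, of the check a user or a mail/message filter can apply before trusting such a link: extract the URLs from a message, compare each link's registrable domain against the legitimate ones, and flag hosts that merely contain the brand name. The message texts and domains are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Registrable domains the two services named in the article actually use.
LEGIT_DOMAINS = {"facebook.com", "twitter.com"}
BRANDS = ("facebook", "twitter")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'facebook.com').

    Simplification: this ignores multi-label public suffixes such as
    'co.uk'; a production filter would consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url):
    """Classify one link as 'legit', 'lookalike' or 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legit"
    # Brand name appears somewhere in the host, but the domain that is
    # actually registered is someone else's: the classic fake log-in page.
    if any(brand in host for brand in BRANDS):
        return "lookalike"
    return "unknown"


def scan_message(text):
    """Return [(url, verdict), ...] for every link found in a message."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample messages mirroring the lures described in the article.
SAMPLE_MESSAGES = [
    "Did you see this picture? http://www.facebook.com/photo.php?id=1",
    "OMG! Is it true what they said about you in this blog? "
    "http://twitter.com.login-verify.example/index.php",
    "Please update your account information: http://facebook-secure.example/",
    "Check out my holiday blog http://example.org/blog",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:9s} {url}")
```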