The grift – part 1 (Facebook credentials)

Starting yesterday, I began receiving several emails with the subject “<firstname> <lastname> wants to be friends on Facebook.”

I knew pretty much as soon as I saw the subject that it was spam. Not because the names were people that I had never heard of, but because I turn off all notification emails from Facebook and Twitter (you should too).

Here is one example of the spam I received yesterday. I received probably 5 or 6 of them yesterday, to different personal email addresses at getwired.com.

There are only two active links in it. The confirm and “see all” buttons are, of course, the same URL, and the hostname appears to be a unique identifier (one that lets the sender tell which recipient clicked). Here’s an example:

http://sessionxxxxxxxxxxxxxx.permitds.com/confirm/req/

where each x is a digit. permitds.com is a domain registered very recently through PakNIC, a Pakistan-based registrar (to whom this domain has been reported for abuse).

Amusingly, each message was personalized with the email address it was sent to, and the whole thing was well formatted to match Facebook branding. The unsubscribe link was styled differently from the buttons, but it was plain text and didn’t actually link anywhere.

While I didn’t bother clicking through to the destination, I can only assume that the endgame of this little grift went like this:

  1. See the link.
  2. Click through to see what the heck this was (which confirms to the spammer that the recipient’s address is live, for future spam traffic).
  3. Hit a page that probably asked them to log in to Facebook (giving up their credentials).
  4. Get told that everything was a-ok (it wasn’t; they’d just given up their credentials).

It seems to me that browser manufacturers do not do enough to keep novice users from shooting themselves in the foot by entering their credentials into web pages that are very clearly not the rightful recipients of those credentials. The approach of using “login images”, where the bank asks the user to watch for the picture of the teddy bear that they hastily chose the first time they logged on to their checking account, is flawed.

First, it assumes that users are actually firing on all neurons every time they do something on their computer. They aren’t. Second, it depends on the user consciously remembering, “if I don’t see the teddy bear, I shouldn’t enter my bank credentials.” I don’t want to imply that users are stupid. But I believe it is a mistake for us as a security community to believe that pictures of teddy bears and dogs will keep users from putting their credentials into the wrong form.

Instead, I believe that password managers should be in every operating system by default, and should own the correlation of credentials to sites: if the site doesn’t match the one the credentials were saved for, don’t fill them in for the user, and tersely tell the user THIS ISN’T YOUR BANK! or THIS ISN’T FACEBOOK! Users are far too reliant on keeping usernames and passwords in their heads, in Word documents or text files, or on coffee-stained legal pads next to their computers. The operating system and browser should work together to protect users from compromising themselves. I’ve got one more blog post in the queue, and then I’ll outline how I believe this should work.
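To make the idea concrete, here is an added example (not code from the original post, and not any real password manager) of a credential store that binds each saved login to the exact origin it was saved on and refuses to fill it anywhere else. The brand label, the fake Facebook login URL, the username and password, and the digits in the permitds.com hostname are all constructed for the demo; the hostname pattern is the one quoted above. The lookalike check goes a step beyond the post’s scenario and also catches hosts that merely embed the real brand’s hostname.

```javascript
// Added example, not code from the original post: a minimal origin-bound
// credential store of the kind the post argues the OS and browser should
// provide. Each saved login is bound to the origin (scheme + host + port) of
// the page it was saved on; fill() supplies it only on that exact origin and
// otherwise returns a terse warning instead of the password.

class CredentialStore {
  constructor() {
    this.entries = new Map(); // label -> { origin, username, password }
  }

  // Bind a login to the origin of the page the user actually saved it on.
  save(label, pageUrl, username, password) {
    const origin = new URL(pageUrl).origin;
    this.entries.set(label, { origin, username, password });
    return origin;
  }

  // The user asks to fill the login saved under `label` into a form on `pageUrl`.
  // The decision is made by the store, not the user: mismatched origin => refuse.
  fill(label, pageUrl) {
    const entry = this.entries.get(label);
    if (!entry) {
      return { decision: 'unknown', warning: `No login saved for ${label}` };
    }
    const page = new URL(pageUrl);
    if (page.origin === entry.origin) {
      return { decision: 'fill', username: entry.username, password: entry.password };
    }
    const savedHost = new URL(entry.origin).hostname;
    const reason = lookalike(page.hostname, savedHost)
      ? `hostname ${page.hostname} merely contains ${savedHost}`
      : `origin ${page.origin} is not ${entry.origin}`;
    return { decision: 'refuse', warning: `THIS ISN'T ${label.toUpperCase()}! (${reason})` };
  }
}

// Generalisation beyond the post's scenario: flag hosts that embed the real
// brand host as a label or prefix, e.g. www.facebook.com.attacker.example.
// Origin matching already refuses these; this only makes the warning specific.
function lookalike(pageHost, savedHost) {
  const bare = savedHost.replace(/^www\./, '');
  return pageHost !== savedHost && pageHost !== bare && pageHost.includes(bare);
}

// Demo on constructed URLs. The spam hostname follows the pattern quoted in
// the post (session + digits + .permitds.com); the digits here are made up.
function demo() {
  const store = new CredentialStore();
  store.save('Facebook', 'https://www.facebook.com/login', 'alice@example.test', 'hunter2');
  return {
    real: store.fill('Facebook', 'https://www.facebook.com/home.php'),
    spam: store.fill('Facebook', 'http://session12345678901234.permitds.com/confirm/req/'),
    lookalike: store.fill('Facebook', 'https://www.facebook.com.permitds.com/login'),
    // Same host over plain http: the origin differs, so it is refused too.
    downgrade: store.fill('Facebook', 'http://www.facebook.com/login'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the origin comparison covers the scheme as well as the host, so a plain-http page impersonating the real site is refused along with outright foreign domains; the user never has to notice that anything is off, because the store simply has nothing to hand over.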