Anger after scam-exposing community shut down by Facebook

In a bizarre and hard-to-understand move, a Facebook page which claims it helped countless Facebook members stay safe online on the social network has been shut down… by Facebook.

The Bulldog Estate is one of a number of different resources on the internet dealing with the subject of Facebook scams, rogue applications, and the like. Other examples include Scam Sniper, FaceCrooks and Sophos’s own Facebook community.

On Monday 18th April, the Facebook page belonging to Scam Sniper was shut down by Facebook authorities:


Scam Sniper

Notice: The Sniper Has Been Shot. Facebook Disables The Admins Of The Facebook Fan Page Scam Sniper. http://goo.gl/RdlVF

Later that day, the same fate befell The Bulldog Estate’s Facebook presence, leading the scam-exposing site to say that Facebook had made a bad PR move:


The BULLDOG Estate

The BULLDOG Estate Facebook Page Has been Closed by Facebook, They Don't Like bad press, Watch… http://goo.gl/fb/K3ODY

The Scam Sniper Facebook page was eventually restored, but Tony Mazan, the owner of The Bulldog Estate, hasn’t had the same luck.

Mazan has been contacting Facebook since Monday attempting to understand why The Bulldog Estate’s Facebook page was closed, and how it might be recovered.

Today Mazan received a standard response from Facebook, which still wasn’t specific about the reasons that The Bulldog Estate’s Facebook presence had been killed off:

"Hi Tony

You created a Page that has violated our Statement of Rights and Responsibilities, and this Page has been removed. Facebook Pages may only be set up for the purpose of promoting a business or other commercial, political, or charitable organization or endeavor (including non-profit organizations, political campaigns, bands and celebrities), and only by an authorized representative of the entity or individual that is the subject of the Facebook Page. By creating a Facebook Page, you represent and warrant that you are authorized to do so by the person or entity that is the subject of the Facebook Page. Among other violations, Pages that are hateful, threatening, or obscene are not allowed. We also take down Pages that attack an individual or group or that promote or glorify violence, intolerance, racism or discrimination. Continued misuse of Facebook's features could result in your account being disabled."

This “explanation” clearly hasn’t satisfied the many fans of The Bulldog Estate, who have created pages urging Facebook to reinstate The Bulldog Estate, and left messages on Facebook’s official safety pages.

“We helped countless members on Facebook and supported Facebook in trying to help Facebook users stay safe online. We do not advertise or make money from our help, our blog writers are volunteers, and our admins are volunteers,” Tony Mazan of The Bulldog Estate told Naked Security. “What we can not understand is why Facebook removed a real help group and yet there are thousands of rogue applications, thousands of hate filled pages, thousands of fake profiles. We are as real as it gets and get shut down.”

“Is it because Facebook security never gets comments like ‘We Love you’ or ‘thanks for always alerting us on time with user-friendly information’,” continued Mazan. “As one of our supporters said – you may shut the dog outside, but you will never silence the bark.”

Although the language used on The Bulldog Estate’s website doesn’t beat around the bush, it seems clear to me that the content they produce is beneficial and helps Facebook users avoid scams and other attacks.

Maybe Facebook needs to be a little less robotic in its shutdown of this scam-exposing community, and could work a little more closely with Tony Mazan and his colleagues to bring what is a helpful resource for its users?

Update: The Bulldog Estate reports that its Facebook page has now been restored, and that Facebook has apologised for its mistake.

Facebook’s two-factor authentication announcement raises questions

Amid mounting criticism of Facebook’s attitude to its users’ privacy and safety, the social network has announced that it is introducing a two-factor authentication system in an attempt to prevent unauthorised logins to accounts.

The idea is that if you log into your Facebook account from a computer or mobile device that Facebook doesn’t recognise as one that you have used before to access the website, then you’ll have to enter a code to confirm you are who you say you are.

I’m glad to see Facebook introduce what sounds like an additional layer of protection for users, at least for those users who choose to enable the option. Two-factor authentication doesn’t address the many other Facebook privacy and safety concerns that are troubling users, but it’s no bad thing.

Unfortunately the short mention of the feature on Facebook’s blog leaves some questions unanswered.

    1. How can users enable the option? My guess is that users will find the option, once it has been rolled out to their accounts, under Account / Account settings / Account security, but it would have been nice if Facebook had told people. None of the Facebook accounts I have checked so far appear to have received the option, so I cannot confirm.

    2. How often will the code change? It would be sensible if the code changed each time someone tries to access your Facebook account from an unknown computer, but Facebook doesn’t say in its blog post.

    3. How will users receive the code? Again, Facebook doesn’t say. But my guess is that Facebook will send you the code via an SMS message to your mobile phone. That means, of course, that you have to trust Facebook with your mobile phone number, which privacy-conscious people may be understandably wary of doing.

    The one-time password system announced by Facebook last October also relied upon SMS messages – which raised some valid safety concerns.

So, it sounds like it may be a case of swings and roundabouts. A win for security and privacy on one hand is a loss on the other, as you have to trust Facebook with your phone number.

Remember, Facebook has been wanting your mobile phone number for some time and hasn’t been above using scare tactics to get you to hand it over.

I, for one, won’t be handing over my mobile phone number to Facebook in exchange for this two-factor authentication system.

I might, however, have considered signing up for a small hardware token that I could keep on my keychain, and rely upon it to produce a one-time code that can be entered at login alongside my username and password.

You may have seen such devices being offered by online banks and some of the major online games like World of Warcraft.

Of course, such authentication devices cost money and require infrastructure changes at the website’s end, but – hey! – if Facebook introduced something like that they could potentially charge a small amount of money for those users who want to take a stronger line on their privacy and online safety.

If you’re a member of Facebook don’t forget to join the Sophos Facebook page to stay up-to-date with the latest security news.

Update: Naked Security follower Neil Adam raises the valid point that you probably wouldn’t want a hardware authentication fob for every website you log into. If we did, we’d probably all have very lumpy trouser pockets.

SQL Slammer Worm Regains Momentum

At McAfee Labs every day we monitor millions of intrusion prevention systems (IPS) alerts from our sensors around the world. From these alerts, we often see interesting global data and trends. Recently, ISC noticed a sudden decline of Slammer traffic in the wild, which we also noticed on our sensors.

The infamous Slammer was a rapid-spreading worm that started on January 25, 2003. It targeted Microsoft SQL Server, and the worm traveled over UDP on port 1434, which contributed to its rapid spread. It is incredibly noisy, and it really never went away, even though the worm is eight years old!

To our surprise, the amount of traffic that we detect dropped significantly in early March, and we do not yet know the reason for the decline. What we have noticed, however, is that alerts for Slammer started to reappear early this month.

I guess we will be seeing more Slammer alerts for a while.

Rush Towards Gold Related Spam

On April 20, for the first time ever, gold rose above $1,500 an ounce as worries over the U.S. economic outlook boosted demand for the metal as a haven. Within hours, Symantec observed this spammer’s response: a hit-and-run spam attack with the Subject line “Subject: Is Gold Your Ticket To A Golden Future?”

Hit-and-run spam (or snow-shoe spam) is a threat known for its large volumes of spam messages in short bursts, where domains are quickly rotating and the sending IP hops within a certain /24 IP range.

Key characteristics include:

  • The message is in HTML
  • There is some type of word salad or word obfuscation injected between various tags and/or in the URL by means of multiple directories
  • The message is typically sent within the same /24 IP range
  • Domains are rotated quickly
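
The two network-side traits in this list (many senders inside one /24, fast domain rotation) lend themselves to a simple burst check over mail logs. The sketch below is an added example, not Symantec's detection logic: the record layout, the thresholds and the sample data (documentation-range addresses and `.example` domains) are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (received time, sending IP, domain in message URL).
# IPs are from RFC 5737 documentation ranges; domains use the .example TLD.
SAMPLE = [
    ("2011-04-20T14:00:05", "198.51.100.11", "gold-kit-a.example"),
    ("2011-04-20T14:00:40", "198.51.100.12", "gold-kit-b.example"),
    ("2011-04-20T14:01:10", "198.51.100.57", "gold-kit-c.example"),
    ("2011-04-20T14:02:30", "198.51.100.58", "gold-kit-d.example"),
    ("2011-04-20T14:03:00", "198.51.100.200", "gold-kit-e.example"),
    ("2011-04-20T14:00:10", "203.0.113.5", "newsletter.example"),
    ("2011-04-20T15:30:00", "203.0.113.5", "newsletter.example"),
    ("2011-04-20T18:45:00", "203.0.113.5", "newsletter.example"),
]

def snowshoe_candidates(records, window=timedelta(minutes=10),
                        min_ips=3, min_domains=3):
    """Return {/24 network: (distinct IPs, distinct domains)} for the
    densest burst seen in each network that meets both thresholds."""
    by_net = defaultdict(list)
    for ts, ip, domain in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[str(net)].append((datetime.fromisoformat(ts), ip, domain.lower()))

    flagged = {}
    for net, events in by_net.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the burst spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            ips = {e[1] for e in burst}
            domains = {e[2] for e in burst}
            if len(ips) >= min_ips and len(domains) >= min_domains:
                flagged[net] = max(flagged.get(net, (0, 0)),
                                   (len(ips), len(domains)))
    return flagged

if __name__ == "__main__":
    for net, (ips, domains) in snowshoe_candidates(SAMPLE).items():
        print(f"{net}: {ips} sending IPs, {domains} domains in one burst")
```

A steady single-IP, single-domain sender such as the constructed newsletter is not flagged; only the /24 that shows several hosts and several domains inside one short window is.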

The call to action for this particular attack is a URL in the message body which directs the recipient to a Web site where the recipient can request a “free” investor kit. In order to receive the investor kit, personal contact information is requested. Certain personalities are used in the image for this spam campaign including Glenn Beck. A Google search reveals an interesting angle about Glenn Beck promoting gold investments. It seems that the spammer did some research in order to know about the association before propagating this spam campaign.

Symantec has known for some time now that spammers stay on top of current events and adapt their economically focused pitches towards the news headlines. In the midst of the economic gloom, for example in October 2007, Symantec reported several spam emails with subject lines such as “Looking to sell your house fast?” and “Get the dough out of your house.” This gold-rush spam attack of April 2011 adds more credence to the argument discussed in a blog post published April 2010, which was written to explore whether the focus of spam email could be used as an economic indicator.