Facebook Captchas broken?

Computerworld - Hackers have apparently found a way to automate the creation of new Facebook profiles by breaking the challenge-response mechanism used by the site to ensure that only humans sign up for the service.

Security researcher Roger Thompson of AVG Technologies today said his company recently discovered numerous Facebook pages that were clearly created in an automated fashion using malware programs. The pages are being used to spam links pointing to malicious sites. Users who click on the links are prompted to install rogue anti-spyware tools on their systems, he said.

So far, AVG has noticed a "couple of hundred" Facebook pages that appear to have been created by an automated malware program. All of the pages contain the same profile picture but have different user names.

From a security threat standpoint, the Facebook break-in doesn't appear to be particularly serious, Thompson said in his blog. Facebook deactivates the new accounts "as quickly as they find them." Even so, the fact that hackers got past Facebook's Captchas highlights a continuing trend by attackers to try and exploit social networks, he said.

Simon Axten, a Facebook spokesman, said the company is investigating the report and is working on identifying the fake accounts "so we can disable them en masse."

In an e-mail message, Axten said that the URL contained in the profiles has already been blacklisted by major Web browsers and blocked from being shared on Facebook. The company is using a third-party Captcha company called reCAPTCHA, which was recently acquired by Google and "is about as well-regarded a Captcha provider as there is," he said. Facebook is trying to understand how the new accounts were created, though it is possible that the sign-up process was manual. Another possibility is that those responsible for the attack farmed out the Captchas to be solved by humans for a price. "On the education front, we encourage users not to click on strange links and to take appropriate steps if they feel their computer or Facebook account has been compromised," he said.

In a note posted today, the Internet Crime Complaint Center (IC3), which is a partnership between the FBI and the National White Collar Crime Center, warned about the trend. Fraudsters are continuing to hijack attacks on social networking sites and are using them to spread malicious software, the IC3 warned.

According to the IC3, fraudsters are using spam to promote phishing sites or to entice users to download an application or view a video. Users visiting such sites or clicking on the videos or photos then get infected by various pieces of malware. Often the spam is disguised to appear as if it were sent from a user's 'friend.'

Some attackers also plant malicious ads containing malware downloads on social network sites, the IC3 note warned.

Users of social networking sites need to be aware of such threats and take measures to address them, the IC3 said. Adjusting Web site privacy settings, being selective about friends and what they are allowed to view and disabling options such as texting and photo sharing when they are not being used are all ways users can protect themselves on social networking sites, the IC3 said.

Read more about security in Computerworld's Security Knowledge Center.