February 12, 2019

How to keep your Facebook account safe in 2019 Election

By Mira

Facebook has issued safety instructions to its users ahead of the 2019 election, after a massive security breach that affected almost 50 million Facebook users across the globe.

In the breach, a third-party company erroneously accessed data that a then-legitimate quiz app had siphoned up. This vulnerability allowed attackers to directly take over user accounts.

Below is the mail sent to Facebook users on how to secure their Facebook account in the much-awaited election of 2019.


Safety and security are very important to Facebook, which is why we’re approaching political parties during this time with some tips about how to secure your account.

Engagement from a wide range of voices on Facebook enriches our community and facilitates conversations, including conversations about politics. At times, a few sophisticated bad actors will seek to target high-profile political figures and those connected to them to undermine democratic discourse online.


We believe that it’s worth being familiar with the small handful of standard approaches generally used by those targeting elected officials, candidates and those associated with them. You can help protect your Facebook account by ensuring that your email account, website and third-party apps are kept safe. Below are five commonly used strategies and information about how to minimise your risk.

1. Spear phishing

In spear phishing, bad actors send highly customised emails to specifically targeted individuals. These emails are intended to look like legitimate correspondence but often contain malicious links or documents. In a recent spear phishing campaign, emails or messages indicate that a password reset is required for your email account. The email contains a shortened link that directs to a fake email login page. If you enter your information on this page, the attacker is able to acquire the information and access your account.

It’s important to understand that your personal email, social media and other accounts are just as attractive as the accounts that you use for your professional, government and official purposes. Exercise the same level of vigilance in protecting your personal accounts as you do with the accounts that you use for official business.

Recommendation: If you receive an unexpected email or message prompting a password reset, don’t click any links in the message. Instead, visit the sender’s official website to check the legitimacy of the request.

2. Facebook branded Page appeal phishing

Sometimes phishing campaigns try to convince targeted users that their Facebook account or Page has been suspended, and the message may appear to be sent directly from Facebook. These campaigns are designed to collect your sensitive information with a link to a credential-harvesting domain. With access to your login credentials, attackers will be able to log in to your account and make changes to your settings that will ultimately prevent you from using the account altogether.

Facebook branded Page appeal phishing attacks make illegitimate use of Facebook’s branding to send messages – commonly via Messenger, increasing the impression that the notification is real and personalised. See below for an example of a recent phishing attempt:

Clicking the link in the message will compromise the account and lock users out of their accounts. Resolving this requires escalation to the Facebook security team. Attackers using this method of phishing have developed ways to hide their activity from detection while retaining access to the targeted Facebook Page or account. These campaigns are financially motivated and tend to target influential Facebook Pages with high follower counts, making policymakers attractive targets.

3. Website compromise

Another approach that bad actors have used is “strategic web compromise”, in which they infect specific websites that their targets are likely to visit. Navigating to one of these sites will lead to the automatic downloading of malicious code, often in the target’s browser. This malicious code is then used to carry out further attacks, such as copying and sharing information accessed or browsed by the victim. Recently, this type of activity has focused on Ministries of Foreign Affairs and Embassy websites, which are likely to be visited by diplomats, politicians and their professional staffs.

Recommendation: Make use of web browsers only if they have built-in security protections, e.g. Google Chrome, and regularly patch and update the web browsers and other software that you use.

4. Targeting of professional staff

Online security threats extend not only to you but also to your colleagues and staff. A common tactic is to use the same approach with the entire staff of the targeted victim in order to gather as much valuable information as possible.

Recommendation: Share security materials and best practices with your staff. Internal security awareness training in your organisation should emphasise the value of your information and the likelihood that dedicated malicious actors will try to acquire it.

5. Third-party apps permissions

Installing applications to your devices can introduce unforeseen risks of account compromise. Many apps allow users to log in via another service for the sake of convenience, but this function also initiates data sharing between services. For instance, certain services allow you to log in using Facebook and, in turn, will receive data about your Facebook account. This form of authentication has been prone to abuse and is a common initial attack tactic for sophisticated bad actors.

Recommendation: It’s important to routinely review the apps downloaded to your devices, and particularly those that have requested access to your Facebook account. We recommend that you delete apps that you don’t recognise, apps that you don’t use and any apps that have particularly broad permissions and allow access to accounts that isn’t necessary. Learn more about how to manage your apps and their permissions.

Questions? Please contact our team at any time on our official Government & Politics page.
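The two phishing patterns described in sections 1 and 2 (a password-reset or suspension lure paired with a shortened link, or a Facebook-branded message whose link leads to a credential-harvesting domain) can be screened for mechanically. The following Python heuristic is an added example, not part of Facebook's mail or the original post; the shortener list, the list of legitimate Facebook hosts and the two sample messages are all assumptions constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of common link shorteners (not from the page); a shortened link hides its destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
# Assumed hosts the brand legitimately links to; a "Facebook" message linking elsewhere is suspicious.
LEGIT_HOSTS = {"facebook.com", "fb.com", "messenger.com", "facebookmail.com"}
# Lure phrases taken from the patterns the mail describes (password reset, Page/account suspended, appeal).
LURE_PATTERNS = [r"password\s+reset", r"reset\s+your\s+password",
                 r"(page|account)\s+(has\s+been\s+)?suspended", r"\bappeal\b"]

class LinkExtractor(HTMLParser):
    """Collect [href, visible link text] pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self.links.append([self._href, ""])
    def handle_data(self, data):
        if self._href is not None:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyse_message(html):
    """Return the reasons a message looks like a credential-phishing lure (empty list = nothing found)."""
    reasons = []
    parser = LinkExtractor()
    parser.feed(html)
    text = re.sub(r"<[^>]+>", " ", html)
    lure = any(re.search(pat, text, re.I) for pat in LURE_PATTERNS)
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) in SHORTENER_HOSTS:
            reasons.append(f"shortened link hides destination: {href}")
        shown_host = urlparse(shown.strip()).hostname if "://" in shown else None
        if shown_host and registrable(shown_host) != registrable(host):
            reasons.append(f"link text {shown.strip()} points at {host}")
        if host and "facebook" in text.lower() and registrable(host) not in LEGIT_HOSTS:
            reasons.append(f"Facebook-branded message links to non-Facebook host {host}")
    if lure and reasons:
        reasons.insert(0, "password-reset/suspension lure combined with suspicious link")
    return reasons

# Constructed sample messages (not real phishing mail): one Page-appeal lure, one benign notification.
PHISH_SAMPLE = ('<p>Your Facebook Page has been suspended. Submit an appeal here: '
                '<a href="http://bit.ly/xyz">https://www.facebook.com/appeal</a></p>')
LEGIT_SAMPLE = '<p>Someone commented on your post. <a href="https://www.facebook.com/n/?id=1">View</a></p>'
```

Run `analyse_message(PHISH_SAMPLE)` to see each reason the lure is flagged; the benign notification returns an empty list.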