Stop Using Security Questions

Please stop using security questions.

Why security questions were designed with good intentions

If you forget your password, a site can ask you a series of security questions. The idea is to let you recover your account while still authenticating you with answers that supposedly only you know.

Offering account recovery is a great idea; doing it with security questions is not.

Insecurity Questions

Seriously — they introduce insecurity. In my experience, I’ve come across a form like this:

What is your favorite color?

Your security question must contain at least five characters!

What do you think the most popular colors are? Red? Blue? What about teal or gray/grey? The form I came across actually had a five-character minimum, which ruled those short answers out and made guessing black, green, white or yellow a bit easier. My wife will tell you that everybody from the '90s would say "Crayola Cerulean" is their favorite, and I'm inclined to agree.

Facebook even has a "know you better" feature where you answer questions about yourself and post the answers on your profile. Yikes!

Mother's maiden names are easy to get from your social network: click you, click your mom, look at her friends' names, or look at whom you call "aunt" or "uncle".

Distributing Security Questions

I once saw an admin who would screenshot a page that showed users' security questions. This page existed to help admins verify over the phone that users are who they say they are. Instead of using it for that purpose, people were screenshotting this information and sending it to users who had "forgotten" it. Yikes.

I’m a site user — what should I do?

If a site insists you complete security questions, generate random text and throw that in the box, then keep it in your password manager alongside the password. If you need to recover the account later, paste in that random text. While you're there, look for the company's security@ e-mail address, Twitter account, etc., and tell them to fix it.

I’m a webmaster on the world wide web

Heh, old terms. Disable the requirement for security questions, and remove account recovery until you can fix it. Replace it with a CAPTCHA and a reset link sent by e-mail. Make the link valid for less than 30 minutes and put plenty of entropy in the query string (a random token of at least 128 bits). Don't store the expiration in the query string; keep it server-side with the token, so nobody can extend it by editing the link. Store only a hash of the token and make it single-use. If the user's e-mail is compromised, an attacker can indeed take over the account this way. For this reason, it is imperative that users have secure e-mail accounts. Also, wipe the security questions out of the database. If you're compromised, those answers can quickly become public.
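As an added example (not the post's own code), here is what the e-mailed reset link described above looks like in Python: a random token with 256 bits of entropy, a server-side record holding the hash of that token and its expiry, and a single-use redemption step. The in-memory dictionary standing in for the database, the https://example.com/reset URL and the shape of the user records are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # the link is good for at most 30 minutes

# Constructed in-memory stand-in for the site's database table of reset tokens.
# Keyed by the SHA-256 of the token, so a leaked table cannot be redeemed.
RESET_TOKENS = {}


def _digest(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id, now=None):
    """Create a reset token for user_id and record its hash and expiry server-side.

    The raw token is returned once so it can be placed in the e-mailed link;
    it is never stored.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits of entropy
    RESET_TOKENS[_digest(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,  # expiry lives here, not in the link
        "used": False,
    }
    return token


def build_reset_link(token, base="https://example.com/reset"):
    """The only thing in the query string is the opaque token: no user id, no expiry."""
    return f"{base}?token={token}"


def redeem_reset_token(token, now=None):
    """Return the user_id the token belongs to, or None if it is unknown,
    expired, or already used. Marks the token used on success.
    """
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_digest(token))
    if record is None:
        return None  # tampered, guessed or revoked token
    if record["used"] or now > record["expires"]:
        return None  # expiry is checked against the server-side record only
    record["used"] = True  # single use: a replayed link is dead after this
    return record["user_id"]


def wipe_security_questions(users):
    """Remove stored security answers from every user record (the 'wipe the
    security questions out of the database' step). Returns how many were cleared.
    Assumes each user is a dict that may carry a 'security_answers' key.
    """
    cleared = 0
    for user in users:
        if user.pop("security_answers", None) is not None:
            cleared += 1
    return cleared
```

A plain dictionary lookup by the token's hash is fine here because the token itself is unguessable; what hashing buys you is that a dump of the table cannot be turned back into working links.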

What if I use both the e-mail reset and security questions?

You could. Requiring both is still better than having no e-mail reset at all.

 

Goo.gl Virus (Well, Phishing Scam)

First off, I want to be very clear that this is not actually a virus. This is a phishing scam.

I also want to make it clear that merely seeing the domain https://goo.gl/ does not mean a link is a scam; likewise, not seeing that domain does not mean a link is safe.

Sadly, the local community college would rather teach people about art than about data security and privacy, and "goo.gl virus" is the term people often use for these things.

What is this Goo.gl Site?

It is a URL shortener, similar to bit.ly, bit4.me and others. Instead of telling a friend to visit "https://robert-lerner.com/wildSpEllingandCaps123/123/4", you create a short link and tell them that instead.

That's where the utility ends and the scam starts. Link shorteners mask the actual destination of the URL, which makes it harder to determine whether the destination is legitimate. The site CheckShortURL lets you paste in a short URL and see where it goes without visiting it. Always do this before clicking a shortened link you didn't create.
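Doing the CheckShortURL step yourself, as an added example that is not part of the original post: the code below asks each hop for its redirect target with a HEAD request, refuses to follow the redirect automatically, and returns the whole chain, so you see the destination without ever rendering it. The fetch callable is pluggable so the chain can be walked against recorded responses; the goo.gl and video-host.example URLs in the usage are constructed, and the live path assumes the shortener answers HEAD requests the same way it answers GET.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx response back instead of following it."""

    def http_error_302(self, req, fp, code, msg, headers):
        return fp

    http_error_301 = http_error_303 = http_error_307 = http_error_308 = http_error_302


def head_without_following(url, timeout=10):
    """Return (status, Location header) for one URL, following nothing and
    downloading no body. Assumes the server answers HEAD like it answers GET.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "redirect-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 4xx/5xx: the chain ends here
        return err.code, None


def resolve_chain(url, fetch=head_without_following, max_hops=10):
    """Walk a shortened URL hop by hop and return every URL visited, ending at
    the first non-redirect response, a redirect loop, or max_hops.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        if url in seen:
            break  # redirect loop
        seen.add(url)
        chain.append(url)
    return chain


def hosts_in_chain(chain):
    """Distinct hostnames in order of appearance; the last one is where you
    would really have ended up.
    """
    hosts = []
    for link in chain:
        host = urlsplit(link).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    # Constructed responses standing in for the live network.
    RECORDED = {
        "https://goo.gl/abc123": (301, "https://video-host.example/watch"),
        "https://video-host.example/watch": (302, "/login"),
        "https://video-host.example/login": (200, None),
    }
    chain = resolve_chain("https://goo.gl/abc123",
                          fetch=lambda u: RECORDED.get(u, (404, None)))
    print(" -> ".join(chain))
    print("final host:", hosts_in_chain(chain)[-1])
```

Run it with the default fetch against a real short link and compare the final host with the one the post claims to be sending you to; if the chain ends on a domain you do not recognise, that is the answer, and you never loaded the page.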

How does this scam look?

It could be anything from a friend's post to a post in a garage sale group. Below is an example of one I saw on a garage sale site just today:

Facebook Phishing Campaign

If you see something that sensational, it's probably fake, and it has no place in a garage sale group. Another good indicator is that commenting is turned off. Why would you share news and expect no reactions? Simply put, because they didn't want the scam unveiled in the comments.

Sadly, this user probably fell for this trick and lost her account, which is now posting this in all of the groups she's in. It may even be requesting money from her friends.

Facebook does not provide a good avenue for reporting this sort of issue, and garage sale group admins aren't always online. I went to the hosting company itself, Wix, to see if they could approach it, but at the time of writing no action had been taken.

So, I clicked the link to see where it goes…

… I did it safely, though, using a live-boot Linux distro inside a virtual machine. This sandboxes the attack from any valid sessions I may have open. At this point I didn't understand the attack, so I was extra cautious.

At first, the link takes you to this page:

Pretend broken video

Looking here, you can see the image is warning you of gruesome content; you probably expected this, considering it claims to show people hurled off a roller coaster. (Alright, so it's kind of sick you'd click this, but whatever.) Simply hovering over the pretend video player reveals that it takes you to another site entirely… but it isn't what you think:

Not-Facebook

Here, I left the URL bar partially visible. You can see plainly that you're not on Facebook, but the page is asking for your Facebook login. This is where people fall victim: they enter their e-mail and password to see the video, and at that point the attacker gets a copy of both.

I did a "whois" lookup, which can reveal who owns a domain, but the owner was hidden. The registrar was Namecheap.com (this is where they bought the domain). Registrars have abuse@namecheap.com-style e-mail addresses for reporting phishing, though turnaround on these reports is often slow.

How do I know if it is Facebook asking for my login?

When in doubt, don't log in. In this case, the address bar makes it obvious that the site is not Facebook. In some circumstances you can enter a fake e-mail and password: if you don't get a "bad username or password" message, it's probably a bad site. (This is a guide, not a rule; a phishing page can fake that message too.)

So I’ve been scammed, they have my FB login, but do I get to see the video?

Imgur wtf

Nope, rather hilariously, they dump you on imgur — at a “page broken” image. There is no video, there’s only you and your vacated account.

Update!

I worked with Namecheap.com's abuse contacts (Namecheap is the registrar of the domain), and they acted promptly and cleared all of the DNS records for the domain, effectively taking it down.

Unfortunately, I had also reached out to Wix about the initial hosting domain, and as of this update the page is still live; they offered to "report it" even though it is one of their own customers. Obviously, clicking the link below exposes you to part of the phishing site: