Why you should be wary of Facebook quizzes

Those quizzes on Facebook are fun, and most are harmless. But some can be dangerous.

If you’re ever prompted to allow an app access to your Facebook, or to log in with your Facebook credentials in an app or website, pay attention to what you’re authorizing that app to access.

Apps are developed all over the world by all sorts of people. You may have a higher level of trust in an app from a developer like Apple, Inc., and a lower level of trust in an app made by some kid in his basement.

Apps link to each other and share information, through a process you control. The information they share is stored in a variety of databases – some transient, some persistent.

Many of these databases are the targets of hackers. Or worse yet, they’re sold by unscrupulous app developers to spammers and phishers.

When you authorize an app to access your Facebook, you should measure the risk. To do this, compare what the app wants access to with the potential of that app to be either nefarious or easily hackable. If it only wants to access your public profile, that’s generally harmless. If it wants to access your friend list, that means the names of all your friends will be shared with the app. If it wants to access your timeline, that means anything you’ve ever posted to your “friends” will be shared. Same for photos, etc.

Now, you don’t want to live in fear. But consider minimizing your security footprint: the larger the footprint, the larger the target.

Keep a small footprint by:

  1. Not putting things on Facebook you wouldn’t want to get “out there.”
  2. Being as informed and selective as possible about which aspects of your Facebook you grant apps access to.
  3. Regularly removing apps you’ve given access to that no longer need it.

Check out the screenshots at the top of this post for more illustration.

Anatomy of a URL

By understanding the anatomy of a “URL” you will be able to better understand how the websites work and how to keep safe when clicking links.

What is a URL?

A URL (Uniform Resource Locator) is the unique address of a webpage. Like everything else that has an address, no two webpages share the same URL.

URL anatomy

First thing to know: The Slash /

The slash is a key character in a URL. It separates different sections. You need to be able to recognize the slash so you can recognize the different sections of a URL.

http:// or https://

At the beginning of every URL is either an http:// or an https://. The “s” stands for secure. This means traffic between your computer and the website is encrypted (that’s a good thing).

Safety Tip: Whenever you type a password in a webpage, before you hit enter on your keyboard, you should make sure the website URL starts with https:// and not just http://.

Domain Name

After the http:// comes the domain name. The domain name stretches from the double slashes (://) all the way to the next slash (/).

http://this.is.the.domain.name.com/gobley-gook-random-mishmash?#&q

The “top” level domain name is the last word after the final period. Usually this is “.com.” A .com is for commercial organizations. Other top level domains you might recognize are .gov (government), .org (non-profits), and even national ones like .ly (Libya) or .uk (United Kingdom).

When you look at a URL you must be able to recognize the domain name. You do this by looking at the slashes and periods. For now, focus on whatever is between the http:// and the first slash. Ignore anything after the first slash.

Within the domain name section, look at the periods, specifically the last period. The last period separates the “top” level domain from the “official name”: the main name, the name actually registered by the business that owns this domain.

For example, how do we know that http://www.pepsi.com is owned by Pepsi? Well, we assume they bought it and that they wouldn’t let anyone else parade around with it acting like them. But that doesn’t mean someone else can’t buy anotherpepsi.com and put up a website.

So, look at a URL, specifically at the domain name section between the :// and the first /, and even more specifically right before the last period in that section, and identify whether or not it’s the domain name you’d expect. Here’s a quiz to test your knowledge: which of these are probably NOT actual PayPal properties?

a) paypal.com
b) www.paypal.com
c) paypal.requestfunds.com
d) requestfunds.securetransmittal.paypal.com
e) paypal.i-live-in-a-van.down.by.the.river.gimmemoney.paypals.com

In the above list, if you guessed C and E you are correct. If you guessed something else, re-read this article.

Here’s another way to ponder this:

a) www.google.com
b) www.googlem.com
c) www.yourgoogle.com
d) www.google.ly

In the above list, only one of those domain names is sure to be owned by the company Google. The others could be owned by anyone. How do we know? We look in between the 2nd-to-last and last periods, for the “official” name.

Web Page “Path”

Everything to the right of the first slash is the “path” of a webpage. Sometimes this section will be broken up by more slashes. This section quite frequently includes a bunch of apparent gobbledygook.

https://docs.google.com/document/d/1KGsegsLe7RytssUW_DgVpYpZUUBq_JPhuN2RpG2WRdk/edit#

But it is that gobbledygook that makes the address unique. It identifies one specific page on the site, which is why you can bookmark a webpage and come back to exactly that page later.

Now that you know the anatomy of a URL, you can more easily spot phishing links and more quickly tell whether your traffic to a website is encrypted or not.


How to Spot a Phishing Email

Short answer: Hover over hyperlinks and look in the lower-left of your browser to verify the address (the URL) that the hyperlink is going to (check out the Anatomy of a URL if you don’t know what a URL is). If the name of the link and the address don’t match, or the domain name the link is going to looks wrong, don’t click it.

[Screenshot: recognize phishing]

Long answer:

“Phishing” is a sinister way attackers (often using automated malware) try to trick you into giving them your password.

Here’s how it works. An email gets sent out (spammed) to thousands of people with what looks like a normal link in it. These links used to be for things like “make your penis larger!” but over the years they’ve grown more savvy. Recently they’ve been saying stuff like “here’s my resume” or “login to verify your account.” Sometimes they’ll pose as if they’re from something familiar: PayPal, eBay, Google, etc.

A small percentage of the folks that get the spam will click the link. The link goes to what looks like a normal/official webpage, and it asks them to put in their password. They do so. The malware then uses their password to login to their email account and send the email out to everyone in their address book. And so on and so forth.

Your best defense against phishing is your wits. You may have heard the common advice to not click any links or attachments in email that you don’t recognize, aren’t expecting, or look fishy. But more and more malware is becoming savvy and posing as legitimate email from someone you know (some of it even has decent English grammar).

Here’s one piece of knowledge that will aid you when you confront a potential phishing email:

Whenever you see a hyperlink (in an email or on the web), hover your mouse over it (see image above). Notice in the lower-left-hand corner of your web browser it shows you the actual “URL” (address) where the link would take you. If the link says one thing but the actual URL is something different: chances are it’s phishing. For example, if the email appears to be from PayPal, and the hyperlink says PayPal, but the actual URL is to anything other than PayPal, then best to be safe and not click it.
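The two domain-name quizzes above and the hover-and-compare habit just described can both be expressed as a small program. The following is an added example, not code from the original post: it pulls the “official name” out of a URL the way the article teaches (the part just before the top level domain), grades the PayPal and Google quizzes with it, and then scans the links in a constructed sample email to flag any link whose visible text names a brand but whose actual address belongs to a different official name. It uses only the Python standard library. It also goes one step beyond the article: the “2nd-to-last period” rule breaks on two-part endings such as .co.uk, so a tiny hand-picked set of those endings is special-cased (a stand-in for the real Public Suffix List, which is the assumption here). The sample email HTML is made up for this example.

```python
"""Added example (not from the original post): the article's URL rules in code.

Assumptions: Python 3 standard library only; TWO_PART_SUFFIXES is a tiny
constructed subset, not the real Public Suffix List; SAMPLE_EMAIL_HTML is a
made-up message written for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed subset of multi-label endings where "the word before the last
# period" is not the registered name (bbc.co.uk is owned by the BBC, not "co").
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def official_name(url: str) -> str:
    """Return the article's "official name": the registered domain.

    http://www.pepsi.com/anything -> 'pepsi.com'. Everything to the left of it
    (www., requestfunds., ...) is a subdomain controlled by the owner of that name.
    """
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_brand_domain(url: str, brand_domain: str) -> bool:
    """True only when the URL really belongs to brand_domain (e.g. 'paypal.com')."""
    return official_name(url) == brand_domain.lower()


def uses_https(url: str) -> bool:
    """The article's password tip: the address must start with https://."""
    return urlparse(url).scheme == "https"


def quiz_answers(quiz: dict, brand_domain: str) -> list:
    """Letters of the quiz entries that are NOT the brand's own domain."""
    return [letter for letter, host in quiz.items() if not is_brand_domain(host, brand_domain)]


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags: what hovering shows you."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html: str, brand_domains: dict) -> list:
    """Flag links whose visible text says one thing but whose address goes elsewhere.

    brand_domains maps a word that may appear in link text (e.g. 'paypal') to the
    domain that brand really owns (e.g. 'paypal.com').
    """
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for text, href in collector.links:
        lowered = text.lower()
        # Case 1: the link text itself looks like a URL but the address differs.
        text_name = official_name(lowered) if " " not in lowered else ""
        if "." in text_name and text_name != official_name(href):
            flagged.append((text, href))
            continue
        # Case 2: the text mentions a brand but the address is not that brand's domain.
        for word, real_domain in brand_domains.items():
            if word in lowered and not is_brand_domain(href, real_domain):
                flagged.append((text, href))
                break
    return flagged


# The article's two quizzes, as constructed input.
PAYPAL_QUIZ = {
    "a": "paypal.com",
    "b": "www.paypal.com",
    "c": "paypal.requestfunds.com",
    "d": "requestfunds.securetransmittal.paypal.com",
    "e": "paypal.i-live-in-a-van.down.by.the.river.gimmemoney.paypals.com",
}
GOOGLE_QUIZ = {"a": "www.google.com", "b": "www.googlem.com",
               "c": "www.yourgoogle.com", "d": "www.google.ly"}

# Constructed sample email body (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="http://paypal.requestfunds.com/verify">login to PayPal</a>
to verify your account. Our real site is <a href="https://www.paypal.com/">https://www.paypal.com</a>.
Also see <a href="http://example.test/resume.doc">here</a> for my resume.</p>
"""

if __name__ == "__main__":
    print("Not PayPal:", quiz_answers(PAYPAL_QUIZ, "paypal.com"))
    print("Not Google:", quiz_answers(GOOGLE_QUIZ, "google.com"))
    for text, href in suspicious_links(SAMPLE_EMAIL_HTML, {"paypal": "paypal.com"}):
        print(f"SUSPICIOUS: link text {text!r} actually goes to {href}")
```

Running it grades the PayPal quiz as C and E and the Google quiz as everything but A, matching the article, and flags only the “login to PayPal” link in the sample email, because its address belongs to requestfunds.com rather than paypal.com. The “here” link is left alone: nothing in its text claims to be a brand, so the program, like a person hovering over it, can only say where it goes, not whether that is what you expected.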

In the case of the screenshot above, the actual URL that shows when I hover over the link goes to xaynha247.vn. Right off, the domain name looks odd. But to be sure I can go to http://scanurl.net and type in the domain name.

When I do that for xaynha247.vn, sure enough the results show it as unsafe:

[Screenshot: web-of-trust result]

So to stay safe and help you decide whether or not to click a link, make a habit of hovering over links in email and verifying the URL before clicking them.