Security researcher Nick Sullivan over at Symantec Corporation believes that privacy settings on social networking websites such as Facebook give people a false sense of security that could expose them to phishing attacks. "This illusion of privacy leads people to be a little freer in their disclosure," he wrote in a post to the company's security response weblog. Private information, ranging from e-mail and phone number to physical address, can all be available to the determined phisher or identity thief. One way to get to the information is to seize control of the account of someone designated a friend or someone in the same network, he said.
Phishers can easily engineer fake notifications that follow the format of legitimate friend requests e-mailed to Facebook members, for example. A typical e-mail would ask a user to click on a link to confirm that they are friends with an individual requesting addition as a friend on the network. Some users almost reflexively log in to a site through a link provided in an e-mail, he noted. "This simple, clean design is very easy for a phisher to mimic. ... This makes Facebook users ideal targets for the type of generic phishing attacks that are usually directed at financial institutions."