You won't get an email from Apple asking you to update your billing information. But if you think you got one in recent days, delete it; it's a phishing scam designed to snatch that info from you, and it's definitely not from the Cupertino company.

The "vast phishing attack," as Mac software security firm Intego calls it, began around Christmas Day, and seeks to prey on those who got new Apple gear for the holiday. The spammers don't know whether you did or not; they do know that with Apple products as popular as they were on holiday gift lists, the odds are in their favor of getting some hits on this.

The email's subject line is "Apple update your Billing Information." Says Intego: "These well-crafted emails could fool many new Apple users, especially those who may have found an iPhone, iPod or iMac under their Christmas tree, and set up accounts with the iTunes Store or the Mac App Store for the first time. The messages claim to come from 'appleid@id.apple.com.'" And here's what it says:

Intego

Looks official, right?

Intego says if you click on the link in the message, you'd be taken to a "realistic-looking sign-in page, then, after entering your Apple ID and password, you’ll be taken to a page asking you to update your account profile, notably entering your credit card information. Again, this page looks realistic, and many of the elements it contains are taken from Apple's own Web pages."

But if you moved your cursor over the link in the message and waited for a "tooltip to pop up," you'd see this:

Intego

The URL that's shown is not an apple.com address, Intego says, "but rather a numerical address (we've blurred the first part of the address). At the end of the address is a page called apple.htm, which could fool people, but that’s not what’s important. Always look at the part right after the http:// in the URL: if it's not something.apple.com (it could be www.apple.com, store.apple.com, or something else), then it's bogus."

Thanks to Intego for the heads-up and the reminder that phishing scams may be at their worst during the holidays, but can also proliferate after them, too.

— Via TheNextWeb

Related stories:

• Romance scammers prey on the lonely at the holidays
• iPad 2, iPhone 4S top holiday wish lists
• 12 online holiday scams to avoid

Check out Technolog, Gadgetbox, Digital Life and In-Game on Facebook, and on Twitter, follow Suzanne Choney.

A new Facebook phishing scheme is about as nasty as they come: The perpetrators threaten to delete users' Facebook accounts unless they hand over various account details within 24 hours.

While some of you might welcome such a deletion, most of us would not. Sophos Security is warning about the scheme, which was shared on Hoax-Slayer.

Facebook users may get emails that purport to be from Facebook, saying that the user is violating the social network's policy regulations by annoying or insulting other Facebook users. And, the email says, unless certain personal and financial information (including credit card numbers) is submitted within 24 hours, the user's account will be done away with.

"The emails are entirely bogus," says Lisa Vaas on Sophos' Naked Security blog. "The scams are, in fact, designed to steal credit card numbers and social media accounts, likely in order to further spread scams and bilk victims."

As pointed out by Hoax-Slayer, scammers can use the ill-gotten information to hijack a user’s Facebook account. Then, posing as the account holder, the criminals can send out more scam messages and spam to a victim’s Facebook friends, bolstered by the trust users place in their friends.

Once a criminal has gained access to a victim’s account, they will likely lock out the original account holder by changing account passwords and email addresses. With the credit card information, fraudsters can conduct identity theft and other malicious financial activity.

Hoax-Slayer warns users not to click on any links in the email itself. "Those who fall for the ruse and click the link will be first taken to a fake Facebook 'Account Disabled' web form that asks them to provide Facebook login details and part of their credit card number." Here's an example of the fake form:

Hoax-Slayer

Fake Facebook form that's part of the gimme-your-info-or-I'll shut down your account scheme.

"Once the victim has completed this bogus form, he or she is then taken to a second fake form that asks for webmail login details," Hoax-Slayer notes. Then, once that info is provided, the user "is taken to a third bogus form that asks for a username and — again — the first 6 digits of the user's credit card number."

As Facebook itself says on its security page:

Spammers and scammers sometimes send phony emails that have been made to look like they’re from Facebook or another reputable website. These emails can be very convincing, and the "From:" field can even be spoofed to include "Facebook” or “The Facebook Team.”

If an email looks strange, don’t click on any of the links in it, and delete it from your inbox immediately. Be especially wary of emails that ask you to update your account, tell you to open an attachment, or warn you to take some other urgent action.

"All these phishing scams boil down to a naked grab for your account details," wrote Vaas. "Remember, neither Facebook nor other reputable social media sites would ask for this information. The mere request is a surefire way to suss out bogosity."

Related stories:

• Nigerian criminals pose as FBI in new email scam
• Facebook's porn attack: Lawmaker wants answers
• Facebook user or not, you're being tracked
• Facebook's porn and gore attack: Who gets the blame?

Check out Technolog, Gadgetbox, Digital Life and In-Game on Facebook, and on Twitter, follow Suzanne Choney.

msnbc.com

Some of it was just funny — an image of Justin Bieber passionately singing into a man's ... um ... appendage pasted where the microphone should be.

Other hardcore porn images were of the banal fare so easily found outside Facebook's gated Internet community. But there was also the Newsfeed spam featuring child pornography reported by some. The bloody dead dog and decapitated corpses were also among the shocking fare Facebook users found themselves subjected to when the week began and the world's largest social network battled "a coordinated spam attack that exploited a browser vulnerability."

"XSS, as I suspected," Jay Ashworth, this computer geek I know from Facebook, said following confirmation of the days-long debate by security experts and civilians alike over what caused — and who was behind — the gore and porn spreading across the social network. An XSS scam — or cross-site scripting — is as common as Facebook scams come, spread largely because of uneducated and/or insatiably curious Facebook users tricked into copying and pasting offending JavaScript into a vulnerable browser.

Here's Facebook's official statement:

Protecting the people who use Facebook from spam and malicious content is a top priority for us, and we are always working to improve our systems to isolate and remove material that violates our terms. Recently, we experienced a coordinated spam attack that exploited a browser vulnerability. Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.  

During this spam attack users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content. Our engineers have been working diligently on this self-XSS vulnerability in the browser. We've built enforcement mechanisms to quickly shut down the malicious Pages and accounts that attempt to exploit it. We have also been putting those affected through educational checkpoints so they know how to protect themselves. We've put in place backend measures to reduce the rate of these attacks and will continue to iterate on our defenses to find new ways to protect people.

Oh, and you can bet they are. While many users threatened to quit the site and made accusations that Facebook CEO Mark Zuckerberg couldn't care less about the ick that might very well have caught the eye of Grandma and/or all those 11-year-olds parents allow to lie about their age to be on the social network, Facebook wants the nude splatter-fest out of your News Feed even more than you do. Because it's a business. Businesses are customarily not fans of outside influences that drive away customers. And therein — as the much-abused Hamlet quote goes — lies the rub.

While Facebook points to a flaw in a browser, it won't identify which browser allowed the malicious code to spam violated Facebook accounts. While naked people and blood splatter grabs the headlines, less sensational XSS and clickjacking scams such as tricking Facebook users into clicking on "Why were you tagged in this video?" or pasting code into browsers in the hopes of getting a free meal at Olive Garden are so quickly forgotten they're often repeated.

"The bigger question is what motivated the attackers to use this flaw in such a strange way?" Chester Wisniewski of Sophos writes in the security company's Naked Security blog. "We investigate lots of Facebook scams here at Naked Security, and I would guess that nearly 100 percent of them lead to some financial payout for the scammer." Usually, scammers earn money when Facebook users are tricked into viewing advertising.

The latest outbreak "seems to be a purely malicious act," Wisniewski writes. "Facebook has a reputation for maintaining a reasonably family friendly environment and most Facebook users don't expect dead dogs and penises showing up on their wall."

The lack of monetary motivation has led security experts and others to speculate whether this was an attack by the hacker collective Anonymous, but there are no clues or confirmation. Facebook is letting it be known that it's on the case.

"In addition to the engineering teams that build tools to block spam we also have a dedicated enforcement team that has already identified those responsible and is working with our legal team to ensure appropriate consequences follow," Facebook said in an email statement. The site cited two prominent anti-spam legal victories.

In 2009, Facebook successfully sued "Spam King” Sanford Wallace for spamming users' Facebook walls in a lawsuit that resulted in a $711 million judgment in the social network's favor and possible jail time for Wallace. In 2011, Facebook was awarded more than $360 million in statutory damages from spammer Philip Porembski, who grabbed the login info of at least 116,000 accounts, which he used to spam 7.2 million users.

Meanwhile, Facebook users can do a lot to prevent spam simply by not clicking on suspicious links. Viral scams persist on Facebook because Facebook users continue to click malicious links. Over the last year, Facebook stepped up its defenses against these seemingly unstoppable pests by launching a variety of new security tools to help prevent spam and educate users.

To review, here are some things you can safely assume you won't see via Facebook: Osama bin Laden's body, that video of that thing Justin Bieber did to that girl, what happened when that girl's dad walked in on her, an app that reveals who has been looking at your profile, or any "authentic" message from Facebook WRITTEN IN ALL CAPS.

If you do get sucked into this or any Facebook spam scam, it's easy to remove the application, using Facebook settings, so that it no longer accesses your profile. Here's how:

• Remove any content the rogue app may have posted on your Facebook wall.
• Go to the Account Settings drop-down menu in the upper right side of your screen.
• From the Account Settings drop-down menu, choose Privacy Settings.
• On the bottom right side of the Privacy Settings Page, click the Apps & websites link "Edit your settings."
• On the App page, next to "Apps you use," select edit settings.
• There you will see the third-party apps that have access to your Facebook profile. Delete any rogue applications. (It's a good idea to check this setting regularly, anyway.)
• Send an apology to all your Facebook friends who may have been tagged, and advise them to do the same.
• Join Facebook's Security page as well as the Sophos security page on Facebook to stay up-to-date on the latest security issues.

More on the annoying way we live now:

• Facebook investigates gore, porn infecting your News Feed
• Fidel Castro's niece trolled in Twitter debut
• Pug smarter than tech blogger, spots spoof

 Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook. Also, Google+.

Duane Hoffman msnbc.com

Nothing starts the week off right like all your friends screaming nonsense via Facebook. You know, something like this:

ATTENTION: THE HACKERS ARE PUTTING SEXUAL VIDEOS TO YOUR NAME IN THE WALLS / PROFILES OF YOUR FRIENDS WITHOUT YOU KNOWING IT. YOU DONT SEE IT, BUT OTHER PEOPLE CAN SEE IT, AS IF THESE WERE A PUBLICATION THAT YOU MADE! ALSO, THEY'RE SENDING INBOX MSGS TO YOUR FRIENDS ASKING YOU TO CLICK A LINK. DON'T DO IT!! SO IF YOU RECEIVE SOMETHING FROM ME ABOUT A VIDEO OR A STRANGE INBOX MESSAGE, IT'S NOT ME! COPY THIS TO YOUR WALL. IT IS FOR THE SECURITY OF YOUR OWN IMAGE!!! And REPORT IT!!!!! ALSO IF U ARE ASKED TO VOTE ON A PICTURE. DO NOT GO & VOTE: IT'S A HACKER!! POST THIS TO YOUR WALL FOR YOUR FRIENDS!!

This hoax — which seems to be resurging after a viral run in late September — isn't tied to a clickjacking scam. Clickjacking occurs when you click a scam link that then posts the same scam link to the walls of everyone you know on Facebook. That's not what's happening here. Instead, Facebook users are cutting and pasting this warning on their Facebook status because another Facebook status told them too.

If that's you, cut it out.

Both Snopes — the hoax-debunking website you need to add to your Favorites browser bar immediately — and Sophos Security haven't found any evidence that hackers are able to prevent you from seeing content they've posted using your name, as the screaming status (above) claims. Of course, if you've clicked on a clickjacking scam — Justin Bieber punching some girl, that thing that girl's dad did that you won't believe, that thing about not having respect for Miley Cyrus, etc. — that same spammy link will crap up the walls of all your friends. But you will always be able to see the damage you've done.

Sophos confirms:

Yes, scammers have often posted thumbnails of what appear to be pornographic videos to compromised Facebook users' walls, but we have never seen any incidents where the post was *invisible* to the user.

Whether you're more culpable for clicking on a link that spams your Facebook friends, or actively cutting and pasting hoaxes under your own steam is a discussion to be decided by the ages. A CAPS LOCK status update may not spread malware, but it does spread ignorance as well as clog up paths of communication. Also, it's annoying.

In review, here are some things we can safely assume you won't see via Facebook: Osama bin Laden's corpse, that video of that thing Justin Bieber did to that girl or what happened when that girl's dad walked in on her, an app that reveals who has been looking at your profile or what you'll look like when you're old, and an authentic message from Facebook WRITTEN IN CAPS LOCK.

If you do fall victim to actual clickjacking — hey you're only human — here's what to do:

• Remove any content the rogue app may have posted on your Facebook wall.
• Go to the Account Settings drop-down menu in the upper right side of your screen.
• From the Account Settings drop-down menu, choose Privacy Settings.
• On the bottom right side of the Privacy Settings Page, click the Apps & websites link "Edit your settings."
• On the App page, next to "Apps you use," select edit settings.
• There you will see the third-party apps that have access to your Facebook profile. Delete any rogue applications. (It's a good idea to check this setting regularly, anyway.)
• Now, send an apology to all your Facebook friends who may have been tagged, and advise them to do the same.

Hat tip to Julissa McHugh for spotting this hoax's return.

More on the annoying way we live now:

• Pug smarter than tech blogger, spots spoof
• Fidel Castro's niece trolled in Twitter debut
• Adultery website encourages cheating on your fat wife

Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook. Also, Google+.

Hulton Archive / Getty Images file

Many of us are already shopping online, or will be soon, for the holidays. McAfee is pushing its software with its release of the "dozen most dangerous online scams" this season, but there's also some good info here. Consider it a gift of knowledge for you as you surf the Web for presents for your loved ones:

1.  Mobile malware: More of us are using our phones for shopping, to research products or to redeem coupons. McAfee says Android phones are "most at risk," citing "a 76 percent increase in malware targeted at Android devices in the second quarter of 2011 over the first, making it the most targeted smartphone platform."

McAfee also says new malware "has recently been found that targets QR codes, a digital barcode that consumers might scan with their smartphone to find good deals on Black Friday and Cyber Monday, or just to learn about products they want to buy."

2.  Malicious mobile apps: "These are mobile apps designed to steal information from smartphones, or send out expensive text messages without a user’s consent. Dangerous apps are usually offered for free, and masquerade as fun applications, such as games. For example, last year, 4.6 million Android smartphone users downloaded a suspicious wallpaper app that collected and transmitted user data to a site in China."

3.  Phony Facebook promotions and contests: "Who doesn’t want to win some free prizes or get a great deal around the holidays? Unfortunately, cyber scammers know that these are attractive lures and they have sprinkled Facebook with phony promotions and contests aimed at gathering personal information." One recent scam promised two free airline tickets — something that sounds appealing at this time of year especially — "but required participants to fill out multiple surveys requesting personal information."
 
4.  Scareware, or fake antivirus software: We've seen lots of examples this year. "Scareware is the fake antivirus software that tricks someone into believing that their computer is at risk — or already infected — so they agree to download and pay for phony software." McAfee says it's one of "the most common and dangerous Internet threats today, with an estimated 1 million victims falling for this scam each day."

5.  Holiday screensavers: Ah yes, we love our screensavers for special times of the years like Christmas. But some of the free ones are loaded with more than holiday cheer. "A recent search for a Santa screensaver that promises to let you 'fly with Santa in 3D' is malicious," McAfee says. "Holiday-themed ringtones and e-cards have been known to be malicious too."

6.  Mac malware: Those two words wouldn't have even been put together in the same sentence a few years ago. But, as McAfee correctly says, "with the growing popularity of Apple products, for both business and personal use, cyber criminals have designed a new wave of malware directed squarely at Mac users." McAfee Labs says as of a year ago, there were "5,000 pieces of malware targeting Macs, and this number is increasing by 10 percent month on month."

7.  Holiday phishing scams: "Cyber scammers know that most people are busy around the holidays so they tailor their emails and social messages with holiday themes in the hopes of tricking recipients into revealing personal information."

 A "common holiday phishing scam is a phony notice from UPS, saying you have a package and need to fill out an attached form to get it delivered. The form may ask for personal or financial details that will go straight into the hands of the cyber scammer."

Bank phishing scams "continue to be popular and the holiday season means consumers will be spending more money — and checking bank balances more often. From July to September of this year, McAfee Labs identified approximately 2,700 phishing URLs per day."

And, "smishing" — phishing by text message, usually involving banking — is also a growing problem. "Scammers send their fake messages via a text alert to a phone, notifying an unsuspecting consumer that his bank account has been compromised. The cybercriminals then direct the consumer to call a phone number to get it re-activated — and collects the user’s personal information including Social Security number, address and account details."
 
8.  Online coupon scams and offers: Whether you're an extreme couponer or an occasional one, the season is rife with good online offers — and malicious ones. "Scammers know that by offering an irresistible online coupon, they can get people to hand over some of their personal information," McAfee says. "One popular scam is to lure consumers with the hope of winning a 'free' iPad. Consumers click on a 'phishing' site, which can result in email spam and possibly dealing with identify theft." Another is that "consumers are offered an online coupon code and once they agree, are asked to provide personal information, including credit-card details, passwords and other financial data."

9.  Mystery shopper scams:  "There have been reports of scammers sending text messages to victims, offering to pay them $50 an hour to be a mystery shopper, and instructing them to call a number if they are interested.  Once the victim calls, they are asked for their personal information, including credit card and bank account numbers."

10.  Hotel "wrong transaction" malware emails:  "In one recent example, a scammer sent out emails that appeared to be from a hotel, claiming that a 'wrong transaction' had been discovered on the recipient’s credit card.  It then asked them to fill out an attached refund form. Once opened, the attachment downloads malware onto their machine."
 
11.  “It” gift scams: Looking for the kind of gift that might sell out quickly this year? "When a gift is hot, not only do sellers mark up the price, but scammers will also start advertising these gifts on rogue websites and social networks, even if they don’t have them," says McAfee. "So, consumers could wind up paying for an item and giving away credit card details only to receive nothing in return. Once the scammers have the personal financial details, there is little recourse."
 
12. “I’m away from home” scammers: You know this by now, or should: "Posting information about a vacation on social networking sites could ... be dangerous. If someone is connected with people they don’t know on Facebook or other social networking sites, they could see their post and decide that it may be a good time to rob them. Furthermore, a quick online search can easily turn up their home address."

Protecting yourself
Aside from buying McAfee's products, or those from another security vendor, here are some of McAfee's tips on staying safe in general, but especially in the weeks ahead:

• "Only download mobile apps from official app stores, such as iTunes and the Android Market, and read user reviews before downloading them."
• "Be extra vigilant when reviewing and responding to emails."
• "Watch out for too-good-to-be-true offers on social networks (like free airline tickets). Never agree to reveal your personal information just to participate in a promotion."
• "Don’t accept requests on social networks from people you don’t know in real life. Wait to post pictures and comments about your vacation until you’ve already returned home."

Related stories:

• How to avoid the nasty fake antivirus scam
• FBI targets two "scareware" rings
• Mac malware keeps a churnin' -- tips to help
• Fake UPS email has scareware attachment

Check out Technolog, Gadgetbox, Digital Life and In-Game on Facebook, and on Twitter, follow Suzanne Choney.

Websense

You're never going to get free airline tickets simply by clicking a link on Facebook and accepting a third-party app — not from JetBlue, not from Delta Airlines, and not from the latest airline name to be abused by social network scammers, Southwest Airlines.

Yet such viral scams persist on Facebook because Facebook users continue to click malicious links. Over the last year, Facebook stepped up its defenses against these seemingly unstoppable pests, sending warning prompts to users and partnering with Web of Trust, a crowdsourced website rating community. Today, the world's largest social network further enforced its spam defenses by partnering with security firm Websense, which will help protect and educate Facebook users via its bad link database.

"Starting today, Websense technology will add to Facebook's existing protections to stop users from clicking on links without knowing the trustworthiness of the destination," Dan Hubbard, Websense chief technology officer, said in a media statement. "When a Facebook user clicks on a link it will be checked against the Websense database. If Websense determines the link is malicious, the user will see a page that offers the choice to continue at their own risk, return to the previous screen or get more information on why it was flagged as suspicious."

Google Chrome and Twitter use similar warning systems, and as the handy Websense flowchart above reveals, you're still responsible for using the good sense the Lord gave a chicken. So if you're clicking a link and get a prompt that tells you the link might not be safe, don't click on it.

If you do succumb to your overwhelming desire to get those free airline tickets or the possibility of seeing Justin Bieber embarrass himself, you'll likely be asked to accept a third-party app. Accept it and you've just spammed all your friends with the same bad link. You might find yourself sent to an outside website where you'll be asked to take a survey. Either way, no free tickets or photo documentation of Justin Bieber humiliations are forthcoming.

To review, here are some things you can safely assume you won't see via Facebook: Osama bin Laden's body, that video of that thing Justin Bieber did to that girl, what happened when that girl's dad walked in on her, an app that reveals who has been looking at your profile, or any "authentic" message from Facebook WRITTEN IN ALL CAPS.

If you do get sucked in to this or any Facebook spam scam, it's easy to remove the application, using Facebook settings, so that it no longer accesses your profile. Here's how:

• Remove any content the rogue app may have posted on your Facebook wall.
• Go to the Account Settings drop-down menu in the upper right side of your screen.
• From the Account Settings drop-down menu, choose Privacy Settings.
• On the bottom right side of the Privacy Settings Page, click the Apps & websites link "Edit your settings."
• On the App page, next to "Apps you use," select edit settings.
• There you will see the third-party apps that have access to your Facebook profile. Delete any rogue applications. (It's a good idea to check this setting regularly, anyway.)
• Send an apology to all your Facebook friends who may have been tagged, and advise them to do the same.
• Join Facebook's Security page as well as the Sophos security page on Facebook to stay up to date on the latest security issues.

More on the annoying way we live now:

• How to stop Spotify from embarrassing you on Facebook
• Man steals $57K from neighbors using their Facebook info
• Facebook hacker posts stolen pics on porn site

Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook. Also, Google+.

CBS

This photo of Justin Bieber fooling around on the set of CSI is potentially the best Facebook spam scam. Ever.

Facebook spammers are recycling social network scams at such accelerated speed, the flimflammers are now resorting to scams ripped from "Law & Order" plotlines ... apparently.

"The Facebook Killer" scam assaulted social network users over the weekend, tricking the naive and/or morbidly curious into clicking a link that offered, "News гepoгts of a maп they are calling the 'Facebook Killer' have gone ramрant, he has claimed 9 lives in the United States so far that we know."

via Sophos

Given the interminable popularity of the the procedural crime drama franchise, as well as the fact that you totally watched that insufferable Craigslist Killer movie on Lifetime  like, three times, you know what these scammers are thinking.

Click what seems to be a CNN link posted by one of your Facebook friends, and you're sent to a fake YouTube page with the prompt: "Are you older than 13 years of age? Click "Jaa" button 2x and confirm and play video."

via Sophos

Thing is,  "Jaa" is Finnish for "Share." Click that increasingly-common ruse and you've just spammed all your Facebook friends with that same link to the fake news report about a fake Facebook serial killer — who might be in your area! That's the twist on this particular spam scam, which attempts to work out your location, and add it to the fake comments on the fake story, notes Graham Cluley, senior technology consultant at Sophos:

Through GEO-IP lookup techniques it has attempted to work out where in the world I am - and so is presenting (in my case) a video which claims the serial killer is in the British city of Salisbury.

Furthermore, if you look down the page you'll see supposed comments left by other viewers of the video including one which says:

This is UNREAL! I live in Salisbury

Again, however, this is a trick by the scammers. If you look at the webpage's code you will see that it substitutes the name of the city into the comments as well.

If morbid curiosity compels you to keep clicking, "you'll be taken to what is commonly termed as a survey scam," Sophos reports. These are surveys, or competitions, which trick you into handing over your personal information and either earn the scammers commission or require you to sign-up for an expensive premium rate service."

As we've noted before, these scams morph regularly, so it's best to be careful of any Facebook link to either an outrageous news story or anything that ABUSES CAP LOCK ... especially if it involves murder or Justin Bieber, and super especially murder and Justin Bieber.

If you do get sucked into the scam — and it happens to the best of us — it's easy to remove the application to keep it from accessing your profile.

Here's what to do:

• Remove any content the rogue app may have posted on your Facebook wall.
• Go to the Account Settings drop-down menu in the upper right side of your screen.
• From the Account Settings drop-down menu, choose Privacy Settings.
• On the bottom right side of the Privacy Settings Page, click the Apps & websites link "Edit your settings."
• On the App page, next to "Apps you use," select edit settings.
• There you will see the third-party apps that have access to your Facebook profile. Delete any rogue applications. (It's a good idea to check this setting regularly, anyway.)
• Now, send an apology to all your Facebook friends who may have been tagged, and advise them to do the same.
• Then join the Sophos Facebook page to get the latest news on the latest scams ... so you can warn your family and friends instead of annoying them with profile spam.

More on the annoying way we live now:

• Did your lame password let 'beach body' hack Twitter?
• Computer officiates wedding, signals beginning of robot rule
• Internet Explorer 6 users have low IQs, study says

Helen A.S. Popkin always finds a legitimate way to work Justin Bieber into pretty much any story. Tell her to get a real job on Twitter and/or Facebook. Also, Google+.

via Sophos

Thousands of Twitter users continue to endure tweets telling them to "get the beach body you've always wanted" possibly because one third of Internet users still insist on using the same password on multiple websites.

"The messages link to what pretends to be a news website, but is really designed to promote an Acai Berry 'miracle diet' marketed as 'Power Slim,' " reports Sophos. "The product claims to have been seen in the pages of Women's Health, Elle, Marie Claire, Oprah, Cosmopolitan and other magazines."

Sound familiar?

Claims about acai berries made in fake news stories that appear in pop-ups, Google search results, on real news sites (including msnbc.com) and even on WebMd.com got the beatdown earlier this year by the Federal Trade Commission.

The FTC filed charges against companies and individuals for allegedly blurring the lines between advertisements and journalism by promoting false information about acai and colon cleansing. In some cases, companies and individuals were hit with temporary restraining orders preventing assets from being moved or records from being destroyed. The offending websites must prominently display a statement that they are being sued by the FTC, or be removed from the Web.  

Meanwhile, this latest Twitter spam scam seems familiar as well.

"It could be that the users' passwords have been compromised, similar to another Acai Berry spam campaign we saw on Twitter at the end of last year following the Gawker password breach," writes Graham Cluley, Sophos senior tech consultant.

Hackers used passwords grabbed in the Gawker hack to infiltrate user accounts on Twitter and other sites. As Cluley points out, "Too many users (perhaps as many as a third) are still using the same password for every website they access."

If you find your Twitter account suddenly spamming your followers, change your password right away — on Twitter and anywhere else you're using that same password. In fact, even if you haven't been hacked, why not take this moment to switch up your passwords to the Twitter, Facebook and Google+ accounts you know you totally have open at work right now?

Here's a video from Sophos to help you think up some good ones:

More on the annoying way we live now:  

• Google+ promises heads' up before it dumps your fake account
• Facebook's 'tweaked' photo changes are no big deal
• Twitter users spread 'Unfollowed Me' virus

Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook. Also, Google+.

via Sophos

Just as any health care worker can tell you there's no such thing as 100 percent "safe" sex, every Facebook user should know there's no such thing as "safe" clicking. And if abstinence is not an option for you on either of these activities, the best you can do is educate yourself on possible risks. How appropriate then is the Facebook scam du jour, "The World Funniest Condom Commercial — LOL" currently infecting Facebook profiles all over the social network.

"The messages are spreading through a clickjacking scam (sometimes known as likejacking) which means that users do not realize that they are invisibly pressing that they 'Like' the video when they try to play it," Sophos reports. Appropriately enough, "the scam appears to be being perpetrated by the same gang who have been successfully spreading a "Baby born amazing effect" scam over the last several days."

Clickjacking is one of the ways spam is spread around Facebook. Clickjackers trick you into accessing links and/or "Like" buttons by hiding the code underneath content that piques your interest — such as "OMG! CNN CONFIRMS OSAMA BIN LADEN ALIVE" or that video of that thing Justin Bieber did to that girl that "YOU WON'T BELIEVE!"

As with most clickjacking spam, the "The World Funniest Condom Commercial — LOL" offers multiple tip-offs, such as the apostrophe "s" missing at the end of "World," the use of "LOL," and the use of sex as bait. Note: Most spam scams on Facebook cover three no-fail topics: Sex, death and Justin Bieber.

Fail to pick up on these clues and click to see "The World Funniest Condom Commercial — LOL" and you've also inadvertently "Liked" the link, spreading it to your now-annoyed Facebook friends and family. Unlike many spam scams on Facebook however, you are rewarded with an Argentinian condom commercial, though you can see on YouTube right now without getting unfriended. And SPOILER ALERT! It is not the funniest condom comercial in the world. That would be this one.

As Sophos points out, Facebook recently announced security updates  to help alert users to clickjacking scams via automatic prompts to confirm whether you actually want to "Like" what you're about to click, thus adding it to your Likes and Interests and spamming their friends. These updates haven't yet proved effective, and since scammers are always looking for away in, it's important to stay vigilant if you want to avoid annoying your friends.

In review, here are some things we can safely assume you won't see via Facebook: Osama bin Laden's corpse, that video of that thing Justin Bieber did to that girl or what happened when that girl's dad walked in on her, an app that reveals who has been looking at your profile or what you'll look like when you're old, and an authentic message from Facebook WRITTEN IN CAPS LOCK.

If you do fall victim to clickjacking — hey you're only human — here's what to do:

• Remove any content the rogue app may have posted on your Facebook wall.
• Go to the Account Settings drop-down menu in the upper right side of your screen.
• From the Account Settings drop-down menu, choose Privacy Settings.
• On the bottom right side of the Privacy Settings Page, click the Apps & websites link "Edit your settings."
• On the App page, next to "Apps you use," select edit settings.
• There you will see the third-party apps that have access to your Facebook profile. Delete any rogue applications. (It's a good idea to check this setting regularly, anyway.)
• Now, send an apology to all your Facebook friends who may have been tagged, and advise them to do the same.

More on the annoying way we live now:

• Fake 'Harry Potter' news causes Facebook freakout
• Fake 'Girl With the Dragon Tattoo' trailer is fake
• Mark Zuckerberg kills what he eats

Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook.

via FB scam

Ain't happenin'

Facebook does not offer a "Dislike" button, and no matter how many "Dislike button" Facebook page petitions you "Like," how many chickens you sacrifice and how many birthday candles you waste, there likely will never be one. 

Think about it.

"Dislike" just doesn't fit with the Facebook credo, which is about social connections and promoting things. It doesn't work like YouTube, where you're rating one thing — videos — with an thumbs-up or down. Facebook wants everyone — including and/or especially product pages — to have a thumbs up experience. And let's face it: You people can't be trusted. Give the unwashed Internet masses the ability to "Dislike" something, and most assuredly things will get ugly fast.

Problem is, lots of Facebook users don't think about it. And so, the Facebook "Dislike" button scam, so popular in Sept. 2010, is back in fashion, tricking those blinded by hope into fouling up the walls of their Facebook friends with annoying spam.

Sophos reports:

Like the "Preventing Spam / Verify my account"scam which went before it, the scammers have managed to waltz past Facebook's security to replace the standard "Share" option with a link labelled "Enable Dislike Button".

The fact that the "Enable Dislike Button" link does not appear in the main part of the message, but lower down alongside "Link" and "Comment", is likely to fool some users into believing that it is genuine.

Clicking on the link, however, will not only forward the fake message about the so-called "Fakebook Dislike button" to all of your online friends by posting it to your profile, but also run obfuscated Javascript on your computer.

You know the old saying: Those who don't remember Facebook spam scams are destined to annoy their friends. 

via Sophos

It's a trap!

Facebook says it's working with major Web browsers to fix the security holes that allow malicious apps to slip into the social network. Last week, Facebook rolled out security updates to help clean up the site. But common sense can go a long way towards not annoying your friends, too.

Consider the case of the "Dislike" button which you're asked to click to install.

When was the last time you had to install a Facebook update? You can enable or disable, opt out or opt in by checking boxes in your account settings. But whenever you have to "accept" an application, you're giving permission to a third party, not Facebook.

Scammers (both on Facebook and IRL) repeatedly trick users by offering something that appeals to our overwhelming curiosity and/or vanity. If the President of the United States says he's not going to show you pictures of Osama bin Laden's corpse, your next best bet is Wikileaks, and not a Facebook app.

Further, no Facebook app can show you who's been "stalking" your profile — that's against Facebook's Terms of Service. 

Other things you'll never see on Facebook? Let's review: That video of that thing Justin Bieber did to that girl, what happened when that girl's dad walked in on her and an authentic message from Facebook WRITTEN IN CAPS LOCK.

Oh!

And if you want to see what you'll look like when you're older? Wait.

More on the annoying way we live now:

• Facebook attacks scam spam with new security tools
• Bin Laden death photos? Stay away
• 7.5M kids lie to get on Facebook - parents don't care
• Facebook's Google smear campaign outed
• Facebook photo-tagging scam running rampant

Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook.

Google

Excited about Google Music, the recently announced free streaming service? A lot of folks are — and others are looking to take advantage of that enthusiasm by trying to get you to hand over your personal data on the basis that they'll give you what's needed to get started with Google Music.

If you get any such "offers" via email or text message or carrier pigeon, know that they're bunk. Google Music, in beta or test mode, is being done by invite-only by Google to those in the U.S., but that's it. It's not being offered by anyone else, period. You can go to this Google site to request an invite.

As website Mashable said Friday:

The beta doesn’t let current users give out invitations to their friends, so no one has spare invites to give you. That includes Mashable writers, your friends online, and any website claiming to be giving away Google Music invites.

Any person or website claiming to be “giving away” Google Music invites is lying, a fact we’ve just confirmed with Google representatives. Because of the way invites are handed out, they’re linked to specific Google Accounts. In other words, one person can’t request an invite and pass it on; the invite has to be requested and accepted by the same Google Account.

So far, we’ve seen all kinds of scam and spam out there around Google Music, from CPA surveys to data gathering apps that prompt you to enter personal information. We should be more surprised at the alacrity of these scam-hounds, but with every great product comes great potential for fraud. Free iPod, anybody?

As msnbc.com's Athima Chansanchai wrote earlier this week, "Once an invitation has been issued, Music Beta will be accessible to those with Gmail logins. Users will add their own music from their computers to the Google cloud."

Just be sure that when it comes to Google Music, the tunes may be in the clouds, but your head should not be.

Related stories:

• Cloud music to your ears from Google
• Cloud music service battle: Google vs. Amazon
• Google launching cloud music service, followed by Apple

Check out Technolog, Gadgetbox, Digital Life and In-Game on Facebook, and on Twitter, follow Suzanne Choney.

By now, everyone should have the memo:

The White House isn't sharing photos of Osama bin Laden's bullet-riddled corpse, let alone video — despite all that Facebook spam you may have seen last week promising you otherwise. Curious Facebook users who clicked the link were tricked into manually spamming friends as well, as their own profile, with the same fake info claiming to be straight from the BBC.

It seems those same scammers tried spamming Facebook email boxes with a "security check" that asks users to verify their accounts, reports F-Secure. Those people who fell for the fake verification (not from Facebook) will simply (unknowingly) spam their Facebook friends all over again.

Facebook says it has fixed the hole that let in this virus — a pretty sneaky one, considering the new security safeguards Facebook announced Thursday. The three-part rollout includes "Login Approvals," a partnership with safe-surfing tool Web of Trust, and prompts to make you think twice before clicking on phony offers or cutting and pasting malicious code into your address bar.

Facebook says it's working within the company and with major Web browsers to plug the holes that allow malicious content in the site — but history shows there's always something.Pay attention though, and these new tools can help you keep your profile safe and a little more spam-free.

Spreading spam annoys your Facebook friends. So stop
Clickjacking and tricking users into cutting and pasting malicious code into their address bars are the two big ways spam is spread around Facebook.

Clickjackers trick you into accessing links and/or "Like" buttons by hiding the code underneath content that piques your interest — such as a video of that thing Justin Bieber did to that girl that YOU WON'T BELIEVE. According to Facebook:

Now, when we detect something suspicious, we’ll ask you to confirm your like before posting a story to your profile and your friends’ News Feeds," Facebook explains in its blog. " If you have already clicked on a link resulting in an addition to your "Likes and Interests" section of your profile, you can edit your "Likes and Interests" field by clicking "Edit My Profile" underneath your profile picture. Then, select "Likes and Interests" from the left.

Facebook's new "Self-XSS Protection" is meant to prevent spam spread by users tricked into cutting and pasting malicious code into their address bars. According to the Facebook blog, "Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it’s a bad idea." Facebook's message will look like this:

Web of Trust points out the bad links
As well as the new warning prompts, Facebook has partnered with Web of Trust, a "free safe surfing tool that tells you which websites you can trust based on the ratings supplied by other Web of Trust community members." Click a link that is rated spammy or suspected of malware, and expect to see this:

Login Approvals keeps out the creeps
Login Approvals, a double-authentication system announced last month, guards against someone else logging on to your Facebook account on a different computer or mobile device, even if that person has your password.

If you choose to use it, whenever you log in to Facebook from a new or unrecognized device, we’ll require that you also enter a code we send to your mobile phone via text message. If we see a login attempt from a device you haven’t saved, you'll be notified upon your next login and asked to verify the attempt. If you don’t recognize this login, you'll be able to change your password with the knowledge that while someone else may have known your login credentials, he or she was unable to access your account or cause any harm.

In review, here are some things we can safely assume you won't see via Facebook: Osama bin Laden's body, that video of that thing Justin Bieber did to that girl, what happened when that girl's dad walked in on her, an app that reveals who has been looking at your profile, and an authentic message from Facebook WRITTEN IN CAPS LOCK.

Rest assured, these new security features don't erase reasons to complain about Facebook. They do, however, provide easy-to-understand protections users can easily take advantage of, and if you want to help prevent the spread of spam, make sure your friends know about these new tools, too.

Related:

• Facebook hacker posts stolen pics on porn site
• Facebook photo-tagging scam running rampant
• Facebook's Google smear campaign outed
• Creepy lip-syncing kids guilt moms off Facebook
• 7.5M kids lie to get on Facebook - parents don't care

Helen A.S. Popkin goes blah blah blah about the Internet. Tell her to get a real job on Twitter and/or Facebook.