
Facebook Attacks on the Rise

Symantec advises users to observe security best practices

Since the beginning of May, Symantec has observed a new wave of phishing attacks on Facebook users. The attack uses a compromised Facebook account to send a malicious link to the account's friends, directing them to a site that looks identical to the Facebook login page. Users are prompted for their login credentials, which are phished; attackers then use the newly compromised accounts to send similar phishing e-mails to those users' friends in an attempt to gather more login credentials. Symantec is aware of this threat and we have no reports of infection. For more information, visit the Symantec Security Response blog.
 
Symantec advises users to observe security best practices by maintaining a high level of caution about any message from within a Web site, or that appears to be sent by that Web site, and to protect themselves by updating their security definitions. Consumers who use the same password for multiple accounts, including online shopping and banking, are most at risk. Cybercriminals will quickly be able to access all of their online accounts and cash in on the password the victim provided.
 
Most importantly, consumers must maintain a high level of caution about any messages they receive from within a Web site or that appear to be sent by that Web site. Rather than clicking on any links in a message, type the URL directly into the browser's address line. Double-check that you've arrived at your destination: when clicking over to a Web site, make a habit of looking at what appears in the address line. You might not always be able to spot a fake site, but in the case of this particular scam, it's obviously not www.facebook.com.
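
The address-line check described above can be automated in a mail filter or link scanner. The following is an added example, not part of the Symantec advisory: it parses a link the way a browser does and accepts it only when the host is exactly a trusted name. The `TRUSTED_HOSTS` list, the `checkLink` helper and the sample links are assumptions constructed for illustration.

```javascript
// Hosts treated as genuine in this sketch (an assumption, not an official list).
const TRUSTED_HOSTS = new Set(["facebook.com", "www.facebook.com"]);

// Decide whether a link's real destination is a trusted host.
// A substring test ("does it contain facebook.com?") is not enough: the
// trusted name can appear as a subdomain label, before an "@", or in the path.
function checkLink(link) {
  let url;
  try {
    url = new URL(link); // same parsing rules the browser applies
  } catch {
    return { trusted: false, reason: "not a parseable absolute URL" };
  }
  // Anything before "@" is login info, not the destination.
  if (url.username || url.password) {
    return { trusted: false, reason: `text before "@" is not the host; real host is ${url.hostname}` };
  }
  // The parser lowercases the host; drop a trailing root dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  if (!TRUSTED_HOSTS.has(host)) {
    return { trusted: false, reason: `host is ${host || "(none)"}` };
  }
  return { trusted: true, reason: `host is ${host}` };
}

// Constructed sample links on reserved example domains, not taken from the campaign.
const SAMPLES = [
  "https://www.facebook.com/login.php",
  "https://www.facebook.com.login.example.net/",
  "https://www.facebook.com@login.example.net/",
  "https://login.example.net/www.facebook.com/",
  "https://faceb00k.example/login",
];

for (const s of SAMPLES) {
  const r = checkLink(s);
  console.log(`${r.trusted ? "OK  " : "STOP"} ${s}  (${r.reason})`);
}
```

Only the first sample passes; in the others the trusted name appears in the link but is not the host the browser would actually contact.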
 
Use complex passwords and unique ones for each site.  A few suggestions:

  • Use a combination of uppercase and lowercase letters, symbols, and numbers
  • Make sure your passwords are at least eight characters long. The more characters your passwords contain, the more difficult they are to guess
  • Try to make your passwords as meaningless and random as possible
  • Use different passwords for each account
  • Change your passwords regularly. Set up a routine, changing your passwords the first of each month or every other payday
  • Never write your passwords down, and never give them out—to anyone.
  • Don't use names or numbers associated with you, such as a birth date or nickname.
  • Don't use your user name or login name in any form
  • Don't use a derivative of your name, the name of a family member, or the name of a pet
  • Avoid using a solitary word in any language
  • Don't use the word password
  • Avoid using easily-obtained personal information. This includes license plate numbers, telephone numbers, social security numbers, your automobile's make or model, your street address, etc.
  • Don't answer yes when prompted to save your password to a particular computer. Instead, rely on a strong password committed to memory or stored in a dependable password management program