Wednesday 20 May 2009

A guide to safer social networking


Just because that link was tweeted or messaged to you by a colleague doesn’t mean you should click it.

Just because your friend published a list of 25 previously unknown things about themselves doesn’t mean you need to reciprocate. Just because a celebrity you respect tweeted a link doesn’t mean it’s safe to follow it, particularly when the real destination is obscured through a URL shortening service.
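One practical way to take the guesswork out of a shortened link is to resolve where it really points before anyone clicks it. The script below is an added example written for this post, not the author's or Trend Micro's code: it walks the redirect chain one hop at a time with HEAD requests (never downloading the final page), caps the number of hops, detects redirect loops, and reports the final host for a human decision. The `fetcher` parameter, the `SHORTENER_HOSTS` sample list and the `FAKE_TABLE` redirect map are assumptions introduced here so the walk can be exercised offline.

```python
"""Preview the real destination of a shortened URL without visiting it."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed sample of shortener hosts worth flagging (assumption, not a
# complete list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "is.gd", "t.co", "ow.ly"}
MAX_HOPS = 5


def is_shortened(url):
    """True when the link's host is a known URL shortener."""
    return urlparse(url).hostname in SHORTENER_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """Issue one HEAD request; return its Location header or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, a 3xx surfaces as an HTTPError whose
        # headers still carry the Location we want.
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def expand(url, fetcher=head_location, max_hops=MAX_HOPS):
    """Follow redirects hop by hop.

    Returns (final_url, chain, truncated); `truncated` is True when the
    walk stopped because of the hop cap or a redirect loop.
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        nxt = fetcher(current)
        if not nxt:
            return current, chain, False
        nxt = urljoin(current, nxt)  # Location may be relative
        if nxt in chain:
            return nxt, chain, True  # loop: stop rather than spin
        chain.append(nxt)
        current = nxt
    return current, chain, True


def preview(url, fetcher=head_location):
    """Summarise a link for a human: where it ends up and how it got there."""
    final, chain, truncated = expand(url, fetcher)
    return {
        "shortened": is_shortened(url),
        "final": final,
        "final_host": urlparse(final).hostname,
        "hops": len(chain) - 1,
        "truncated": truncated,
    }


# Constructed offline redirect table standing in for real shortener
# responses (assumption; no network access is needed to run this file).
FAKE_TABLE = {
    "http://bit.ly/abc": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "/landing",  # relative Location header
    "http://tinyurl.com/landing": "http://example.com/final",
}


def fake_head(url):
    """Offline stand-in for head_location using FAKE_TABLE."""
    return FAKE_TABLE.get(url)


if __name__ == "__main__":
    print(preview("http://bit.ly/abc", fetcher=fake_head))
```

In real use, call `preview(url)` without the `fetcher` argument so `head_location` performs the HEAD requests; the hop cap and loop check keep a hostile redirect chain from tying the checker up, and the only thing the user sees is the final hostname to judge.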

Social networking has rapidly gained acceptance in all walks of life. Facebook boasts close to 200 million users. MySpace doesn’t advertise its figures but it is certainly Facebook’s closest competitor in terms of user numbers. Bebo can count in excess of 40 million users.

The customers of these social networking providers are not exclusively the school- or university-aged either. In fact, two-thirds of the world’s internet population now visit social networking or blogging sites, accounting for almost 10% of all internet time, according to a March 2009 Nielsen report.

It’s not just about social networking sites though. The professional networking site LinkedIn has a new member joining almost every second and will soon hit 40 million members, while micro-blogging service Twitter grew a staggering 1382% year on year in February 2009.

Explosive growth
With explosive growth and user populations of this order it’s hardly surprising that these services also appear to be coming of age as attack platforms for cybercriminals.

Among the more traditional attacks we have seen facilitated through social networking sites over the past few months, you can count the following.

• Several outbreaks of (so far) non-malicious worms on Twitter, using cross-site scripting vulnerabilities or clickjacking.
• Fake Bebo and LinkedIn profiles containing links that lead to malicious downloads.
• Rogue applications that appear to be designed for information harvesting and the infamous Koobface worm on Facebook.
• Hijacked profiles being used for 419 scams direct from one friend to another.
• Scam advertisements leading to bogus multi-level marketing schemes, or worse.


There are several entry points available for cybercriminals into the interactive playground of social networking: fake or compromised profiles, malicious applications, malvertisements, cybersquatting, spam and phish masquerading as legitimate notifications from social networks, information harvesting through group memberships, cross-site scripting vulnerabilities and direct messages, just for starters.

Victims are at risk of identity theft, fraud, infection or simply of becoming an attack platform to infect or defraud their own friends and colleagues.

Bound by trust
The one thing that all of these attacks have in common, though, is the very thing that binds social networks together: trust. Because the attacks, messages and links come from friends or colleagues, they appear far more credible than the average spam email from a stranger.

Even the Koobface worm with its almost textbook standard spam messages such as “You are veryy ggood at pposing to a spy cameera!” becomes that little bit more believable when it comes from someone you know.

And, of course, when we choose to join a community, by default we naively choose to share all of our personal information with any other member of that community simply on the basis of a mutual shared interest.

Most of us are guilty of being far too trusting and far too free with our personal information online. We give away little snippets (or great chunks in some cases) of our personal lives in what is essentially a public or at best only semi-private forum, making the work of criminals such as carders and ID fraudsters far more simple.

More aware
In fact I have seen social networking sites spoken about in underground carding forums as a “free date of birth look-up service” along with a wealth of tips on how best to exploit these kinds of platforms.

We need to become far more aware of the value of our personal information and, importantly, the information we have about our friends. We also need to become far more conversant with the privacy controls available on social and professional networking sites and actually use them.


There is no need to fill out that questionnaire “25 Things About Me” and post it on your profile. There is no need to share your entire employment, educational or address history.

There is no need to share your “Porn Star Name” (first name = name of your first pet, family name = mother’s maiden name); isn’t that exactly the kind of information needed to reset your email account password, or access your financial data? And there is no need to volunteer the email addresses of friends and family when asked to recommend a “joke” website or application to 10 friends.

When your personal information becomes public it is out of your control and soon out of sight. Criminals can and do use this stuff to break into your online accounts. Just ask Sarah Palin.

Next time, before you hit “Post”, ask yourself this: “if a stranger called me on the telephone asking for this information, would I tell them?” If the answer is “No”, then step away from the mouse.
Rik Ferguson - Trend Micro
