The proliferation of social networking sites has opened up numerous new opportunities for communication for both individuals and organizations. However, the downside of having such new opportunities is the dramatic increase in the volume and speed at which cyber-threats are being created.
Social networks are ever more appealing to Internet users, and privacy has become an important issue to be taken under serious scrutiny. Whether they’re strictly about socialization or business-oriented, it is easy to note that social networks are highly appreciated and popular. Tens of millions of members from countries all over the world connect using these platforms on account of their career, schooling, and hobbies.
Social networking is built on the idea of sharing information openly and fostering a sense of community. Unfortunately, an online network of individuals actively sharing their experiences and seeking connections with other like-minded people can be easy prey for hackers bent on social engineering and phishing attacks. It's important to be aware of the threats, and to maintain a well-documented procedure on how to use these services and what the best practices for staying safe are. And by the way.... have you noticed the increasing number of corporate data leaks that happened during the last few months?
If we were to compare the current threats to classical email attacks, both end users and employees learned over time that the system has flaws: that an email does not always come from a real user, or that attachments in spam messages are usually infected. That awareness made the life of a system administrator a lot easier.
However, social networks are still quite a new phenomenon, and judging by the number of users already on these services, we can easily draw the conclusion that there is a huge interest around them, which makes it really difficult for an organization to enforce a “stay away” rule on its employees. Because of the evolution of the technology and past experience, users expect (and are sometimes firmly convinced) that these services are safe.
Most of the time, the above statement is true: the services are indeed safer and the infrastructure is quite well designed. However, there are two main things that need to be taken into account: privacy and security.
While people would hesitate to approach unknown persons in the real world, or shout their thoughts in the middle of a group of unknown people, social networks make it extremely easy for them to socialize with individuals all around the globe. They exchange thoughts, beliefs, interests, photos on a regular basis and are able to stay informed about the others’ activities and daily routines at a click.
Apart from personal benefits, a business-oriented social network can also be used in marketing campaigns with a positive impact. Employees’ personal blogs, tweets, social accounts and their network friends’ reactions may boost brand awareness on the Internet. This is significant inasmuch as the respective employees keep their “followers” constantly informed about the developments in the company’s products or services. Consequently, social networks can be extremely efficient and proactive marketing tools. If you work in a corporation, raise your hand, all of you who have a dedicated employee for handling “social media”.
However, it is important for social network members not to be too generous while sharing details about their personal life, and to set a boundary on their curiosity about others’ private matters. It is not completely harmless for social network members to share too much of their personal life and routine, since they cannot completely control where all of this data ends up. Once posted, the information becomes public – within anyone’s reach – and ill-intentioned individuals will not hesitate to take advantage of these treasures.
For instance, members of a professional social network could find themselves approached by various unknown individuals asking to be added to their contact list. In doing so, professional network users need to be aware that the “new unknown friend” might exploit their own contacts’ information. An older study by BitDefender states that a high majority of the people approached by unknown persons on Facebook will accept their friendship request if enough social engineering is involved. Once secured, the victim’s contact list might become a data pool for recruitment purposes, or a set of spam/phishing/impersonation targets.
Employers should also see the warning signs. Most of the social networks out there have at least one field dedicated to the user’s career and employment history, so every single action of the user might also reflect on the employer. Most companies build their success and respect on moral standards – the very moral standards the social networking user / employee couldn’t care less about. By various associations (such as publicly posted pictures of the employee in inappropriate stances), an employer could see its core values diminished.
Practical scenario: an employee who has a solid base of contacts within the company might, whether voluntarily or not, open the door to, say, an HR recruiting agency by simply accepting a friendship request. Subsequently, the HR agency will be able to browse all of the user’s contacts and look for suitable (or key) personnel to recruit away from the current employer. Employees should always keep in mind to add to their list only the people they actually know and are colleagues and friends with, and to permit access to their list of contacts only to the persons on that list.
The other main aspect that has to be considered is security, and in the past years we’ve seen several examples of badware lurking on social networks.
For instance, there are at least half a million Facebook users falling for “see who viewed my profile” applications. End users and employees need to understand that these sorts of applications do not exist in reality, since Facebook doesn't offer the possibility of computing such numbers. These applications will just show users random numbers instead of the actual people that viewed their profile, while in the background they post messages on the user’s wall and send his or her private information to their creators.
Koobface, which was probably the most publicized malware spreading on Facebook, is one of the most advanced e-threats related to social networks. Its ability to compromise a wide range of social networks and its extremely advanced infection mechanisms make it the ultimate war machine, ready to lay siege to users’ social network accounts.
Once installed on the local machine, the worm looks for cookies belonging to well-known social networks, such as Facebook®, Twitter®, Hi5™, Friendster® and MySpace™, among others. However, there's more to Koobface than meets the eye: every iteration of the worm brought additional surprises to build on its previous features, such as CAPTCHA breakers, locally-installed HTTP servers, keyloggers and FTP file uploader components, as well as a rogue DNS changer and an advertisement pusher.
In order to spread from one infected account to another, Koobface sends messages on behalf of the compromised users to all their friends. Since Facebook® is extremely restrictive with large numbers of messages originating from the same account in a short time span, the worm forces the infected user to solve the CAPTCHA dialog for it. After the CAPTCHA has been successfully "defeated", it posts a link to a fake YouTube™ video concealed with a URL shortening service (usually bit.ly). Unwary users clicking on the malicious link will subsequently be asked to install a codec, which ultimately turns out to be the very downloader that drops, installs and "configures" the Koobface worm.
Likejacking: the process whereby posted content is LIKED without the user’s consent or knowledge. Simply put, after clicking a link (to view the content behind it), users find that a message has been automatically posted on their Wall, on their behalf, saying that they LIKED that link. Usually, once they’ve illicitly secured the users’ LIKE, the creators of the page on which the content is placed can replace it with malicious elements.
Consequently, the link that remains on the user’s wall for everyone to see can later on lead to all sorts of content that puts users’ accounts and their computers in danger: phishing pages or, even worse, malware disguised as various useful plugins (video codecs, flash players, etc.).
Usually, a likejacking attempt involves two simple things: the bait (the message that attracts curiosity) and where it takes you (the address where the video content is stored).
When it comes to the bait, social engineering is the best approach: there’s scandal to be witnessed or shock to be had (adult content, irreverent behavior in teenage girls, acts of cruelty, and so on).
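Likejacking works by clickjacking: the Like button is loaded in a hidden frame under the bait the visitor actually clicks, so the click lands on the button rather than on the video. A page can only be abused this way if third-party sites are allowed to frame it, which is why web applications that host such buttons or forms restrict framing with `X-Frame-Options` or the `frame-ancestors` directive of `Content-Security-Policy`. The following Python check, which is an added example and not code from the original post or from BitDefender, evaluates a set of constructed response headers and reports which ones still permit framing by an arbitrary origin; the sample responses and their names are made up for illustration.

```python
"""Check whether an HTTP response's headers allow third-party framing.

Likejacking is a clickjacking variant: a hidden frame holding a Like button
sits under the bait the visitor clicks. A page that forbids framing by
other origins removes that precondition. The responses below are
constructed sample headers, not real captures.
"""
from typing import Dict, Mapping

# Constructed sample responses, keyed by an illustrative name (not real sites).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    # frame-ancestors is honoured over X-Frame-Options where CSP is supported,
    # so this contradictory pair still leaves the page frameable.
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"},
}


def framing_allowed(headers: Mapping[str, str]) -> bool:
    """Return True if an arbitrary third-party origin could frame this page.

    Content-Security-Policy frame-ancestors takes precedence over
    X-Frame-Options; when it is present, X-Frame-Options is ignored.
    A page with neither header can be framed by anyone.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # An empty source list or 'none' forbids all framing; a list
            # consisting only of 'self' restricts framing to the same origin.
            if not sources or sources == ["none"]:
                return False
            if all(s == "self" for s in sources):
                return False
            # Any explicit host or '*' means some other origin may frame us;
            # treat that as allowed, since the check is about third parties.
            return True

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    # ALLOW-FROM is obsolete and ignored by current browsers, so it offers
    # no protection; any other or missing value also leaves framing open.
    return True


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, bool]:
    """Map each sample name to whether its headers leave the page frameable."""
    return {name: framing_allowed(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, frameable in audit(SAMPLE_RESPONSES).items():
        status = "FRAMEABLE" if frameable else "protected"
        print(f"{name:15s} {status}")
```

Run against real responses, the same function would take the headers returned by an HTTP client for pages of your own site; a result of `True` for a page that embeds a Like button, a login form or any state-changing control is the condition likejacking relies on, and the fix is to emit `frame-ancestors 'self'` (or a deliberate allow-list) from that page.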
The days of email phishing, email spam and classical viruses are slowly coming to an end, and this is happening not because the security industry is winning the war, but because with the rise of new communication platforms, such as social networks, instant messaging, voice-over-IP communication and smart phones, a whole new world of possibilities was born for spammers and malware writers, where high-tech skills are not mandatory. Sure, email spam and classical malware are going to be here for a while, but why not take advantage of the new features in social networks or the entire Web 2.0 concept?
However, it’s not just about social networks: every communication platform becomes a target nowadays. As a general rule, the easier a service is to penetrate, the more attacks it draws, and although current services are well architected, they are still highly susceptible to social engineering attacks.
Computer users and company management should understand that it is extremely difficult to keep employees away from social networks. Since they are highly addictive, users will keep searching for ways to access those websites, even if the company policy is to completely block them, which means that users might unknowingly open security holes. Instead of blocking them, a better idea would be to educate employees on how to stay safe while using these services.
Employees need to be educated in regard to what they share. Both end-users and corporate employees should refrain from posting things online that they would later regret. Odds are good that someone, someday, will stumble across it, and it may come back to haunt them. Aside from simply abstaining from posting embarrassing or inflammatory comments online, users should take two fundamentals to heart: remember who their friends are, and know that a friend of a friend can be an enemy.
As an end to this blog post, it goes without saying that only a strong community can sustain the effort of keeping everyone safe, and we count on you to fight cyber-criminals together with BitDefender. We are looking for feedback, interaction, and an exchange of ideas on the best approach to educate the market.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.