Top 8 Social Media Security Threats
By Michael Eggebrecht, Community Editor at CIOZone
Survey after survey has shown that an ever increasing number of corporate employees are using social networking sites in the office.
Many people see this as a good thing — social media is a powerful tool for collaboration, and staffers looking for answers to work-related questions often turn to networking tools.
But it also exposes organizations to dangers that are likely keeping some IT security staffers up at night.
As sites like Facebook, LinkedIn and Twitter have grown more popular, there has been some question about whether they have the security tools and policies needed to deal with a rapidly accelerating number of users.
And because the sites’ users are more trusting of the messages they get from their contacts, they have become a hot target for hackers.
According to Internet security vendor Kaspersky Lab, “malicious code distributed via social networking sites is ten times more effective, in terms of successful infection, than malware spread via e-mail.”
Max Kelly, head of security at Facebook, posted on the site’s security blog last year that, “due to the nature of the Internet, and the nature of malicious software, most Web sites will at some point need to deal with patching a security hole. All good Web sites take these issues very seriously, since no one wants users to suffer.”
No one doubts that Facebook and other social media sites take security seriously. But how effective are they in their efforts?
Last week, social networking sites were in the spotlight again, as a distributed denial-of-service attack aimed at silencing a Georgian blogger brought Twitter, Facebook and LiveJournal down for several hours. Critics say the sites didn’t handle the attack as well as they should have. But more worrisome are these recent attacks:
Koobface
Probably the best-known social networking virus, Koobface has been finding its way onto corporate computers since last August, when it began appearing on MySpace and Facebook, followed by LinkedIn and Bebo.
Koobface, which is used by cybercriminals to steal sensitive data, added Twitter to the list last month.
Koobface sends messages to the contacts of an infected account, tricking users into downloading a Trojan from a malicious Web site.
The danger, of course, is that even relatively savvy social networkers tend to be more trusting of messages from their peers.
And every time the nasty virus gets struck down it pops up again — more sophisticated than before — to create more zombies.
Earlier this month, a new round of attacks aimed at Facebook and Twitter utilized randomized URLs and language like “LOL” and “WOW” in the bad messages, making them harder to identify.
The Mikeyy Worm
In April, Brooklyn teenager Michael Mooney revealed just how vulnerable Twitter can be.
Over three days, the site was hit several times by the StalkDaily, or Mikeyy, worm, which took advantage of a cross-site scripting weakness to hijack users’ accounts.
As Mooney — AKA Mikeyy — explained in an e-mail to PC World, “The worm spread through multiple XSS exploits, which then reposted data with Ajax after getting their auth token.”
The worm was more or less harmless, merely using the infected accounts to send out nuisance messages like “Dude! Mikeyy! Seriously? Haha. ;)” — but all a user had to do to contract the virus was view an infected profile.
Twitter rushed to assure tweeters that the hole had been closed and no sensitive data lost, but the incident gave it a black eye in terms of security.
Mooney, who either created the worm out of boredom or to expose Twitter’s problem — his answer changed in nearly every interview he granted — almost immediately landed a security gig with software developer exqSoft Solutions.
He may have left his virus-crafting days behind, but there are plenty of other Mikeyys out there with more devious intentions.
Acai Attack
The Acai berry has been hyped as a wonder dietary supplement, but it also has been the subject of pyramid schemes and “free” trial offer scams. In May, Acai weight-loss spammers got ahold of hundreds of Twitter accounts and directed message recipients to a site where they could sign up for an Acai trial, according to security vendor Sophos.
While the purpose of the scam isn’t exactly a concern for corporations, the hackers’ ability to take control of the accounts should be. For Sophos, it’s a cautionary tale: “Far too many people use the same passwords on multiple sites, which obviously increases your chances of becoming hacked.” That’s a lesson that organizations need to stress to their staffers.
Facebook Phishing
In April and May, Facebook was hit by waves of phishing attacks from sites based in Latvia and China.
The hackers used Facebook’s internal messaging system to coax users into giving up their credentials on a fake Facebook log-in screen.
The goal? Create an army of spam zombies.
Facebook has emerged as a favored target for phishers, and it has taken heat for the ease with which they can take advantage of the platform.
Critics have accused the site of being slow to react to attacks and ignoring user warnings.
And by regularly sending embedded links in its e-mails to users, Facebook conditions them to click on links that appear to come from the site — even when they don’t.
Facebook has established a “phishing scam awareness” group and warns users that “before entering any sensitive information like usernames or passwords, make sure you are on facebook.com and not a similar, but different domain.” Is that enough?
Michael Fabricant
A high-profile victim of Facebook phishing can do a lot to raise awareness.
If you’re a politician, though, like U.K. parliament member Michael Fabricant, you probably don’t want that example to be … you.
In June, hackers used Fabricant’s Facebook account to send bad links to 1,500 of his friends — I’m assuming there were more than a few constituents in the bunch.
On his blog, Fabricant was apologetic. “If any of my Facebook Friends get a message from me called ‘Look at this’ — Don’t!
I did when I received a similar message and look what happened to me. Outlawed from cyberspace and unable to communicate now with my cyber friends.”
Graham Cluley, senior technology consultant at Sophos, took the opportunity to issue a warning: “A third of computer users admit to using the same password for every Web site they access, and if Fabricant is one of these, he should now make it a priority to change his login details before the hackers have a chance to get to his other Internet accounts,” he said.
TwitterCut
A key part of social networking is building your list of contacts. For Twitter users, that means bumping up the number of people who follow your tweets.
So when the TwitterCut worm showed up in May, sending out tweets that promised more than 1,000 loyal followers in just one day, it’s no surprise that the bad links got some clicks.
What’s more surprising is that when the destination site requested users’ Twitter password and log-in information, people were willing to fork it over.
To be fair, the TwitterCut site did a good job of aping Twitter — unsuspecting users may not have noticed the difference.
But once TwitterCut obtained the credentials, it spammed the users’ followers, in turn collecting their log-in details.
TwitterCut closed down at the end of May, though it insisted it wasn’t a phishing site and didn’t intend to do anything with the scores of credentials it had racked up.
More “Twitter trains” have since appeared. The lesson — one that obviously hasn’t been impressed on everyone — is simple: don’t share your log-in information.
Best Video
Is Twitter getting more dangerous?
Just one week after TwitterCut reared its head, Twitter users were treated to a new round of sketchy tweets — these from a Russian Web site (.ru) offering a YouTube video called “Best Video.”
Many curious users ended up downloading a fake antivirus application that claimed their computer was compromised (it was) and demanded payment to fix it.
“No matter how good that ‘best video’ looks, don’t go to any juste.ru domains,” warned Twitter on May 30.
An Embarrassing Hack
By gaining access to an employee’s account, hackers were able to send out nuisance messages from the Twitter feeds of President Barack Obama and Britney Spears earlier this year. But more embarrassing by far was a recent incident in which a hacker used a Twitter employee’s credentials to gain access to confidential documents.
Upon guessing the staffer’s personal e-mail password, the hacker was also able to access a Google Apps account where the documents — which included business plans, financial projections and a mishmash of other sensitive information — were stored.
Many of the documents were eventually published online by technology blog TechCrunch, which received them from the hacker last month.
While there has been debate about the wisdom of Twitter sharing such documents using Google Apps — and about the security in place in Google’s hosted application suite — Twitter co-founder Biz Stone was quick to defend Google.
“This attack had nothing to do with any vulnerability in Google Apps, which we continue to use,” he posted on a blog.
But one lesson that Twitter has hopefully learned from the hacker, who claims to have obtained employee credit card numbers in the attack, is that its employees need to use stronger passwords.
Michael Eggebrecht, Community Editor at CIOZone, was previously Managing Editor at Securities Industry News, a publication for technology and operations professionals in the financial services industry, and has also held positions as Interactive Media Designer for AOL and as Senior Copy Editor for RIA.
CIOZone.com is the first of its kind online meeting place for CIOs. It is built upon the foundation of social networking and combines user generated content and expert editorial together around an open source platform.
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author, CIOZone.com and to Information-Security-Resources.com
August 17th, 2009 at 10:00 am
This was a great article!
August 26th, 2009 at 8:55 am
One thing we find particularly interesting is that reasonable people who take adequate steps to stay safe online at home don’t feel the need to take those same simple steps at work. As social networking sites become a bigger part of day-to-day business, this may become an increasing problem for employers.
August 29th, 2009 at 10:26 am
Wow, I knew about Koobface, but the volume of different things out there is scary.
The corporate angle is also one that I hadn’t thought of before. Interesting.
September 17th, 2009 at 7:03 pm
These new worms bring additional threats to enterprise IT and individual users. Traditional anti-virus or anti-spyware cannot solve these threats effectively. It’s mostly based on the trust relationship between humans. Even a digital signature is weak here. Similar to the methods against spamming, there should be limitations for these kinds of bulk-volume requests and messages from single accounts or APIs. This might help mitigate these threats.