Aujas US

An IDG Ventures Company

Phishers Target Social Media, Are You the Victim?

Phishers target social media

Phishers are targeting social media. Your company and employees have to play their part to fight them.

Social media has been all the buzz recently. While I am writing this post, there are more than 500 million active users on Facebook, with 50% of them logging on at least once a day from their office, home, coffee-shop, school, or while mobile. Today many organizations have an active presence across LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool to engage with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research, Inc., said, “Social media isn’t a choice anymore – it is a business transformation tool”.

This new and growing means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media in a big way to retrieve vital information from users. They also use social networking malware for financial gains. Message or web links coming from immediate connections over Facebook or Twitter lead users to believe that they are genuine and there’s nothing wrong with clicking them. Scammers leverage on this fact and exploit human emotions such as greed, trust, fear, and curiosity to conduct phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite increase in social networking phishing attacks. While attacks were almost negligible in Q1 of 2010, they accounted for nearly 3 percent of reported attacks in Q2.

Any current hyped political situation, news stories, videos or mishaps are good enough to make the user click on the link and redirect to the desired (malicious) website.  The message is defined to pull your curiosity or it is made strong enough to create sympathy towards people affected by tragedy. It is very unlikely that you have not seen these kinds of messages on your wall or twitter box-

“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD 

“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation 

“Hey, I am your old college friend! Just joined your company; why not reconnect? – http://biz.ty/23424 

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink

The above websites could be asking for your Internet-banking credentials for donation to affected people, sensitive information about your organization or any other personal information which is valuable to scammers. By clicking on this link, the malware or virus gets downloaded your system is compromised.

Often scammers target one social networking site user account, compromise it using script, and this script gets propagated to the user’s friends’ accounts. This is called self-replicating malware, and uses application vulnerabilities such as invalidated redirects, click jacking, and cross-site request forgery to spread across multiple user accounts. For mobile users, it becomes even worse because it is not easy to verify authenticity of URLs.

I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. Organizations need to look beyond traditional technology controls, and look to continuous education and awareness to fight phishing attacks.

Organizations can take following steps to fight against phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is allowed and not allowed to discuss and disclose in social networking sites.
  2. Conduct social media awareness programs which should include the rewards and risk of social media. It should also cover how to identify phish websites and differentiate between original and fraudulent websites.

As an employee, these best practices can help you avoid becoming prey of phishing attacks:

  1. Never click on a link or a bookmark which is associated with financial transactions or asks for any sensitive information; instead always have a practice to manually type URL in the address bar.
  2. Do not click on links which ask to download ActiveX or software on your system as they could be Trojan / malware which later becomes the control center to remotely control your and other systems inside the network.
  3. Ensure that the site is authentic and using secure layer (https) before providing any sensitive information about yourself or your organization.
  4. Report suspected links to your internal security team and the social networking site so that they can work with the hosting provider to bring down the phish website.

Both the organization and its employees have to play their part to fight against phishing risks over social media.

Aujas can help your company manage risk from phishing threats with its industry-leading Phishing Diagnostic Solution. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

Advertisements

April 27, 2011 Posted by | Cyber Crime, Identity Theft, Phishing, Risk management, Social Engineering | , , | Comments Off on Phishers Target Social Media, Are You the Victim?

Right to Internet Use

social networkingThe United Nations advocates making “Right to Internet Access” a human right, one which countries such as Estonia, France, Finland, Greece and Spain have already implemented. This got me thinking about how we would look at “Right to Internet Use”, e.g., social networking.

We all know the power of social networking, its adaption and growth. According to Facebook, more than 500 million users spend over 700 billion minutes per month on the site. However, not many of us could have imagined its impact on reshaping the political landscape of countries. Perhaps the most talked about example is that of a 26-year-old woman, worried about the state of her country, who wrote on Facebook, “People, I am going to Tahrir Square”. The message soon snowballed into a movement to oust Egyptian President Hosni Mubarak. As another example, China’s reaction to what is called the “Jasmine Revolution” was swift, with filtering and monitoring on popular social media websites and services.

The buzz is about the CSM (Cloud, Social Media, Mobile) phenomenon which is reshaping the Internet world. It’s already established that social networking has overtaken search as the primary reason for users to access the Internet. Facebook has more than 200 million active users who use mobile for access, and these users are twice as active as non-mobile users.

Consumerization of the Enterprise, combined with the CSM phenomenon and recent political events, make me feel that this is not just about adaption of new technologies but more about changes and impact on the history of mankind. It’s not just about using new technologies and models to provide better services at lower cost to a larger user base. It’s about a medium to communicate, participate and influence changes in the world.

One can think of several positive and negative uses of this phenomenon. If used well, it can bring about necessary changes and revolutions. But it can also be used to spread panic and lead to concepts like “social networking terrorism”.

The CSM phenomenon is too strong and important to be ignored. Would censoring of this medium be possible? Like the Internet, CSM could be considered as a human right, leading to positions on “Right to Internet Use”.

At an Enterprise level, blocking and not adopting CSM is a risk management control which is not sustainable. Users and business would not accept this posture. We need to find answers for the two main reasons why some Enterprises are staying away from adoption of CSM, which are “Confusion and Fear”.

February 23, 2011 Posted by | Cloud Security, Enterprise Security, Social networking | , , , , , , , | Leave a comment