Social networking is meeting an unfriendly visitor — social engineering.
Social engineering tactics — scams that depend on user interaction to carry out an attack against those same users — rose dramatically in 2006.
Over the past 12 months, Internet users got a little savvier to fake e-greetings and breaking news stories that tempt them to click on a link. They’ve learned through technology news headlines or first-hand personal experience that those links lead them to phishing sites and may secretly install spyware on their computers.
What Internet die-hards probably didn’t expect was social engineering scammers springing up on their beloved online networks.
As it turns out, for all the social engineering incidents of the past year, it was the worm and phishing attack against MySpace in early December that woke the world up to what some security experts are calling the next big Internet threat.
The attack forced the online social networking giant to shut down hundreds of user profile pages after a worm converted legitimate links to those that escorted users to a phishing site. The sinister site attempted to obtain personal information, including MySpace user names and passwords.
With the rise of Web 2.0 and more social interaction on sites like MySpace, LinkedIn and YouTube, security experts warn that we will see more hackers insert malicious code into dynamically generated Web pages in 2007.
Much like the recent MySpace attack, the goal is to remotely change user settings, access account information, poison cookies with malicious code, expose secure connections and access restricted sites. These hackers are after two things: identities and cash.
“Social networking sites are goldmines of information, and a social engineer’s dream. You don’t even have to go dumpster diving anymore,” Chris Boyd, director of malware research for FaceTime Security Labs, told the E-Commerce Times.
“I’ve seen profiles where users give out their home number, address, places they hang out … the works. And that’s before the bad guy has even lifted a finger to use any sort of system-based exploit,” he added.
Calculating the Danger
The danger is real, according to a study conducted by CA Technologies and the National Cyber Security Alliance (NCSA). In October, the alliance issued its first social networking study examining the link between specific online behaviors and the potential for becoming a victim of cybercrime.
Despite all the publicity about sexual predators on sites like MySpace and Facebook, the alliance took a different approach by measuring the potential for threats such as fraud, identity theft, computer spyware and viruses.
Although 57 percent of people who use social networking sites admit to worrying about becoming a victim of cybercrime, they are still divulging information that may put them at risk, as Boyd suggested.
Social networkers are also downloading unknown files from other people’s profiles, and responding to unsolicited instant messages that could contain worms, the NCSA reported.
“The payoff is almost always financial — even if they’re stealing login data, they’re only doing it to spam Web sites that install adware, such as the recent MySpace worm,” Boyd explained. “The impact on these sites can be gigantic. For example, the only real safeguard against the MySpace worm attack was to not use the service. You can’t get a bigger impact than that.”
The Rise of Web 2.0
At a high level, social engineering attacks are Web 2.0 attacks. As more users go online to take advantage of Web 2.0 applications like social networking sites, blogs, wikis and RSS feeds, malware authors are going to be right behind them, predicted Dan Nadir, vice president of product strategy at ScanSafe.
“The explosion in the popularity and use of Web 2.0 sites has made them an irresistible target for malware authors,” Nadir told the E-Commerce Times. “Early signs of this were evident in 2006. In August, the ScanSafe Threat Center found that up to one in every 600 social networking pages host malware, and in recent weeks, malware on Wikipedia, MySpace and YouTube has been exposed,” he said.
Web 2.0 user-contributed content means that the content on the thousands of URLs is constantly changing. Unfortunately, Nadir noted, many traditional Web filtering solutions rely on URL databases and honeypots (traps set to detect or deflect unauthorized users from accessing systems) and, therefore, are not in a position to keep up with the dynamic content that characterizes Web 2.0 sites.
What’s more, traditional antivirus solutions that require signatures will be slow to react to zero-day threats (threats that appear before a signature or patch is made available).
“Web 2.0 and the increasing shift toward Web services make many existing Web filtering and Web malware solutions ineffective,” Nadir warned. “The only way to keep up with the latest Web threats is to rely on a solution that actually scans the URL in real time every time it is requested, versus just comparing it to a dated list of URLs.”
Security researchers report that confidence tricks are an extremely popular way to draw the eye of social networkers, especially if they can fool the user into thinking the rogue executable is somehow related to “increased security.” Boyd has seen this a number of times on MySpace, and said certain sections of these sites are becoming “the equivalent of ghettos or red-light districts: no-go zones.”
Randy Abrams, director of technical education at ESET, believes user education is a key to thwarting social networking attacks. Users should never click on any links that ask them to install something, for example, or links in strange messages from people they don’t know.
“Users must learn to distrust e-mails that direct them to sites where they are asked to enter personal information,” Abrams told the E-Commerce Times. “If phishing disappeared overnight, another social engineering-based attack would spring up to replace it. The real defense is to learn how not to fall victim to social engineering. Technology is a very, very useful supplement but can’t solve this social problem.”
Is It Really a Problem?
Despite McAfee Avert Labs’ prediction that social networks will be a central malware theme in 2007, not all security researchers believe that social networking attacks are the next big target for malware.
Though there have been some instances of worms that use these sites to propagate, there have only been a few examples in the wild, according to Ed Moyle, a manager in CTG’s Information Security Services practice.
Moyle told the E-Commerce Times he understands the basis for the predictions, but still doesn’t believe these attacks will see the same level of popularity as traditional malware. The majority of social networking sites have a few features that help make them less appealing to malware authors: they are centralized and offer community enforcement.
“In all these cases, I think it comes down to one thing: profitability,” Moyle noted. “Most researchers agree that the motivation for malware development is increasingly financial. Given the features in these types of sites, I think it’s less likely that malware authors can readily ‘make a buck,’ and are likely to instead spend their time and energy in writing malware where they can guarantee a return.”