Social Networking – A Playground for Cyber Criminals
As a Security Analyst, I witness very sophisticated Advanced Persistent Threat (APT) attacks as well as low-level cyber criminals attempting to steal bank information, credit card data and website login credentials. One commonality that the cyber criminals and the APT share is the method for gaining access to information, which typically occurs through an end user's email. When it comes to the criminal element of cyber attacks, I am often amazed at the lack of sophistication and effort exerted against their victims. It leads me to ask the question, “How on earth are these ever successful?”
There are, however, exceptions that can trip up anyone, even those within the information security profession. The right mixture of appropriate images, verbiage and the use of legitimate email addresses can open the way for a successful attack.
Yesterday I received a Twitter “direct message” from a friend of mine titled: “Hey this user is saying horrible things about you… tinyurl.com/xxxxx”.
Normally, I would have ignored this message entirely if it had originated from someone unknown to me, but this was from a close friend. Not only was it a friend, it was worded in such a way that I actually believed for a second that he could have potentially written this direct message to me. Thankfully, because of my mistrust of almost everyone and my annoying obsessive compulsion to verify received messages with their senders, I was able to avoid this attempt at hijacking my Twitter account. It turns out that my friend's account, which was used to send this direct message, had been hijacked using this same technique.
Let’s discuss for a second why this would have been successful under normal conditions.
- The message plays off of our desire to know what someone else is saying about us, especially within the context of social networking. Instant emotion can drown out the rational decision-making that would prevent these types of attacks from succeeding.
- This was sent from a legitimate Twitter mail server using the “Direct Message” function of Twitter. This adds a layer of credibility to the attack that plays on your desire to believe this is a legitimate email.
- It uses a tinyurl shortened link to obfuscate the destination of the link within the message. For most people, this is an effective measure to keep the potential victim from knowing where the request is actually going.
If this had been successful, what would have happened?
Well, a clever set of redirects would have sent the user on at least 4 hops down the road, until they landed at a well-crafted web page that looks just like a Twitter login page. You can imagine the damage caused by logging into this impostor Twitter web page. Unfortunately, my friend, who is a very savvy web user steeped in web technologies, found out the hard way: hundreds of “direct messages” were sent to his entire contact list, including his friends, family and business contacts.
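As an added example that is not part of the original post, here is a small Python checker a defender can use to expand a shortened link one redirect at a time and flag the two tells described above: a long chain of hops, and a landing page whose hostname borrows the Twitter brand without being twitter.com. The live fetcher uses only the standard library; `SAMPLE_HOPS`, the `.example` hostnames and `tinyurl.com/EXAMPLE` are constructed stand-ins so the demo runs offline, and the trusted-host list is an assumption.

```python
import urllib.request, urllib.error
from urllib.parse import urlparse, urljoin

TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}  # assumed genuine login hosts

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise HTTPError on 3xx instead of silently following

def http_fetch(url, timeout=10):  # one request; redirects are NOT followed
    try:
        return urllib.request.build_opener(NoRedirect).open(url, timeout=timeout).status, None
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def expand_chain(url, fetch=http_fetch, max_hops=10):
    """Walk redirects hop by hop; stop on a loop, a non-redirect or max_hops. Returns (urls, status)."""
    chain, status = [url], None
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or location is None:
            break
        url = urljoin(url, location)  # Location may be relative
        if url in chain:              # redirect loop
            break
        chain.append(url)
    return chain, status

def assess(chain, trusted_hosts=TRUSTED_LOGIN_HOSTS, suspicious_hops=3):
    """Return warning strings for the chain; an empty list means nothing was flagged."""
    warnings, hops = [], len(chain) - 1
    if hops >= suspicious_hops:
        warnings.append(f"{hops} redirect hops before the landing page")
    host = (urlparse(chain[-1]).hostname or "").lower()
    if "twitter" in host and host not in trusted_hosts:  # brand name on a foreign domain
        warnings.append(f"look-alike landing host: {host}")
    return warnings

# Constructed offline stand-in for the network (url -> (status, Location)); every
# hostname below is made up, mimicking the multi-hop chain the post describes.
SAMPLE_HOPS = {
    "http://tinyurl.com/EXAMPLE": (301, "http://redir-one.example/go"),
    "http://redir-one.example/go": (302, "http://redir-two.example/next?id=1"),
    "http://redir-two.example/next?id=1": (302, "/r/tracker"),
    "http://redir-two.example/r/tracker": (302, "http://twitter.login-secure.example/login"),
    "http://twitter.login-secure.example/login": (200, None),
}

def demo(start="http://tinyurl.com/EXAMPLE"):
    chain, status = expand_chain(start, fetch=lambda u: SAMPLE_HOPS.get(u, (404, None)))
    return chain, status, assess(chain)
```

Against a real shortened link, call `expand_chain(url)` with the default `http_fetch` and read the printed chain before deciding whether to open the final page in a browser.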
Of course, these types of attacks happen several times a day producing millions of victims. The fallout from account hijacking can be painful to reverse, and often requires time to gain control of the account and contact those who may have also received the message from your account.
If there is any sharing of passwords between your social networking accounts and financial institutions, there is always a chance of financial and personal credit implications. This can complicate the recovery significantly, potentially costing the victim thousands of dollars and a great deal of time recovering funds.
Protecting your Social Networking Accounts
Social networking websites, such as Twitter, provide cyber criminals a veritable treasure trove of potential victims all in a convenient location. Once a legitimate account is hijacked, it only takes a few minutes to acquire enough account information to compromise other social networking accounts. Here is something to consider: if you participate in multiple social networking websites, make sure that your passwords and password recovery information are different for each account. Because social networking websites have become so closely intertwined, one compromised account can lead to several, especially if your passwords or security questions are the same or similar.
Remain vigilant. Seriously, remain vigilant. Scrutinize the email you receive, and contact the sender if you are suspicious of the mail or messages received. Educate yourself about the types of attacks you can expect as an account holder of a social networking website. You never know, you may be the person on a friend's contact list who lets them know they have been compromised. The faster the detection, the faster the damage can be stopped.