Social Media has been the buzz word recently. While I am writing this post, there are more than 500 million active users accessing Facebook and 50% of active users log on to Facebook at least once a day from their office, home , coffee-shop , school, or while on the move. Today most of the organizations have active presence over Linked In, Facebook or Twitter. Social Media has emerged as an effective marketing tool to engage with mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research Inc said, “Social media isn’t a choice anymore – it’s a business transformation tool”.
The advent of new means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using the Social Media as the prominent way to retrieve vital information from the users. They also make usage of specific social networking malwares for financial gains. Message or web links coming from immediate connections over Facebook or Twitter make users believe that they are genuine and nothing wrong clicking them. Scammers leverage on this fact and exploit human parameters like greed, trust, fear and curiosity etc. to conduct wide variety of phishing attacks. As per the latest Anti-Phishing Q2 2010 Report, there is definite rise observed in social networking phishing attacks. As the statistics illustrate, the attacks were accounted for nearly 3 percent of reported attacks in Q2 which was almost negligible in Q1 of 2010.
Any current hyped political situation, news stories, videos or mishaps are good enough to make the user click on the link and redirect to the desired (malicious) website. The message is defined to pull your curiosity or it is made strong enough to create sympathy towards tragedy affected people. It is very unlikely that you have not seen these kinds of messages on your wall or twitter box-
“Did you see how will u look like in 20 years from now? lol: http://bit.ly/gbdhuD ”
“They need your help, Pls donate http://ntbnking.lnkd.it/jpn/donation “
“Hey, I am your old college mate! Just joined your company, Why not reconnect? - http://biz.ty/23424 ”
“I bumped into some of your old friends the other day; they wanted me to send you this - http://facebooklink”
The above websites could be asking for your net-banking credentials for donation to affected people, sensitive information about your organization or any other personal information which is valuable to scammers. By clicking on this link, malware / virus get downloaded on your systems and the system gets compromised. Many a times, scammers target one social networking site user account, compromise it using script and the same script gets propagated to his / her friends’ accounts. These are better known as self-replicating malwares which make usage of application vulnerabilities like Invalidated redirects, click jacking, and cross site request forgery etc. to spread across multiple user accounts. For mobile users, it becomes even worse as it is not easy to verify authenticity of URLs.
I am sure you will agree that it is not easy to stop usage of social media completely even though there are definite risks involved. The organizations need to look beyond traditional technology controls as the continuous education and awareness is the only solution to fight against phishing attacks.
An organization can take following steps to fight against phishing attacks:
- Establish a social media strategy. Clearly document and enforce what is allowed / not allowed to discuss and disclose in social networking sites
- Conduct social media awareness programs which should include the rewards and risk of social media. It should also cover how to identify phish websites and differentiate between original and fraudulent website
As an employee, following best practices can be adopted to evade becoming prey of phishing attacks
- Never click on a link or a bookmark which is associated with financial transactions or asking for any sensitive information; instead always have a practice to manually type URL in the address bar.
- Do not click on links which ask to download ActiveX or software on your system as they could be Trojan / malware which later becomes the control center to remotely control your and other systems inside the network.
- Ensure that the site is authentic and using secure layer (https) before providing any sensitive information about self or your organization.
- Report suspected links to internal security team as well as particular social networking sites so that they can work with the hosting provider to bring down the phish website
Both, the organization and its employees have to play their part to fight against phishing risks over Social Media.