Social media, mobile phones top attack targets

Hackers exploiting lack of security basics, finds IBM X-Force analysis

security warning malware

Social media has become a top target of hackers and mobile devices are expanding that target, IBM reported on Tuesday in its X-Force 2013 Mid-Year Trend and Risk Report.

Attacks on enterprises are getting increasingly sophisticated, the report said.  Some attacks studied by IBM researchers were opportunistic -- exploiting unpatched and untested web applications vulnerable to basic SQL injection or cross-site scripting.

Others were successful, the report continued, because they violated the basic trust between end user and sites or social media personalities thought to be safe and legitimate.

"Social media has become a new playground for attackers," said Kevin Skapinetz, program director for product strategy for IBM Security Systems.

The report noted that a growing trend this year is the takeover of social media profiles that have a large number of followers. The trend continues to play a pivotal role in the way attackers are reaching their targets.

"It's one thing to get an email or spam from someone you've never heard of," Skapinetz said in an interview. "It's another thing to have one of your friends have their account compromised and send you a link that might interest you."

Traditional sources of online aggravation can't resist the siren call of social media, either. "Even if email is used in an attack, it will be under guise of coming from a social media account," he said. "Attackers are becoming more operationally sophisticated."

Social media attacks can affect more than the usual suspects, too. Social media exploits affect more than individuals; they can negatively impact enterprise brand reputation and cause financial losses, the report said.

Mobile devices are also becoming a hacker magnet. "Although mobile vulnerabilities continue to grow at a rapid pace, we still see them as a small percentage of overall vulnerabilities reported in the year," the report said.

What may be making matters worse is the proliferation of mobile devices in the workplace under Bring Your Own Device Programs. "BYOD -- what a nightmare that can be for any organization," HBGary's Threat Intelligence Director, Matthew Standart, said in an interview.

"It's difficult to protect your data even when you own all your devices and getting visibility into all your devices is a challenge in itself," Standard said. "Allowing users to bring their own devices increases the complexity tenfold."

The IBM report also noted that Distributed Denial of Service (DDoS) attacks are being used for more than just disrupting service at target sites. The attacks are being used as a distraction, allowing attackers to breach other systems in the enterprise.

[Also see: Targeted social media attacks said to be underreported]

"Both attacks and attack threats are being used as decoys," Marc Gaffan, co-founder of Incapsula, said in an interview.

"The attackers will bring down a website, get the IT people focused in a certain direction, tie up their resources on the DDoS attack while a more sophisticated breach is performed with no one paying attention," Gaffan said.

A decoy attack could also be used in conjunction with a phishing attack, he added. For example, a phishing message could be sent to a bank's customers asking them to use an alternative URL because the bank is having trouble with its common web address. A recipient may follow good security practices and paste the common URL for the bank in his browser.

Because the bank is under a DDoS attack, however, they can't connect to the institution, he said. So, in desperation, they click on the URL in the phishing message and get infected.

Those kinds of misdirection DDoS attacks, though, haven't become mainstream. "They are occurring, but they're relatively rare," said Daniel Peck, a research scientist at Barracuda Networks.

The IBM report also questioned the dedication of many organizations to sound security basics. "Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice," the researchers wrote.

"Attackers seem to be capitalizing on this 'lack of security basics' by using a model of operational sophistication that allows them to increase their return on exploit," they wrote.

"The idea that even basic security hygiene is not upheld in organizations, leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals," the researchers wrote.

Barry Shteiman, senior security strategist with Imperva, said in an interview that the lack of adherence to basics could be due to a fundamental misunderstanding of security by companies. "They don't understand the difference between a safety belt and auto insurance," he said. "They don't understand that it's more important to protect themselves than to preserve their reputation after a breach has been made."

Copyright © 2013 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)