by Senior Editor

Four Signs of an Easy Victim on Social Networks

Feb 15, 2010
Application Security | Cybercrime | Data and Information Security

What makes cyber criminals target you in a social network scam? Sophos' recent study identifies the signs of a soft target online.

Earlier this month, CSO reported that cybercrime attacks on Facebook, Twitter and LinkedIn have exploded, according to a recent survey conducted by security firm Sophos (see: Facebook, Twitter, Social Network Attacks Tripled in 2009). Reports of malware and spam rose 70 percent on social networks in the last 12 months, and 57 percent of users report they have been spammed via social networking sites. Another 36 percent reveal they have been sent malware via social networking sites (see also: Social Media Risks: The Basics).

Also read about some of the most common ways users get taken on social networks in 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid.

The “Social Security” survey is part of Sophos’ 2010 Security Threat Report, which looks at current and emerging computer security trends and found that social networks are opening up new opportunities for cyber criminals to locate so-called “soft” targets and pull off precise and targeted attacks. We wanted to know: What makes someone look like an easy hit for the bad guys? Chet Wisniewski, Senior Security Advisor with security firm Sophos, gives us some clues.

You have access to a VIP or valuable data

Security researchers are noting two distinct kinds of attacks on social networks, according to Wisniewski. The first is the more traditional spray spamming, where many users receive a message on their Facebook wall, in their inbox, or on Twitter that contains a malicious link. But the other, more disturbing trend, said Wisniewski, is that these social networks, by the nature of how they work, make it possible for criminals to cyber stalk potential victims. The bad guys watch your activity to see what you say, and then use it in an attack (read more in Seven Deadly Sins of Social Networking Security).

“There is definitely another network of crime where they are taking time, and closely watching in order to pull off certain things,” said Wisniewski.

A user at risk for this kind of attack might be a person who has access to something or somebody that the criminal wants. You might be the executive assistant to a corporate CEO, or a human resources representative who has access to all of your company’s employee files. You may not think anyone notices, but this makes you a desirable target, said Wisniewski.

“If you are someone’s executive assistant innocently using Facebook, and the criminals know you are associated with someone important, they can target your profile to try and get malware onto your computer,” he said. Once they’ve installed malware onto your computer, hackers can gain access to sensitive information with keystroke logging technology, which is just one example of a way to breach sensitive data. In fact, in the recent highly publicized China-based online attacks on Google, it was revealed the criminals looked up key employees on social networks and found out who their friends were on Facebook. They then hacked the accounts of those friends and contacted their victims pretending to be someone they were not. The employees clicked on malicious links from the so-called “friends” and were led to malware.

“When you do a forensic investigation after an attack, often you find they were targeting people who don’t expect to be targeted,” said Wisniewski.

Takeaway: Consider who you are and what you do. Are you privy to information that would be useful in a criminal’s hands? Best to keep your guard up, click on links judiciously, and make sure you have a network of people you know are trustworthy, which brings us to our next point…

You have lots of “friends”

So you have 1,000 friends on Facebook? Wow, you must be quite a popular guy! Of those 1,000, how many do you actually know?

Many Facebook and Twitter users like pumping up their friends list and follower numbers, but they do it at their peril, said Wisniewski. Sophos conducted a Facebook ID probe and created a fabricated Facebook profile before sending out friend requests to individuals chosen at random from across the globe. To conduct the experiment, Sophos set up a profile page for ‘Freddi Staur’ (an anagram of ‘ID Fraudster’), a small green plastic frog who divulged minimal personal information about himself. Sophos then sent out 200 friend requests to observe how many people would respond, and how much personal information could be gleaned from the respondents. The experiment revealed that 82 users, or 41 percent, were willing to divulge personal information, such as email address, date of birth and phone number, to a complete stranger.

“When you make 400 or 500 friends, you don’t really know them,” said Wisniewski. “How can you be sure they aren’t sitting there, lurking, watching your wall for months so they can see what you say and use something that would be in line with your regular behavior in order to fit in and have a greater chance of success when it’s time to hack you?”

Wisniewski pointed to the example of a large university that was subjected to an attack on a social network. Hackers were friending university employees and watching discussions that were going on about a new IT program being rolled out at the school. The criminals eventually managed to successfully get employees to click on malicious links by sending out messages claiming to “relate to the dean’s message about the new IT program.”

Takeaway: Think again about accepting “friend” invitations from people you don’t truly know. And don’t automatically “follow” every Twitter user who follows you.

You aren’t concerned about your privacy settings

There has been a lot of press, and controversy, about Facebook’s privacy settings. Privacy options for users were most recently changed in December 2009 and now give members the opportunity to choose from three levels of privacy: friends only, friends of friends and everyone. Users can also choose to customize their settings to hide information from certain people. Some critics of the latest changes point out that Facebook now forces all users to make their friends list, fan pages and location public. Still, there are many other sensitive sections that can be hidden. The problem is that people don’t enable the privacy settings.

“I don’t think people understand the changes,” said Wisniewski. “But they actually give you finer-grain control if you use them.”

Under the latest privacy-settings options, if you fail to specify what you want hidden, and from whom, it will be available for all to see by default. That includes people who find your profile in a search engine. It only takes a few minutes to access your settings under the ‘account’ section of your profile. You can decide if you want certain features, such as your wall or your personal information (i.e., job, religious affiliation), to be seen by friends only, friends of friends, or everyone.

Takeaway: Take the time to update your privacy settings. If you haven’t yet, by default most of your profile can be read by people you don’t even know, which could include criminals.

You share too much information

“It’s one thing to use LinkedIn to post your professional accomplishments,” said Wisniewski, “but to post a resume with your address and phone number and other personal information goes too far.”

LinkedIn, generally seen as the lowest-risk social network, still poses a reasonable amount of danger, said Wisniewski. In addition to the obvious risks of revealing too much personal information, you can also disclose too much about your company, setting it up for an attack.

“For someone looking for information about your organization or looking for targeted bits about your company it’s fantastic,” he said. “I can go and search for your company name and three-quarters of your employees probably have profiles that tell me exactly what they do, what their position is. I can learn a lot about the company and, if I wanted to, I can then take on a social engineering attack and use that LinkedIn information for my attack through Facebook or email.”

LinkedIn, like Facebook, gives you the option to manage your privacy settings through your account. You can decide if you want your full profile, or just certain pieces of information, to be available to everyone, or connections only.

And when it comes to TMI on Facebook or Twitter, Wisniewski advises following a simple rule to avoid putting stuff out there that can be used against you.

“If you wouldn’t be comfortable disclosing this information with an acquaintance in a bar, maybe you shouldn’t put it out there at all,” he said.

Takeaway: Be discreet. Check what comes up when you plug your name into a search engine and make sure what comes up is information you want to share with the world.