
Web 2.0 sites such as Facebook, Twitter and MySpace will become the main battleground for malware developers, according to computer security company Sophos.
Brett Myroff, CEO of Sophos SA, says the emergence of social networks has created an easier environment for 'criminal' elements to target unsuspecting users, creating a greater security risk for those who frequent such sites.
In its updated Security Threat Report, Sophos revealed 21% of respondents had been phished on a social networking site, and 21.2% had received malware.
Ian de Villiers, senior security analyst at SensePost, says: “The prevalence and popularity of social networking sites and user-contributed content provides not only a means for obtaining and inferring large amounts of information regarding individuals and organisations, but also a moderately effective manner for distributing malware.”
He explains that Facebook, for example, currently has a subscriber base of about 250 million active users - a massive number of potential “marks” for cyber criminals.
McAfee's Threat Report for the second quarter adds there are distinct security vulnerabilities on social networks. “Many of the risks have to do with the large number of features and applications that so many people run without a second thought. This carefree attitude has allowed various worms, phishing attacks, and other such malicious activity to come into play.”
De Villiers agrees: “People seem to have no qualms about clicking on links or downloading suspect software when they have been forwarded to them by online acquaintances.”
According to McAfee's report, there are many social networking tools that offer services such as monitoring bank accounts and blocking access from others, and often these 'tools' require users to enter usernames and passwords. But people have become so comfortable with online interaction that passwords are often not strong enough.
“Once attackers gain access to account credentials, they have full access to the victims' friends and can launch all sorts of mischief. This phenomenon gives new meaning to the term 'friendly fire',” says McAfee.
Up close and personal
Several cases of sensitive information appearing on public platforms hit the headlines recently. Most notable was the blunder by the wife of the new UK Secret Intelligence Service head, who posted pictures of their family and friends on Facebook for all to see.
“It's unfortunate that many people feel so at home with the interactive Web 2.0 experience that they forget the basics of online security,” says McAfee.
“Users of social networking sites should be very cagey about what information they disclose - both to the social networking site, and also on their profiles,” notes De Villiers.
Myroff believes the onus is both on site owners to put in sufficient safeguards, and on users to be educated on what to reveal and what to keep off social media sites. “Just as you would not leave your ID book or keys available to strangers, the same applies on these sites.”
However, De Villiers believes there have been improvements, and that users' security perceptions have changed over the past few years. “If one compares the number of unprotected profiles on social networking sites such as Facebook today compared to the same site a year ago, many more people ensure that their profile information is restricted to known persons nowadays.”
Plugging leaks
Last month, a hacker gained access to a Twitter employee's e-mail account and forwarded hundreds of internal Twitter documents, including financial statements, to Web sites and publications. Twitter said in its company blog that the incident was not a hack on the Twitter service, but a personal attack followed by the theft of private company documents.
According to the Sophos report, organisations have become increasingly worried about malicious attacks originating from social networking sites, as well as the dangers of employees revealing sensitive personal or company information online.
The report reveals that a quarter of surveyed organisations have been exposed to spam, phishing or malware attacks through sites such as Twitter, Facebook, and LinkedIn, and approximately 50% of companies are blocking all or some access to social networks.
De Villiers says one of the big concerns surrounding companies and their employees' online activities is that an organisation does not currently have much control over what information is disclosed. “Badly configured social networking profiles leak a wealth of information such as dates of birth, relationships, past and current employment details - the list is almost endless.”
He explains that numerous employment details are available on social networking sites, and that a minefield of information on a specific corporation can be obtained. “This greatly reduces the effort required to specifically target corporations for social engineering attacks such as phishing, and the outcome is that such attacks can be implemented with great effect.”
As Web 2.0 technology develops to allow greater interaction and information sharing, Myroff believes security measures will have to work to keep pace. “They are effective at the moment, but the threat landscape is continually evolving, and so must the security technologies. One needs comprehensive solutions rather than point products.”