Social networking has long become a consistent part of the “digital routine” for web users. Whereas system administrators and business owners have considered Facebook and other similar resources more as a problem (fearing employees would spend hours on social networks instead of working), today almost every respectful company has an official page on Facebook and other popular networks. Resources of this kind generate additional business opportunities.
However, with social media has also come new attack venues. Nowadays, malicious links are distributed not just by email or instant messengers, but also via private messaging from compromised accounts.
Let’s look at an abstract example. An attacker is interested in penetrating the corporate network of a company. He knows that an employee of the organization has an account on Facebook, but hacking it directly is not possible because the password is reliable. However that person may have a hundred or two hundred friends of which not everyone is as scrupulous in choosing passwords. As a result, one of those accounts gets hacked. Eventually, the employee receives a link from his or her alleged friend, and the link directs to a malicious site.
He/she either clicks it or does not. When it involves phishing, if an attacker supplied the link with a referent message, making the targeted victim believe the link is coming from his friend, the probability of success taking over the “enterprise” is very high. Especially if there are no anti-phishing solutions deployed on the victim’s side.
The described situation is very frequent, even if it is an abstract example. According to the survey of the main user risks that was conducted last summer by B2B International and Kaspersky Lab, people often fall into this trap. 18% of respondents admitted that they followed dangerous links on hacked accounts, while 49% of respondents said they were not able to tell normal accounts from compromised ones (although they appear quite easy to detect).
Over time, experienced users have surely developed certain protective mechanisms, like a healthy kind of paranoia. It is always easier to seek confirmation from a friend having sent the link than it is to disinfect your computer. Unfortunately, this kind of attack can cost a lot, especially if it was conducted at a computer or a device by which a user accessed corporate resources or which stored corporate data or details for billing accounts. Customer and financial data are what cybercriminals go for most.
I would like to additionally remind you of one major problem, which we described in September. Social network users have developed a habit of publishing excessive information about their lives including professional data. From this data, even disparate notes attackers could potentially extract a certain amount of information, sustaining a successful cyber attack.
For example, in Facebook employee A posts photos from the birthday celebration for employee B, referring to his/her account in the social network. Then a potential attacker knows, firstly, that employee B works in the company of interest with employee A, and secondly, the hacker gets to know B’s date of birth and his/her account in Facebook. The hacker then also knows (most likely) that about 21% of users around the world use their dates of birth as passwords to their accounts. Accordingly, the hacker goes to check if the employee B is among the twenty-one per cent and discovers that he/she is one of them. The chances are better than five to one.
This scenario is presumptive again, but regretfully real. Fortunately, a growing number of people get to understand that publishing too much information about them on the Web is not the most reasonable modus operandi. According to the above mentioned user risks survey by B2B International and Kaspersky Lab, about 22% of social network users are now starting to feel that they tell too much about themselves in social networks.