Article: Look who’s on the prowl

Phishers, scammers and spammers… cyber criminals are out to target people on social-networking sites. DIVYA KUMAR writes

Building a farm or joining the Mafia Wars on Facebook is just as much a part of your daily routine as checking your work email. Crappy movies, boring parties and bad break-ups are all fodder alike for acerbic Tweets. Pictures taken on your cellphone make it on your Orkut profile page at the speed of light, and padding your friends list is your favourite pastime.

Our lives today are increasingly submerged in social-networking websites, like those of millions of others worldwide. In the last year, the number of Indian visitors to sites such as Facebook, Orkut, MySpace and Twitter increased by 51 per cent to 19 million (according to comScore’s 2009 report). And where people are, that’s where the phishers, scammers and spammers go.

“Social-networking sites have become one of the most popular targets for cyber criminals,” says David Freer, Vice President Consumer Business, Asia Pacific and Japan, of Symantec, calling 2009 the year of attacks against social-networking sites and their users. “These sites have a huge number of users (Facebook alone has 350 million), and cyber criminals have a fairly simple modus operandi – go where the people are.”

Amit Agarwal, one of India’s top tech bloggers and columnists, agrees. “The threat is very real,” he says. “Often you read about these things but you don’t know the people affected; this is actually happening, every day.”

For instance, he describes a recent attack on Twitter, due to which passwords had to be reset on a few thousand accounts. “The attack took advantage of people’s innate laziness,” says the blogger. “Many of us use the same credentials – username and password – on multiple websites, which means that the guys at some questionable site you visited, let’s call it xyz.com, can now log on to your other accounts, such as Twitter.”

Once they have access to your account by any means, your entire contact list becomes vulnerable to spam, phishing or ‘drive-by download’ attacks through links or notifications that are sent out. “By their very nature, social networking sites are about a group of people who trust each other,” explains Freer. “If you get a request to look at photos on Facebook or click on a shortened URL on Twitter from a friend, you tend to trust it automatically.”

Those links could take you to impostor sites that ask you to enter your credentials again (standard phishing), or, more sneakily, simply take you to a site that silently downloads malware onto your system, i.e., the ‘drive-by download’. “Last year, this was the fastest growing form of attack – there were 18 million drive-by download attacks in all of 2008; in 2009, we hit that number just between August and October,” says Freer.

The buzzword amongst experts for these attacks is ‘social engineering’ – using people’s behaviour patterns to target them for attacks. “The actual attacks are the same as what we’ve seen earlier, via email, etc., but the false sense of trust and security existing in social networks makes it easier for criminals to deceive,” says Na. Vijayashankar a.k.a. Naavi, cyber law and techno-legal consultant.

Third-party applications on websites such as Facebook – those fun games and other time-pass applications you add on – are also frequent offenders, exposing your system to malware embedded in the application itself or in the ad on the side of its webpage. “The bad applications are usually banned after a few reports from users, but on day one of the attack, no one will know. There are 500,000 applications on Facebook, for example; it’s just impossible for them to keep track of them all,” says Amit.

“A lot of these game apps involve money transactions, so they get your credit card details, and scams do happen,” says Tarun Shan, a 22-year-old student of Hindustan Engineering College, and an online entrepreneur. “People think these sites are so cool and just get so addicted, but they need to be careful.”

Common sense, it would appear, is the only real defence against these attacks (along with up-to-date anti-virus software on your system, of course). For instance, research shows that an alarming number of users on social-networking sites add people they don’t really know as friends. “Don’t get into a mad race to add more friends just for the sake of it,” says Naavi. “Use some sort of screening process when you get requests from people you don’t know.”

Be cautious about opening any weird links from people already on your friends list. “If you’re getting unusual messages from a friend, send them a note asking them about it,” says Freer. “And always be wary of short URLs, which can mask malicious sites.”

And don’t be lazy – educate yourself. “Most of these websites are doing all they can to protect you, but you have to do your bit as well,” says Amit.

Top tips

1. Be wary of adding strangers to your friends list
2. Be careful while clicking on shortened URLs
3. Use strong passwords. Create different passwords for different accounts
4. Be cautious while using third-party applications and sharing private data with them
5. If you’re getting unusual messages from a friend, send her a note about them


2 responses to “Article: Look who’s on the prowl”

  1. Excellent subject. I believe the solution is going to have to come from the web users. Some of what is needed to correct the problem is social change as well as supporting network hardware.

    • Divya

      Glad you thought so 🙂 Absolutely… since users are being targeted based on typical behaviour patterns, it’s only through educated usage that the attacks can be sidestepped.

      Thanks for reading!
