In an insightful interview captured on the ha.ckers.org site, a phisher emphasizes the benefits of targeting users of social networking sites such as MySpace and Facebook, LinkedIn, and so on. He claims that his efforts yield him $3,000-$4,000 per day. (If you have any data supporting or refuting this figure, please let us know.)
The phisher's money-making activities involve the following actions:
One such campaign was made public in February, when MySpace sued Scott Richter for allegedly compromising MySpace accounts via phishing schemes and then using MySpace to send unsolicited messages to the victim's friends advertising Polo shirts, ringtones, and other products.
According to an Indiana University study, 72% of individuals who received phishing messages spoofed to come from their social network acquaintances were fooled. In contrast, only 15% of the recipients were fooled when the messages came from an unknown party. Clearly, scammers have a strong incentive to data-mine social networks when crafting phishing campaigns. As I mentioned in a diary a while back, social networking sites have a small neighborhood feel that makes the participants comfortable with revealing personal details that make attacks more effective.
The inclusion of personal details in phishing messages seems to be on the rise. For instance, MesssageLabs observed an increase in the number of phishing messages that include personal details, such as names, addresses and zip codes. This data can be harvested from social networking sites with relative ease with website crawlers or website worms, such as those that have targeted MySpace and Orkut.
An attacker wishing to use a social network for a targeted attack can gain access to profile information with relative ease even without compromising accounts. In a study conducted by CSIS Security Group, a researcher set up a test account in LinkedIn, and specified in the profile that he worked at the large company he selected as the target for the case study. He was able to use the account to connect to other LinkedIn users from the same company, and even received unsolicited invitations from the employees to link to them. In less than 2 weeks, he was able to build a substantial network with email addresses, names, and other information about companies he could target for a subsequent attack.
According to a CA/NCSA study, 73% of adults who use social networking sites have given out personal information such as email address, name and birthday. Apparently, some even provided their social security number. Almost half of the respondents chose not to restrict access to their profile, even though they knew how to do that.
What can you do to mitigate the risks of social networks being used to aid in an attack against you or your organization? We're open to suggestions, but here are a few ideas that come to mind:
InfoSec Practice Leader
Gemini Systems, LLC
May 16th 2007
May 16th 2007
1 decade ago