By Kelly Jackson Higgins
It started with a stolen Facebook photo attached to an inflammatory profile. It led to online harassment, death threats, and emails to the victim’s boss questioning the victim’s character. But an online personal attack against Graham Cluley earlier this year is one example of how easy it is to use a social network to damage the identity of an individual -- or an entire company.
Cluley’s case shows just how rapidly social networks can spread a smear campaign or personal attack -- and how it can quickly spread to the victim’s professional life. Cluley, who is a senior technology consultant with Sophos, recently met another victim who experienced a similar attack on Facebook, Kerry Harvey. He says it was apparently an acquaintance of Harvey’s who built a phony Kerry Harvey Facebook profile that branded her occupation as a “prostitute,” complete with her cellphone number.
Could such a thing happen to you or employees at your company? You bet. Social networks are the next major attack venue for trolls, spammers, bot herders, cybercriminals, corporate spies -- and even jilted ex-lovers or enemies -- to make money, or just plain wreak havoc on their victims’ personal lives, security experts say.
“It's the easiest way to passively gain intelligence on the largest groups of society and nearly every walk of life,” says Robert Hansen, aka RSnake, founder of SecTheory LLC.
The root of the problem is that social networking sites by nature aren't secure. They typically don’t authenticate new members -- you can’t always be sure that your online friend is who she says she is -- and attackers can easily exploit and capitalize on the “trusted” culture within the social network. Users often don't deploy the security and privacy options that some of these sites offer, either.
Social networking application development tools like OpenSocial and third-party tools on Facebook, for example, can be abused by attackers to readily spread malware or lift personal information. There’s also the very real risk of corporate espionage, with attackers culling tidbits from personal or professional social net profiles to wage targeted attacks on businesses via their employees. And popular Web attacks, like cross-site scripting, can also be used against members of social networks.
And don’t think for a minute that your “private” or closed profile keeps you safe from an attack or potential personal embarrassment, either. “There is no such thing as privacy on the Internet,” says Adam O’Donnell, director of emerging technologies for Cloudmark. “You are only delaying the inevitable information leakage for any content you put online. My recommendation is to treat the Internet as if all content there lasts forever.”
Attacks on social networking sites have only just begun, so think twice before you get too personal with what you post on them, or too loose about accepting and trusting new friends and connections.
“You’re only going to see these attacks on social networks go up,” says researcher Nathan Hamiel, who along with colleague Shawn Moyer recently conducted some relatively simple but scary hacks recently on various social networks that they demonstrated at Black Hat USA and Defcon 16 this month. “We’ve noticed some weird social networking attacks since we did our talk” at those hacker conferences, he says.
Here's a look at the seven most lethal social networks hacks:
* 1) Impersonation and targeted personal attacks
* 2) Spam and bot infections
* 3) Weaponized OpenSocial and other social networking applications
* 4) Crossover of personal to professional online presence
* 5) XSS, CSRF attacks
* 6) Identity theft
* 7) Corporate espionage
1) Impersonation and targeted personal attacks
You’d think security experts would be relatively immune from social networking hacks since, well, they’re security experts. But a recent wave of nasty hacks targeting security industry figures such as Alan Shimel of StillSecure and Petko Petkov of GNUCitizen, where their personal email accounts and other private data were raided and posted on the Net, have demonstrated that a determined attacker can even get to the experts.
Putting yourself “out there” with a social network presence basically leaves you open for all kinds of attacks, even personal ones. Just ask Sophos’s Cluley, who faced hate messages, death threats to his wife, and his photo being superimposed on some pornographic images after his Facebook photo hack. “They didn’t use my name,” he says, but all it took was someone to recognize his face.
Twitter, the microblogging site where members post quick updates on what they’re doing or comments to multiple “followers,” introduces a whole other element to social networking security -- physical security, experts say. “I never talk about where I am, who I'm with, where I'm going, or any other specific details,” RSnake says. “But that doesn't stop anyone else who knows that same information from doing that behind my back - maliciously or not.”
Sophos’s Cluley says posting too much information on Twitter, such as your whereabouts or trip plans, leave you wide open to things like burglary or stalking. “Twitter is a fascinating thing. To be honest, it could lead to all sorts of physical problems, such as physical theft…or jealous ex’s” tracking what their ex is up to, says Cluley, who “tweets” his blog titles. “When I post to my blog, I’m not saying ‘I’m at the supermarket.’ First of all, who cares? I much prefer to wait until I get back” from the store to say what I’m doing, he says.
And as Hamiel and Moyer demonstrated at Black Hat USA and Defcon 16, you don’t even have to have a social networking profile to be targeted. The two researchers were able to easily impersonate security icon Marcus Ranum (with his permission) on LinkedIn, the social network for businesspeople. Ranum doesn’t have an account, so the two basically lifted Ranum’s photo off the Internet and gathered information on him online and built a convincing phony Ranum profile. (See LinkedIn Hack Demonstrates Ease of Impersonation.)
They channeled Ranum so well that they amassed 42 LinkedIn connections within 12 hour, even duping Ranum’s own sister into friending the phony Ranum profile.
2) Spam or bot infections
Spammers -- for plain old advertising, click fraud, or for bot recruitment -- need mechanisms that efficiently and effectively deliver and spread their messages, malware, or both. And attackers have already honed in on the social networking community, hijacking accounts and using their address books to spread spam, worms, or other malware.
“We’re seeing more and more malware via spam and links in spam. We’re seeing this with malware text on Facebook and Twitter that’s designed to draw people to particular pages,” Sophos’s Cluley says.
Most recently, attackers hijacked some Facebook accounts, and posing as members sent messages to their friends to dupe them into viewing a video clip link, which instead was actually a Trojan that silently downloaded malware onto their machine once they opened the link.
A recent report by ScanSafe found that in July, up to one in 600 profile pages on social-networking sites hosted some form of malware, mostly adware and spyware.
3) Weaponized OpenSocial and other social networking applications
Users often don’t think anything of installing an application in their browser. “But these applications can all have the same levels of access to their system, and some of the most private information is often [stored] in the browser, so it can be more dangerous,” Moyer says. “It blows my mind how people can think that downloading [these applications] is not as bad” as downloading some application to their system.
That makes third-party application services like OpenSocial a dangerously handy tool for attackers. “The addition of the third-party application service also allows for another avenue for code-based attacks to occur,” Cloudmark’s O’Donnell says.
“These are opt-in only, and a limited number of developers use the tools. What ends up happening is that developers with a limited amount of security-sensitive development experience create these applications that spread like wildfire, allowing a new vector for infection on many profiles -- and by infection, I primarily mean attacks focused inside the social network,” O’Donnell says.
Users don’t always realize that the third-party widgets for Facebook, for example, weren’t written by Facebook. Some have holes that collect more information on users than necessary or safe, and others have been written specifically to install adware or generate revenue. “To their credit, Facebook has closed down some of these apps that behaved inappropriately,” Sophos’ Cluley notes.
A rogue application called “Secret Crush” was circulating around Facebook earlier this year, spreading spyware instead of love. (See 'Secret Crush' Spreads Spyware, Not Love.) It sent victims an invitation to find out who has a secret "crush" on him or her, and lured them into installing and running the Secret Crush app, which spread spyware via an iFrame. The attack got more advanced and worm-like when it required the victim to invite at least five friends before learning who their “crush” was.
“They [these sites] are basically under constant attack,” Moyer says. “We think a lot of the Web 2.0 problems [with these sites] are more about how much trust is being placed on the client side.”
4) Crossover of personal to professional online presence
Even if you keep a MySpace account for personal use, and a LinkedIn one for professional networking, there’s no guarantee that those late-night partying pictures aren’t going to end up in front of your colleagues on LinkedIn, or worse, your boss.
“Consider everything on a social network to be public, whether it’s private photos or work history,” Hamiel says. “You can’t stop a ‘friend’ from copying your stuff and putting it wherever” they want.
There are some measures social networkers can take to prevent the details of their social and personal lives from spilling over to their professional ones. Cloudmark’s O’Donnell says he doesn’t bother with separate personal and professional social networking accounts: “For me I find it far easier to not keep them separate, and to present a professional face on both my personal and my professional profiles."
You can set up “limited” profiles on sites like Facebook. “I can add someone as a limited friend, and they don’t know they’re limited. They can’t see my holiday photos,” for instance, Sophos’s Cluley says. That way, “I’ve really tied down and parceled up what I want as my real close friends” on the site.
There are also privacy settings that can control what information you share with others on the social network, and what information Facebook apps can get and share about your profile.
5) XSS, CSRF attacks
Cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities are obvious attack vectors, and some social networking worms have used XSS flaws to help propagate themselves. But most social networks have tightened their defenses against XSS attacks, security experts say, and CSRF attacks are not yet common.
XSS and CSRF do pose a big risk to these sites, especially when it comes to social networking applications, experts say. In an XSS attack, malicious code is injected into vulnerable Web applications and users who view those pages can get hacked. In a CSRF attack, an attacker basically tricks the victim's browser into making a request on his behalf -- as the logged-in user.
“Anytime [that] you, an attacker, can force a user to load HTML, the potential is there for browser exploits, botnet infections, and account manipulation via XSS/CSRF,” says HD Moore, director of security research for BreakingPoint Systems.
A CSRF attack could potentially jump and spread across multiple social networking sites that the user is logged onto -- effectively spreading the attack from one social network to another. It could, for example, force a victim viewing a CSRF-infected page on MySpace to post something on his own wall on Facebook if the wall-posting function was vulnerable. “I think [CSRF] certainly is one useful vector that's being overlooked now,” Moyer says.
Meanwhile, with the openness of social networks, attackers don’t really need to bother with complicated XSS or CSRF attacks. “But if you [the attacker] combine attack vectors, you could be a lot more effective. We think as long as [social networks] allow users to create markup in profiles and comments and link to external content, this will continue to be a problem,” Moyer says.
6) Identity theft
A social network profile can give away some valuable tidbits –- victim’s name and date of birth –- that identity thieves can use to guess passwords or impersonate them, and even eventually steal their identity, some security experts say.
But that doesn’t mean that identity thieves are crawling all over social networks, Hamiel says. “I just think that the claims that social networks are an identity theft magnet are overblown."
Social networkers sometimes inadvertently hand over the goods themselves: In a study Sophos conducted over a year ago, about 41 percent of Facebook users in the study gave out their email address, date of birth, and phone number to someone they didn’t know.
One safety tip for social networkers is not to answer all the questions posed to them by the site, and don't provide your true date of birth, Sophos's Cluley says. “You don’t need to tell Facebook your educational background, your phone number, etc. You don’t even have to tell them your real date of birth,” he says. “I want the identity thief to get the wrong date of birth.”
You can even make up a phony maiden name for your mother. “Don’t make it something that’s a matter of public record,” he says.
Even so, social networks basically tap into human nature’s innate need to socialize, and the bad guys know it. “People aren't very good at security,” RSnake says. “We were built to work in teams, we're pack animals.”
Even if an employer blocks access to social networks from the office, the organization still could be susceptible to corporate espionage attacks via its employees’ personal profiles.
To pull off a spear phishing attack, for example, all an attacker has to do is search for Company A’s employees on a social networking site and then pose as someone within the organization -- such as the head of human resources -- and email the employee addresses he finds, for example. A phony HR spear phish could look something like this, Sophos’s Cluley says: “Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link to access our HR Intranet and then log in with your regular network username and password so we can update our files.”
A newbie to the company could easily fall for the ploy and hand over access to the corporate network, he says.
The only shot at preventing this hack is for social networkers to limit what they post publicly and to keep their employer’s name out of their profile. “Keeping the name of your employer... far away from your personal profiles can reduce the chance that someone will target your employer through you,” BreakingPoint’s Moore says. “The trouble is that even with completely separate personal and professional identities, it only takes one scrap of public information linking the two to negate all of the time that went into separating them in the first place.”
That’s because the “six degrees of separation” rule applies on most social networks: You’re only a few hops away from a bad guy. “We know that there are bad people on these networks using them to steal information,” Cluley says. “You may be only a half a dozen hops from an identity thief if we’re all connected.”
Responses to: firstname.lastname@example.org
Many thanks to support group member, Gypsy for this gem!