Last Updated: 2007-05-16 20:55:43 UTC
by Lenny Zeltser (Version: 1)
The phisher's money-making activities involve the following actions:
- Capturing logon credentials via a fake social networking site that resembles the one being spoofed.
- Using captured contact information or compromised accounts to send advertising, profiting from Cost Per Action (CPA) deals.
- Accessing the victim's email accounts using captured logon credentials. (Most people use the same credentials on multiple sites.)
- Using compromised email accounts to gain access to commercial sites such as PayPal, E-gold, eBay and selling access to these accounts.
One such campaign was made public in February, when MySpace sued Scott Richter for allegedly compromising MySpace accounts via phishing schemes and then using MySpace to send unsolicited messages to the victim's friends advertising Polo shirts, ringtones, and other products.
According to an Indiana University study, 72% of individuals who received phishing messages spoofed to come from their social network acquaintances were fooled. In contrast, only 15% of the recipients were fooled when the messages came from an unknown party. Clearly, scammers have a strong incentive to data-mine social networks when crafting phishing campaigns. As I mentioned in a diary a while back, social networking sites have a small neighborhood feel that makes the participants comfortable with revealing personal details that make attacks more effective.
The inclusion of personal details in phishing messages seems to be on the rise. For instance, MessageLabs observed an increase in the number of phishing messages that include personal details, such as names, addresses and zip codes. This data can be harvested from social networking sites with relative ease using website crawlers or website worms, such as those that have targeted MySpace and Orkut.
An attacker wishing to use a social network for a targeted attack can gain access to profile information with relative ease even without compromising accounts. In a study conducted by CSIS Security Group, a researcher set up a test account in LinkedIn, and specified in the profile that he worked at the large company he selected as the target for the case study. He was able to use the account to connect to other LinkedIn users from the same company, and even received unsolicited invitations from the employees to link to them. In less than 2 weeks, he was able to build a substantial network with email addresses, names, and other information about companies he could target for a subsequent attack.
According to a CA/NCSA study, 73% of adults who use social networking sites have given out personal information such as email address, name and birthday. Apparently, some even provided their social security number. Almost half of the respondents chose not to restrict access to their profile, even though they knew how to do that.
What can you do to mitigate the risks of social networks being used to aid in an attack against you or your organization? We're open to suggestions, but here are a few ideas that come to mind:
- Limit the information you make available in profiles on social networking sites.
- Restrict who can view your profile to the individuals you trust.
- Only accept "let's connect" invitations from people you trust to see your profile information.
- Educate users in your organization about the risks of using social networking sites promiscuously.
- Create enforceable policies in your organization governing the use of social networking sites. (Sometimes a bit of guidance can go a long way.)
InfoSec Practice Leader
Gemini Systems, LLC