Six new and rising hacker threats
Cybercriminals are constantly seeking new attack vectors
By John Brandon | Computerworld US | Published: 14:00, 20 May 2011
3. Social network account spoofing
Many of us use Facebook, LinkedIn and other social networks to connect with friends, family and colleagues, which leaves us vulnerable to a new technique called social network account spoofing. The idea is that a scammer poses as either someone you know or a friend of a friend to get close to you, then fools you into revealing personal information. He then uses that information to gain access to your other accounts and eventually steal your identity.
In a typical exploit, says Joffe, someone contacts you on a service like Facebook or LinkedIn, posing as a friend of a friend or a co-worker of someone you trust. Then, the new "friend" contacts you directly, usually through text message or email. It might seem surprising to have this "friend" contact you outside the social network, but he seems legitimate because you believe he has a connection with someone you trust.
In another scenario, a scammer might impersonate someone you already know, claiming to be an old friend from high school, for instance. Spoofers can find out your connections by following your public feeds or looking up the names of co-workers on sites like LinkedIn where you have posted your work info.
Once the scammer has established a connection with you, he uses devious means to steal personal data, such as chatting to find out the names of family members, favourite bands, hobbies and other seemingly innocuous information, then trying those as passwords or answers to security questions at banking sites, webmail accounts or other sites.
As Joffe points out, the idea behind social network account spoofing is "thousands of years old." Conning you out of your personal information is an age-old trick. Today's social networks just provide a new avenue for con artists and criminals to get close to you. The trick works because there is often no way to know whether someone you've come to trust online is actually who he says he is.
"The problem with communication by Facebook or LinkedIn is that you are stuck in a web interface, you can't check the IP address or header information. Everything is in a nice friendly world," Joffe says.
Stratum Security's Morehouse says hackers are becoming increasingly crafty on social networks. They first identify a target, then do the research: what is this person like, whom do they follow, what do they like to do?
What's more, social network attacks are sometimes combined with email and website spoofing, Morehouse says. You might develop a friendship on LinkedIn and then get an email from that person that looks like it was sent via LinkedIn but is actually a fake. When you click the link to reply to the message, you're taken to a fake LinkedIn site. Logging in there reveals your LinkedIn username and password to the spoofer.
Another type of attack Morehouse describes targets companies as well as individuals. The spoofer might set up a Facebook page pretending to be the official company page for a retailer such as office supply giant Staples. To make it seem credible, the spoofer might claim that the page is a formal method to contact the company or register complaints.
The page might offer free (but fake) coupons to entice people to join, and it soon goes viral as people share it with their network of friends. Once hundreds or thousands of users have joined the page, says Morehouse, the owner tricks them into giving out personal information, perhaps by signing up to receive additional coupons or special offers.
This is a double attack: Consumers are damaged because their personal data is compromised, and the company is damaged because its customers associate the fake Facebook page with the real company, and decide not to buy from that company anymore.
As with text message attacks, individuals' best defence against spoofing attacks is to use common sense, Joffe says. Hackers usually do not do a good job of impersonating a person or company, and they tend to send links and phishing scams to con you. They might try to mimic a friend but rarely manage to accurately convey their personality. In some cases, the attacks are traceable through email headers or IP addresses, and most attacks are too general and untargeted to be believable to anyone who's careful.
Other precautions might seem obvious but are often overlooked. If someone says he's a friend of a friend or co-worker, make sure you confirm his identity with your common connection. And it's a good idea to lock down your privacy settings at social networking sites so that your contact info, posts, photos and more aren't visible to everyone. In Facebook, for example, select Account -> Privacy Settings -> Custom and click the "Customise settings" link at the bottom to gain control over exactly what you want to share with everyone, friends of friends, friends only or no one.
For companies, it's a little trickier. Joffe says there is no way to prevent a hacker from setting up a fake Facebook page initially, but companies can use monitoring tools such as Social Mention to see how the company name is being used online. If an unauthorised page turns up, companies can ask the social network to remove the fake listing.
Social networks like Twitter and Facebook have changed the way we communicate in our personal and work lives, many would say for the better. Yet these useful portals also provide conduits that others can use to make our lives miserable.
A relatively new concept variously called cyberstalking, cyberharassment or cyberbullying involves an individual or a group making repeated personal attacks online, such as posting negative comments on every tweet you make or posting crude altered photos of you on a social network. The perpetrators may use online aliases to hide their identities. By law, cyberbullying becomes a federal crime if a stalker makes any life-threatening comments.
Most of us have heard of a handful of well publicised cases of cyberbullying among teens, but it's also on the rise for adults who connect to social networks from their place of employment, according to Kathleen Baty, a personal safety consultant and CEO of SafetyChick Enterprises. These workplace-related attacks might involve another employee, or someone trying to steal company information.
"Cyberstalking in the workplace has become more and more common and is tough to define because there are so many different forms to threaten or harass in this digital world, and so many different motives behind the behaviour. It can be anything from a personal/romantic relationship gone bad, to a co-worker/business conflict, to a competitor trying to wreak havoc on a company," says Baty.
To keep cyberstalkers off company networks, businesses should implement all the usual corporate security tools, such as firewalls and encryption, Baty says. Additionally, companies should institute a social media policy that outlines clear guidelines for what kinds of information employees should and should not post or discuss on public sites.
If you do become a victim of cyberstalking or cyberbullying, Baty advises you to report it immediately to local law enforcement authorities. If it happens at work, report it to your HR department as well. Don't delete harmful posts or other electronic communications, she says, but instead retain all documentation of incidents, mainly as evidence but also because the headers for email and forum postings can be used to track down the offender.
That said, the best defence is to protect your personal information as carefully as you can. For instance, never reveal online such details as where you live, and don't announce your movements, for example that you are on vacation or home sick and have left your workplace computer open to attack. That also rules out public "check-in" social networks such as Foursquare.