- Category: January - February 2010
Social media websites can be an asset to businesses, but they also enable cyber-criminals to steal users’ personal information and wreak havoc with corporate IT systems. Learn the many ways in which social media websites can pose a threat to corporate networks. Find out the steps that IT managers can take to ensure that critical business data remains secure and protected while simultaneously taking advantage of these exciting new business opportunities.
The phenomenal growth and popularity of social media websites have created promising opportunities for businesses as well as dangerous new ways for cyber-criminals to create havoc on corporate networks.
Since its inception in 2005, YouTube has grown to 445 million users, an increase of 359%. Facebook now has 390 million users, an increase of 153% since it started in 2004. Twitter, with 55 million users, has increased 1,171% since it began in 2006. According to Alexa.com, in the past six months, Twitter.com traffic increased steadily to a peak of more than four million users. In the most recent three months from when this report was written (November 2009), traffic had increased by 49%.
Facebook traffic increased steadily over the past six months to more than 20 million users. Traffic increased by 11% over the same three-month time span.
Using social media, businesses now have increased capabilities to interact with their many customers, prospects, vendors, supporters, shareholders and stakeholders. Corporate leaders can run blog postings on social media sites to discuss business issues or introduce new products. As part of their corporate communication efforts, companies rely on social networking to spread the word about community events they sponsor or worthy causes they support. These new channels are lightning-fast, cost-effective and even provide bi-directional communication.
How the Damage Is Done
Workplace Internet use, while often necessary, increases the chances of web-based viruses and spyware infiltrating a company’s IT system.
One of the most common tactics used to accomplish this through social networking occurs when a user accesses a social media website that has been compromised. When the user enters the website to send a message that includes a harmless link or video and the message is opened by another user, spyware hosted on the site lures them to fake websites that trick them into divulging personal details and passwords.
For example, mashable.com warns that there is a new Twitter phishing scam making the rounds and spreading quickly via direct message. The infected message, which seems to be an iteration of a previous phishing scam, simply reads, “Hi, this you on here?” Clicking on the link will take you to a phishing site where scammers can take your personal information and hijack your account. This tactic, known as a phishing attack, can compromise users’ business accounts without their knowledge. Once the account is compromised, the cyber-criminals can infiltrate the user’s list of contacts and repeat the attack on other victims.
Cyber-criminals redirect users to websites where profit is made from selling products that make fraudulent claims. For example, a customer who visits a site and buys tools that supposedly remove viruses or spyware is actually paying to download even more malware. The scam artists also try to elicit private information such as passwords and bank-account numbers to commit other misdeeds.
Monitoring and Educating
Although there are powerful tools for blocking social website access, determined users can in some cases find ways—however obfuscated—around them. To counteract these threats, companies must monitor Internet use by both in-house and roaming users and educate all employees about proper use of the web.
Companies of all sizes should establish an acceptable use policy—a set of rules that define the ways in which an organization’s IT network may be used—and take steps to educate employees about the policy and the ways it will be enforced.
The top five social media threats of 2009 used a variety of techniques to infect corporate systems [6]:
Probably the best-known social-networking virus, Koobface infiltrated corporate computers in 2009 when it appeared on MySpace, Facebook, LinkedIn and Twitter. Koobface sends messages to the contacts of an infected account, tricking users into downloading a Trojan from a malicious
The Mikeyy Worm
In April 2009, Twitter was hit several times by the Mikeyy Worm, which took advantage of a cross-site scripting weakness to hijack users’ accounts. The worm used the infected accounts to send out a stream of nuisance messages—all a user had to do to contract the virus was view an infected profile.
The Acai berry has been hyped as a wonder dietary supplement, but it has also been the focus of pyramid schemes and free-trial offer scams. In May 2009, weight-loss spammers seized control of hundreds of Twitter accounts and steered message recipients to a site where they could sign up for a phony Acai trial.
In April and May 2009, Facebook was targeted for waves of phishing attacks from malevolent sites based in Latvia and China. To recruit an army of spam “zombies,” hackers used Facebook’s internal messaging system to trick users into giving up their credentials on a fake Facebook log-in screen.
A phishing attack that reels in a high-profile user can raise awareness of social media’s vulnerabilities. In June 2009, hackers used U.K. Parliament member Michael Fabricant’s Facebook account to send corrupted links to 1,500 of his friends. After this incident, Fabricant said that he felt “outlawed from cyberspace.”
Social Networking Gone Awry
In 2008, the CEO of Whole Foods Market, John Mackey, placed anonymous social-media posts about his own company’s stock and the stock of a competitor that Whole Foods was trying to acquire.
In his posts, Mackey disparaged the competitor’s stock in an attempt to weaken its value and improve Whole Foods’ bargaining position for the acquisition. A respected executive, Mackey had his reputation tarnished; was forced to issue a public apology; and endured investigation by both the U.S. Securities and Exchange Commission (SEC) as well as an internal committee within his own company. Ultimately, no charges were filed against Mackey, but the embarrassing incident cast a shadow over the Whole Foods brand.
When President Barack Obama was running for election, malicious software penetrated his campaign website (my.barackobama.com) and allowed hackers to gain access to campaign workers’ computers and install a Trojan. The Trojan enabled the cyber-criminals [7] to register multiple bogus user accounts on the website and install a virus-infected video that quickly spread the infected code.
In May of 2008, there was a similar incident at the website that flooded the site’s comment forums with links that deceived the online blogging community into downloading the Trojan onto their own machines.
How Can a Company Protect Itself?
Every organization should take action to protect itself from the threats that social networking presents. There are several things that companies can do, but some practices and procedures are more effective than others.
Establish policies for employee use of the Internet
Many organizations don’t have adequate Internet Acceptable Usage policies. In fact, many don’t have Internet policies at all. An employee-focused policy on proper use of the web—though difficult to enforce—should list the types of websites that employees are allowed to visit and those that aren’t permissible, as well as penalties for violating the rules.
Establish anti-virus and anti-spyware protection
These tools must be deployed throughout a company’s network, preferably at the server, gateway and end-user levels. While expensive to deploy, installing these capabilities on individual desktop machines, laptops and mobile devices can help to protect against threats that can enter via a USB storage device or a user’s CD-ROM.
Block non-business related websites
Another option is the deployment of URL-filtering tools that block access to non-approved websites. Many organizations use these filters, and they provide a valuable first line of defense against inappropriate sites. However, new social networking websites and tools are frequently released, so URL filtering should be used as part of a larger proactive strategy.
Filter content for unwanted file types
Blocking file types based on content can help prevent some types of web threats from entering a network, particularly files that are associated with malware. Content-filtering tools can preserve bandwidth and storage by blocking unwanted, space-consuming audio and video files. According to Osterman Research, a policy-only approach won’t protect an organization from employees who forget the policy or choose to ignore it, and a systems-only method without a clear, well-enforced policy to support it could cause confusion and resentment among employees. Instead, organizations should use several different methods in a layered approach to ensure the highest levels of protection.
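As an added illustration of the content-based file-type blocking described in this section (not part of the original article), the sketch below classifies a download by its leading bytes rather than its file name, so a renamed executable or media file is still caught. The signature table, the blocked-type policy and the sample payloads are assumptions constructed for the example.

```python
# Added example: classify a download by its leading bytes, not its name.
# Signature table, policy sets and sample payloads are constructed.

SIGNATURES = [                       # (offset, magic bytes, detected type)
    (0, b"MZ", "exe"),               # Windows PE executable
    (0, b"\x7fELF", "elf"),          # Linux executable
    (0, b"PK\x03\x04", "zip"),       # ZIP container (also docx, xlsx, jar)
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"ID3", "mp3"),              # MP3 with an ID3v2 tag
    (4, b"ftyp", "mp4"),             # ISO base media file (mp4, mov)
    (0, b"\x1a\x45\xdf\xa3", "mkv"), # Matroska / WebM
]

BLOCKED_TYPES = {"exe", "elf", "mp3", "mp4", "mkv"}   # assumed policy
# Extensions a detected type may legitimately carry; default is the type name.
EXPECTED_EXT = {"zip": {"zip", "docx", "xlsx", "jar"}}


def sniff(data):
    """Return the type implied by the file's magic bytes, or 'unknown'."""
    for offset, magic, kind in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return kind
    return "unknown"


def decide(filename, data):
    """Return (verdict, reason) for one download."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCKED_TYPES:
        return "block", f"{kind} content is not permitted"
    if kind != "unknown" and ext not in EXPECTED_EXT.get(kind, {kind}):
        return "block", f"extension .{ext} does not match {kind} content"
    # Unrecognised content (HTML, text, ...) passes here; a signature list
    # only catches the formats it knows, hence the layered approach.
    return "allow", kind


if __name__ == "__main__":
    samples = [
        ("holiday.jpg", b"MZ\x90\x00" + bytes(60)),        # renamed executable
        ("clip.mp4", b"\x00\x00\x00\x18ftypmp42"),         # video
        ("invoice.pdf", b"PK\x03\x04" + bytes(26)),        # archive posing as PDF
        ("report.pdf", b"%PDF-1.4\n"),                     # what it claims to be
    ]
    for name, payload in samples:
        print(name, decide(name, payload))
```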
Enter Hosted Web Security
In the past, customers often used software installed on users’ PCs or on an internet gateway device, such as a firewall, to prevent malware infection, security breaches and data loss. These on-premise solutions, however, drain financial resources, consume employees’ time, are difficult to scale and most important, don’t provide 100% protection.
With the rapid pace of development and expansion of the Internet, hosted web security services are becoming more and more popular. A hosted service is operated and maintained by an off-site company; it has a lower cost of ownership than on-site solutions; it reduces the need for internal staff; and it is easily scalable. This type of service, which is highly proactive against web threats including the growing number of threats from social media, provides these advantages:
- Effectively blocks users from visiting non-business-related websites, which boosts user productivity and organizational compliance.
- Saves bandwidth and storage by blocking large media files such as video, audio and image files “in the cloud” before they are downloaded into the customer infrastructure.
- Frees staff from the tasks associated with managing an in-house deployment.
- Is much more scalable than on-premise solutions. If the amount of web content scanned or the number of users increases, a hosted solution can scale quickly with a change of settings in a web interface.
- Provides lower, more predictable costs—even for large numbers of users—than is possible with on-premise solutions.
By Bjorn Engelhardt, VP of Symantec Hosted Services, APJ