In this article, Check Point Software Technologies Ltd looks at how attackers are leveraging social networking sites and other Web 2.0 services to craft new phishing attacks, posing a new threat to their users.

The Social Networking Phenomenon

Social networking sites are unquestionably the key phenomenon of Web 2.0. Their social impact is colossal, bridging the gaps between communities, wiping away physical borders to enable people and businesses to socialize, exchange and create.

In 2009, the World Wide Web may count more than 1 billion social networkers, more than half of all Internet users. Last month, Facebook passed the 300 million user mark; if Facebook were a country it would be the fourth largest in the world, as its CEO Mark Zuckerberg pointed out. QZone, the Chinese site, claims an even larger user base, while sites like Twitter and LinkedIn each reach about 50 million users. And these are only a few of them.

This incredible popularity and massive growth, however, is also what makes social sites a lucrative fishing pond for cyber criminals. Since 2007 and the boom of social networking sites, experts have seen a sharp increase in online attacks specifically targeting Web 2.0 applications. According to some recent analyst research, up to 19% of all online incidents may involve Web 2.0 sites.

What factors can motivate such a sudden and alarming rise?

“For hackers, social networking sites represent a powerful vector of attacks,” explains Guy Guzner, director of security products at Check Point. “These types of sites ensure a large exposure together with a rapid and prolific spread of information between mutually trusting parties. This makes it easy for cyber thieves to spread malware or malicious links and launch multiple phishing attacks,” he adds.

Indeed, within their virtual circle, social networkers have established a fairly high level of trust. They share information, images, files and content of all sorts in good faith with their network counterparts, without requiring identity or any other sort of validation. Because they believe they are in a close, intimate space, users are more likely to trust other senders and click on unknown links, install new applications, open videos or surrender personal information. Once introduced into a user’s circle, an attacker would have little difficulty propagating spam-like posts to all of that user’s connections.

“Malware distributed via social networking sites stands a much higher chance of reaching its targets compared to the same malware sent by email,” says Guzner. With an average of 130 connections per user on Facebook or 126 followers per Twitter user, social networking sites undoubtedly offer cybercriminals a wide pool of potential victims and a fairly high hit rate.

Worse, attackers operating on these sites also benefit from a large variety of tools to play with, including the wide range of Web 2.0 features and applications: Twitter’s user-generated content, YouTube videos, MySpace or LinkedIn profiles, for example. All of these have been exploited or hijacked at some point over the past few months to distribute malware and steal information. Just last October, a series of popular Facebook applications, such as “CityFireDepartment”, “Mynameis”, “Pass-it-on” and “Aquariumlife”, were hacked and used to compromise users’ computers via unpatched Adobe software vulnerabilities. The same month, another large-scale spam attack took place on Facebook, attributed to the Bredolab botnet, which used fake Facebook password-reset messages to trick users into downloading a dangerous piece of malware.

For organizations, allowing employees to use social networking sites at work can be even more problematic and damaging. Not only do these sites pose an increased threat to the network, but other disastrous consequences are to be anticipated, such as sensitive data leakage or misuse of posted corporate information. The potential security risk is high enough to have motivated a number of businesses to prohibit their employees from accessing social networking sites while on the job.

Yet is banning the only way to mitigate the security risk of Web 2.0?

“From the technological standpoint, social networking sites do not create many challenges different from those we were dealing with before,” says Guy Guzner. “The issue is more about managing the risk coming from enhanced web exchange than prohibiting their usage.”

To mitigate the risk, a series of basic measures provides a good first line of defense. The same common sense and protective measures normally applied on the Internet apply to social networking sites: users should understand first of all that the same vigilance is required within their virtual social circle as with email or anywhere else online. An unsolicited password-reset notice, and in particular one that asks the recipient to download a file, should be treated as a lure: genuine sites reset passwords on their own pages, not through attachments. Users should protect their identity by using a strong, distinct password for each of their accounts and by choosing appropriate privacy settings. Employees should avoid over-exposing their personal or company information and adopt the same responsible, protective behaviour online that they would in the non-cyber world.
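The fake password-reset lures described earlier, and the advice above to treat links with the same suspicion as in email, lend themselves to a simple automated check. The Python below is an added example written for this page, not Check Point code or a product feature: it extracts the links from an HTML notification and flags three tell-tale signs, a visible URL whose host differs from the real target, a message that names a social network but links off that network's domain, and a "password reset" that points at an archive or executable. The TRUSTED_HOSTS allow-list, the suffix list and both sample messages are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains each network is assumed to link to in genuine notifications.
# Constructed allow-list for this example; a real deployment would maintain its own.
TRUSTED_HOSTS = {
    "facebook": {"facebook.com"},
    "twitter": {"twitter.com"},
    "linkedin": {"linkedin.com"},
}
# File types a password-reset notice should never hand out.
DOWNLOAD_SUFFIXES = (".exe", ".scr", ".zip", ".rar", ".pif")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def _same_site(actual, expected):
    """True if actual equals expected or is a subdomain of it (after www. stripping)."""
    actual, expected = _norm_host(actual), _norm_host(expected)
    return actual == expected or actual.endswith("." + expected)


def analyze(html):
    """Return (rule, href) findings for one message; an empty list means nothing suspicious."""
    parser = _LinkExtractor()
    parser.feed(html)
    brands = [b for b in TRUSTED_HOSTS if b in html.lower()]
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        host = (parsed.hostname or "").lower()
        if not host:
            continue  # mailto: and relative links are out of scope here
        # Rule 1: the anchor text displays a URL whose host is not where the link goes.
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", text, re.I)
        if shown and not _same_site(host, shown.group(1)):
            findings.append(("display-host-mismatch", href))
        # Rule 2: the message invokes a brand but links outside that brand's domains.
        for brand in brands:
            if not any(_same_site(host, t) for t in TRUSTED_HOSTS[brand]):
                findings.append(("brand-host-mismatch", href))
        # Rule 3: a notification that points at an executable or archive download.
        if parsed.path.lower().endswith(DOWNLOAD_SUFFIXES):
            findings.append(("executable-download", href))
    return findings


# Constructed sample lure, modelled on the fake password-reset pattern, not a real capture.
SAMPLE_LURE = """<html><body>
<p>Dear Facebook user, your password has been changed. Open the attached file to get
your new password, or follow the link below.</p>
<a href="http://facebook.com.account-update.example/reset.php">http://www.facebook.com/reset</a>
<a href="http://203.0.113.5/Facebook_Password_Reset.zip">Download new password</a>
</body></html>"""

# Constructed benign notice: brand and link host agree, no download.
LEGIT_NOTICE = """<p>Someone requested a password reset for your Facebook account.</p>
<a href="https://www.facebook.com/recover">https://www.facebook.com/recover</a>"""

if __name__ == "__main__":
    for rule, href in analyze(SAMPLE_LURE):
        print(f"{rule}: {href}")
```

The first link in the sample trips both the display-host and brand-host rules (the host ends in account-update.example, not facebook.com, even though it begins with "facebook.com"), and the second trips the brand-host and download rules; the benign notice produces no findings. The check is a heuristic, not an antivirus replacement, and belongs alongside the gateway and endpoint controls described below.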

At the corporate level, enterprises can rely on the same tools they already use to protect their networks, starting with a robust security architecture that incorporates a good firewall and a capable IPS to detect blended threats and shield against a wide range of attacks. This should be complemented by a comprehensive endpoint security solution that protects against rapidly proliferating worms, Trojans, spyware and other malicious code that can threaten business continuity, require time-consuming incident remediation, hurt user productivity and introduce risk through altered or stolen data. “This type of protection, coupled with a good compliance policy and regular application updates and patching, considerably helps prevent phishing exploits such as those recently reported on Facebook and other similar sites,” notes Guzner.

After all, Web 2.0 brings a wealth of advantages for organizations, just as it does for individuals. Once they are assured that the underlying IT risk can be controlled, organizations will hopefully start embracing online social networks along with their tremendous benefits.

Contributed by Check Point Software Technologies Ltd