IT managers see phishing spam targeting the workplace in greater numbers than social networking sites, such as Twitter or Facebook.
As a JavaScript exploit wreaked havoc on
Twitter.com on the morning of Sept. 21, a survey of small business IT managers
revealed spam as the primary security threat to business networks.
Despite the increasing number of malware attacks originating from social
networking sites like Facebook, MySpace and Twitter, the managers called those
threats "marginal" to businesses.
The latest SMB survey from spam and Web filtering software vendor SpamTitan
focused on phishing trends on business and enterprise networks. A
full 75 percent of IT managers responded that spam is the
biggest source of phishing attempts affecting business users, the SpamTitan
survey found.
Phishing attacks are most commonly encountered in e-mail or social network
spam, although there are other techniques. As companies implement stricter
network security measures to filter out spam from their employees' in-boxes,
there are concerns phishers will just shift their focus to online sites.
Employees frequently access social networking sites from work, and even the
most savvy users are likely to click on links like "i can't believe these
pics got posted..." or "hey! check out this funny blog..." if
they think their friends posted them.
The managers in the survey did not ignore possible attacks from social
networking sites. The survey found that 37 percent of the managers
considered the number of online phishing attempts proliferating on social
networking sites a "growing phenomenon." However, almost an
equal number disagreed, calling it a natural response to the growth of online
user communities.
"Phishing attacks remain a clear and present threat to
businesses," said Ronan Kavanagh, SpamTitan's CEO.
"The arrival of social networking in the workplace has presented phishers
with a bigger pond to phish in."
Attackers are creative, identifying new ways to trap users even if they don't
click on the link. For example, the Sept. 21 attack on Twitter revolved around
a cross-site scripting issue on the site's home page. The security hole allowed
attackers to display pop-up windows or redirect users to third-party sites when
they merely moved their mouse cursor over a link. In this case, the mouse
passing over the link, whether intentionally or inadvertently, was enough to
trigger the redirect; no click was required. Twitter
patched the bug by early afternoon.
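The defensive lesson of the mouseover flaw is output encoding: a value that lands inside an HTML attribute must not be able to close that attribute and start a new one. The JavaScript below is an added example written for this article, not Twitter's code or a fix from any vendor named here. It renders a link the unsafe way (string concatenation) and the hardened way (context-specific encoding), and includes a small attribute tokenizer so a unit test can see which attributes the markup really declares. It goes a step beyond the page by also restricting the link target to http(s) URLs. All inputs are constructed sample values.

```javascript
// Added example (not from the article or Twitter): output encoding and link
// validation as the defence against attribute-injection XSS, plus a toy
// attribute tokenizer used to check the rendered markup. Sample values are
// constructed for this example.

// Encode a string for safe placement inside a double-quoted HTML attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Encode a string for safe placement in HTML text content.
function escapeHtmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Only absolute http(s) URLs are accepted as link targets; anything else
// (javascript:, data:, relative or unparsable input) becomes an inert "#".
function safeHref(url) {
  try {
    const parsed = new URL(String(url)); // WHATWG parser, built into Node and browsers
    if (parsed.protocol === "http:" || parsed.protocol === "https:") return parsed.href;
  } catch (e) {
    // not an absolute URL
  }
  return "#";
}

// Vulnerable: user-controlled values are concatenated straight into the markup.
function renderLinkUnsafe(text, url) {
  return '<a href="' + url + '">' + text + "</a>";
}

// Hardened: each value is validated and encoded for the context it lands in.
function renderLinkSafe(text, url) {
  return '<a href="' + escapeHtmlAttr(safeHref(url)) + '">' + escapeHtmlText(text) + "</a>";
}

// Toy tokenizer for the first tag in a fragment. It honours attribute quoting
// the way a browser does, so it reports the attributes the tag really declares.
function tagAttributeNames(html) {
  const start = html.indexOf("<");
  if (start < 0) return [];
  let i = start + 1;
  while (i < html.length && !/[\s\/>]/.test(html[i])) i++; // skip the tag name
  const names = [];
  while (i < html.length && html[i] !== ">") {
    while (i < html.length && /[\s\/]/.test(html[i])) i++; // whitespace, stray slashes
    if (i >= html.length || html[i] === ">") break;
    let name = "";
    while (i < html.length && !/[\s=\/>]/.test(html[i])) name += html[i++];
    if (name) names.push(name.toLowerCase());
    while (i < html.length && /\s/.test(html[i])) i++;
    if (html[i] === "=") {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) i++; // value runs to the matching quote
        i++;
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) i++; // unquoted value
      }
    }
  }
  return names;
}

// True if the first tag declares any inline event handler (onmouseover, onclick, ...).
function hasInlineEventHandler(html) {
  return tagAttributeNames(html).some((n) => n.startsWith("on"));
}

// Constructed hostile inputs: a URL that tries to close the href attribute and
// add a mouseover handler, and link text that tries to inject markup.
const hostileUrl = 'https://example.invalid/" onmouseover="handler()';
const hostileText = "<b>check out this funny blog</b>";

console.log(renderLinkUnsafe(hostileText, hostileUrl), hasInlineEventHandler(renderLinkUnsafe(hostileText, hostileUrl)));
console.log(renderLinkSafe(hostileText, hostileUrl), hasInlineEventHandler(renderLinkSafe(hostileText, hostileUrl)));
```

The tokenizer matters because a naive `onmouseover=` substring check would flag the hardened output too: the encoded text still contains those characters, but they sit harmlessly inside the quoted `href` value, which is exactly what the tokenizer (and the browser) sees.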
Twitter is no stranger to scams. Earlier this year, hackers stole e-mail
addresses and passwords from compromised
torrent sites. Users who applied the same e-mail address and password
for Twitter found their accounts hijacked by these attackers. Another scam
tricked users into giving
up their Twitter credentials by using TinyURL, a URL shortening service, to
disguise a link to a phishing site.
The survey results are consistent with reports from other security
companies. Spam masquerading as banking and order confirmation e-mails is one of
the most common phishing techniques.
Attacks against HSBC, eBay and PayPal accounted for more than 52 percent of
all scams
in the first three months of 2010, according to antivirus vendor Kaspersky
Labs. In contrast, Facebook's share was less than 6 percent over the same
period. Symantec also noted that phishing e-mails spiked 11 percent overall
from July to August this year.
A different SpamTitan survey last year looked at social networking sites and
discovered that 23 percent of surveyed online users had been exposed to a
phishing attempt. Even more distressingly, 19 percent had clicked on the link,
and 3 percent had divulged their personal or financial information.