The amount of personal and professional information posted on social networks means it's increasingly easier for criminals to create a detailed profile of their victims.
Social networks provide spammers with plenty of opportunities to scam
users in new and more effective ways, a security expert said.
Social networks have become ubiquitous, with more than 500 million users on
Facebook, 100 million on LinkedIn and a reported 200 million users on Twitter.
Google claimed it had 10 million users on its Google+ social network within the
first two weeks of its limited launch. That's just the tip of the iceberg as
there are plenty of smaller social networking sites targeting niche users.
All spammers need is a list of email addresses of their victims to
launch a campaign. While these lists can be bought "for a pittance"
from other criminals or from businesses that sell "leads" and other
contact information, a scammer can easily create one based on information
harvested from social networks, Asaf Greiner, vice president of products at
Commtouch, told eWEEK.
email addresses don't need to be scraped from newsgroups, or guessed through
brute force; they are all around you, on LinkedIn, Facebook, Twitter and so
on," Greiner said.
invitation tool often used by these sites to find out if the user's friends and
acquaintances are already on the network is "a gift" for scammers. By
creating a contact list of guessed or otherwise obtained email addresses, the
miscreant can find out if any of those addresses correspond with a legitimate
user on the network. Depending on the privacy preferences, the site may also
provide photos and additional personal information. Within seconds, this
feature "qualifies" a list of random email addresses by identifying
sharing more and more details of their personal lives online, it is possible
for scammers to create highly targeted lists based on user demographics,
preferences and even socio-economic status. Scammers gain a fairly
comprehensive view of their victims' online and offline habits just be looking
at places they "check in" on geo-tagging services such as Foursquare,
the kind of products and businesses they "like" on Facebook, and the
kind of jobs they've had on LinkedIn, according to Greiner. All this knowledge
is then used to design a spam campaign that will be more effective in getting
the victim to click on a link or open an attachment.More than 24
million Americans on social networking sites keep their online profiles mostly
public, letting anyone see their personal details, ID Analytics
found in a study released this
spring. People tend to think of the various networks as separate siloes, such
as career-related information on LinkedIn and home details on Facebook, and
book preferences on Good Reads. They don't realize that it's easy for a
malicious person to correlate all the information across sites, especially if
the user is using the same email address to create all the accounts, Thomas
Oscherwitz, chief privacy officer for ID Analytics, told eWEEK.
personal information, such as the employer, name of family members, the restaurants
they visit, may sound like a tedious job to do manually. However, a number of
"off-the-shelf gray-market" software automates this process by cross-referencing
the data across multiple sites, according to Greiner.
It is fairly
straightforward to create "a comprehensive dossier on just about any
user," Greiner said.
are increasingly moving away from mass attacks because of low conversion rates,
according to a recent report from Cisco Security Intelligence Operations
. Even though more upfront research is
required for targeted spear-phishing attacks, the Cisco report suggested
success rates as high as 70 percent. Even though they are lower-volume attacks,
spammers find the additional research results in a more profitable campaign,
the report found.
makes it easier to create targeted messages that are highly personalized to the
victim, making the rate of success even more likely. An email message could
begin with "It was great running into you at the podiatrist's
convention-here is that article I mentioned to you." The profession is
available on LinkedIn and the victim may have mentioned the conference on Twitter.
The email has the victim's name and professional or personal information,
which helps establish its 'credibility'," Greiner said.
"so many people during that short time, a few names may have been missed,
and someone certainly offered to send him an article...wouldn't you click if it
were you?" Greiner said. The "article" may result in the user
being scammed a few dollars or having malware downloaded onto the machine that
wreaks even more havoc.
people to use common sense when opening emails and clicking on links alone is
not enough, Greiner said. Companies need to make sure users are being safe at the
office and at home by running updated security tools, patching software and
being vigilant about Internet security at the company site, on the road and at
home, he said.