Spammers Scan Social Networks to Research Targeted Attacks
Social networks provide spammers with plenty of opportunities to scam users in new and more effective ways, a security expert said.
Social networks have become ubiquitous, with more than 500 million users on Facebook, 100 million on LinkedIn and a reported 200 million users on Twitter. Google claimed it had 10 million users on its Google+ social network within the first two weeks of its limited launch. That's just the tip of the iceberg as there are plenty of smaller social networking sites targeting niche users.
All spammers need is a list of email addresses of their victims to launch a campaign. While these lists can be bought "for a pittance" from other criminals or from businesses that sell "leads" and other contact information, a scammer can easily create one based on information harvested from social networks, Asaf Greiner, vice president of products at Commtouch, told eWEEK.
"Suddenly email addresses don't need to be scraped from newsgroups, or guessed through brute force; they are all around you, on LinkedIn, Facebook, Twitter and so on," Greiner said.
The mass invitation tool often used by these sites to find out if the user's friends and acquaintances are already on the network is "a gift" for scammers. By creating a contact list of guessed or otherwise obtained email addresses, the miscreant can find out if any of those addresses correspond with a legitimate user on the network. Depending on the privacy preferences, the site may also provide photos and additional personal information. Within seconds, this feature "qualifies" a list of random email addresses by identifying real users.
With users sharing more and more details of their personal lives online, it is possible for scammers to create highly targeted lists based on user demographics, preferences and even socio-economic status. Scammers gain a fairly comprehensive view of their victims' online and offline habits just be looking at places they "check in" on geo-tagging services such as Foursquare, the kind of products and businesses they "like" on Facebook, and the kind of jobs they've had on LinkedIn, according to Greiner. All this knowledge is then used to design a spam campaign that will be more effective in getting the victim to click on a link or open an attachment.More than 24 million Americans on social networking sites keep their online profiles mostly public, letting anyone see their personal details, ID Analytics found in a study released this spring. People tend to think of the various networks as separate siloes, such as career-related information on LinkedIn and home details on Facebook, and book preferences on Good Reads. They don't realize that it's easy for a malicious person to correlate all the information across sites, especially if the user is using the same email address to create all the accounts, Thomas Oscherwitz, chief privacy officer for ID Analytics, told eWEEK.
Harvesting personal information, such as the employer, name of family members, the restaurants they visit, may sound like a tedious job to do manually. However, a number of "off-the-shelf gray-market" software automates this process by cross-referencing the data across multiple sites, according to Greiner.
It is fairly straightforward to create "a comprehensive dossier on just about any user," Greiner said.
Cyber-criminals are increasingly moving away from mass attacks because of low conversion rates, according to a recent report from Cisco Security Intelligence Operations. Even though more upfront research is required for targeted spear-phishing attacks, the Cisco report suggested success rates as high as 70 percent. Even though they are lower-volume attacks, spammers find the additional research results in a more profitable campaign, the report found.
The research makes it easier to create targeted messages that are highly personalized to the victim, making the rate of success even more likely. An email message could begin with "It was great running into you at the podiatrist's convention-here is that article I mentioned to you." The profession is available on LinkedIn and the victim may have mentioned the conference on Twitter. The email has the victim's name and professional or personal information, which helps establish its 'credibility'," Greiner said.
After meeting "so many people during that short time, a few names may have been missed, and someone certainly offered to send him an article...wouldn't you click if it were you?" Greiner said. The "article" may result in the user being scammed a few dollars or having malware downloaded onto the machine that wreaks even more havoc.
Telling people to use common sense when opening emails and clicking on links alone is not enough, Greiner said. Companies need to make sure users are being safe at the office and at home by running updated security tools, patching software and being vigilant about Internet security at the company site, on the road and at home, he said.