As we’ve noted regularly in recent days, social networking sites are seeing a significant increase in attacks aimed at their users, primarily those seeking to lure people to fake log-in pages made to resemble the sites, through which the bad guys attempt to phish legitimate credentials to carry out future campaigns.
After grabbing credentials, attackers can craft threats that appear to come from known contacts, making it far more likely that people will click on unknown links that typically lead them to malware drive-bys, or at least URLs offering infected downloads.
The Twitter community has been abuzz with such phishing threats over the last several days, and, according to security researchers at Lumension Security, Facebook is seeing a similar activity spike this week as well.
“The gathering of user names and passwords from Facebook and Twitter can be of immediate value to the bad guys as many users have the same user name and passwords for e-commerce sites, allowing the bad guys to make immediate purchase[s] on the user’s account,” Lumension researchers said in a blog post. “The author believes that the current harvesting of Facebook and Twitter account credentials is a precursor for something bigger and perhaps more ominous down the road — directing users to … malware-laden Web sites.”
The best advice on how to avoid such scams, further endorsed by the vendor, is to merely avoid any potentially nefarious log-in pop-ups, and go directly to the sites themselves to enter your information.
However, as I pointed out in my post about LinkedIn Jan. 6, the ability of attackers to tap into the real power of social networking — shared trust established between known users — is the biggest threat of this type of activity, and can be seen in the predicted outcome of these latest social networking attacks.
Among the eye-teasing message subject lines that attackers are using to trick people into clicking, according to Lumension, are things like:
Facebook: “lol i can’t believe these pics got posted…. or “it’s going to be BADDDD when her boyfriend sees these”
Twitter: “hey! check out this funny blog about you…” and “win a free iPhone”
Unlike the attempts to dupe users of LinkedIn with free pics of Hulk Hogan nude (shudders) you can see why someone might be tempted to click on this batch on Facebook and Twitter, especially when they appear to come from friends.
Another trend being tracked by Lumension researchers over these first days of 2009 is an increase in phony Google Alerts that attempt to redirect people to a malware infection sites.
So, be sure that you know what you’re clicking on before doing so, and, only log in directly when you visit your favorite social sites. You’ll certainly be glad that you did.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.