How many social networking accounts do you have? Do you access them often? Have you set up profiles on multiple sites and then forgotten about them, or left others to wither on the vine after using them frequently for a time?
While it may be impossible to completely prevent attackers from hijacking your accounts and attempting to aim threats at your friends and colleagues, managing your social networking accounts on a more active basis and enlisting all of the security and privacy tools that the sites offer can dramatically reduce the risk of such incidents, experts with Symantec maintain.
This advice may seem obvious, but, with the proliferation of so many social networking applications, let’s face it, it’s hard not to sign up for some sites, connect with people you know and then fall out of love with the apps.
The rise of multifarious social engineering attacks carried out over social networks has created a whole new world of risk for users of the systems, and all those that they connect with over the sites, as attackers have created a number of different means to abuse trust relationships formed by people to build targeted campaigns.
Who among us hasn’t received a malware or phishing ploy from the account of a trusted contact on Twitter (yesterday), or received messages asking them to check out videos of themselves posted on Facebook (every day)? Certainly most users of these wildly popular sites know this has become the reality.
One of the biggest drivers of risk is people’s tendency to abandon accounts, allowing attackers to take them over and threaten all of their contacts without the users’ knowledge, or for users to fail to utilize key application security and privacy settings that would make it harder for scammers and cyber-criminals to hijack their online personas, the researchers contend.
“These sorts of problems often happen when social networking profiles don’t have their privacy settings administered properly. It could also be a problem with the social network service, which might not have maintained proper privacy regulations on behalf of their participants,” said Symantec expert Vivian Ho in a recent blog post. “Spammers can get onto these social network sites and collect user information, such as e-mail addresses or personal blog URLs, for example, and they can collect additional information from friends’ profiles if those profiles are also set to be public.”
When people no longer actively manage their accounts, not only does it make it easier for attackers to assume their identities, but it allows such attacks to carry on far longer, until someone finally clues the involved user in to the fact that someone may be manipulating their reputation and contacts.
If you decide to stop using a particular service, it’s better to simply close your account than it is to merely leave it to fester and become a new point of risk for your contacts. And enlisting the privacy tools of sites like Facebook, in particular, can create an extra hurdle for scammers that may encourage them to move on to the next target.
For active social networking users, it is vital to carefully consider every message or invitation they receive before opening its contents (think shortened URL) or clicking “yes” to sign up for a group or application that is being advertised. If anything makes you wonder, and maybe even if it doesn’t, reach out to the sender to ensure that the message or invite is legit, or do some background research on your own.
A little vigilance can go a long way.
Now, about that targeted spear phishing e-mail you just received from your boss on your work e-mail account…
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.