Phishing Scams Focus on Workplace E-Mail, Not Twitter, Facebook: Survey

IT managers see phishing spam targeting the workplace in greater numbers than social networking sites, such as Twitter or Facebook.

As a JavaScript exploit wreaked havoc on on the morning of Sept. 21, a survey of small business IT managers revealed spam as the primary security threat to business networks.

Despite the increasing number of malware attacks originating from social networking sites like Facebook, MySpace and Twitter, the managers called those threats "marginal" to businesses.

The latest SMB survey from spam and Web filtering software vendor SpamTitan focused on phishing trends on business and enterprise networks. A full 75 percent of IT managers responded that spam is the biggest source of phishing attempts affecting business users, the SpamTitan survey found.

Phishing attacks are most commonly encountered in e-mail or social network spam, although there are other techniques. As companies implement stricter network security measures to filter out spam from their employees' in-boxes, there are concerns phishers will just shift their focus to online sites. Employees frequently access social networking sites from work, and even the most savvy users are likely to click on links like "i can't believe these pics got posted..." or "hey! check out this funny blog..." if they think their friends posted them.

The managers in the survey did not ignore possible attacks from social networking sites. The survey found that 37 percent of the managers considered the number of online phishing attempts proliferating on social networking sites a "growing phenomenon." However, almost an equal number disagreed, calling it a natural response to the growth of online user communities.

"Phishing attacks remain a clear and present threat to businesses," said Ronan Kavanagh, SpamTitan's CEO. "The arrival of social networking in the workplace has presented phishers with a bigger pond to phish in."

Attackers are creative, identifying new ways to trap users even if they don't click on the link. For example, the Sept. 21 attack on Twitter revolved around a cross-site scripting issue on the site's home page. The security hole allowed attackers to display pop-up windows or redirect users to third-party sites if they scrolled their cursors over a link. In this case, the mere fact of the mouse passing over the link, whether intentionally or inadvertently, triggered the site redirect. Twitter patched the bug by early afternoon.

Twitter is no stranger to scams. Earlier this year, hackers stole e-mail addresses and passwords from compromised torrent sites. Users who applied the same e-mail address and password for Twitter found their accounts hijacked by these attackers. Another scam tricked users into giving up their Twitter credentials by using TinyURL, a URL shortening service, to disguise a link to a phishing site.

The survey results are consistent with reports from other security companies. Spam masquerading as banking and order confirmation e-mails is one of the most common phishing techniques.

Attacks against HSBC, eBay and PayPal accounted for more than 52 percent of all scams in the first three months of 2010, according to antivirus vendor Kaspersky Labs. In contrast, Facebook's share was less than 6 percent over the same period. Symantec also noted that phishing e-mails spiked 11 percent overall from July to August this year.

A different SpamTitan survey last year looked at social networking sites and discovered that 23 percent of surveyed online users had been exposed to a phishing attempt. Even more distressingly, 19 percent had clicked on the link, and 3 percent had divulged their personal or financial information.