LAS VEGAS-Sometimes our friends aren’t really our friends. Just ask security researchers Nathan Hamiel and Shawn Moyer.
Hamiel, senior consultant for Idea Information Security, and Moyer, Agura Digital Security’s chief information security officer, teamed up before an audience Aug. 7 at the Black Hat conference to lay bare some of the security risks users of social networking sites face.
The attacks they discussed ran the gamut and included exploits that allowed hackers to add friends to-as well as log legitimate users out of-compromised MySpace accounts. The duo even created a phony profile on LinkedIn for fellow security professional Marcus Ranum, chief security officer at Tenable Network Security. Within a day, more than 50 people reportedly had fallen for the ruse and joined the phony profile as “connections.”
What the demonstration by Hamiel and Moyer showed is that personal data on social networking sites can be manipulated by attackers. However, their Black Hat presentation was far from the first time security pros have put social networking sites under the microscope. Also on Aug. 7, researchers at Sophos published information about an attempt by hackers to infect Facebook users by spreading messages with malicious links.
According to Sophos, messages are left on Facebook users’ walls that urge them to view a video that portends to be hosted on a Google Web site. Clicking on the link leads users to a site that tries to entice them into downloading an executable to watch the movie. The executable is the Troj/Dloadr-BPL Trojan horse, which in turn downloads malicious code detected as Troj/Agent-HJX and displays an image of a court jester poking out his tongue.
In addition, last week Kaspersky Lab detected two variants of a new worm, Net-Worm.Win32.Koobface.a and Net-Worm.Win32.Koobface.b, which attack MySpace and Facebook, respectively.
As evidenced by the Black Hat talk, part of the problem is the high level of trust people have in their social networks and the applications that reside on them. With that in mind, a little social engineering can go a long way to get users to run untrusted applications. And it’s not just personal data that can potentially be at risk.
“Companies need to make their own mind up as to whether they want to allow their users to access Web sites like Facebook and MySpace during office hours,” Graham Cluley, senior technology consultant at Sophos, said in a statement. “If workers are allowed to be given access to these sites then it’s vital that they do not put their personal and corporate data at risk, and are protected from Web-based infections.”