
Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert

By Robert Westervelt, News Editor
28 May 2009 | SearchSecurity.com


Threats to social networking websites continue to climb at an alarming rate, according to researchers at Kaspersky Lab. So far, more than 25,000 malware samples have been tracked by Kaspersky spreading through social networks and researchers estimate that the number could exceed 100,000 by the end of 2009.

The Kaspersky research suggests that attackers may be turning away from targeting traditional technical vulnerabilities, instead focusing on social engineering techniques to lure victims into giving up Twitter, Facebook and other social website account information, said Stefan Tanase, a malware researcher based at Kaspersky's Romanian labs.

"Using a zero-day exploit is definitely more expensive than just creating some social mechanism to get a computer infected," Tanase said.

Social engineering techniques that exploit users' misplaced trust have proven lucrative for attackers. Kaspersky estimates that attacks launched through social networks are 10 times more successful at reaching users than e-mail-based attacks.

"Human beings base their relationships on trust," Tanase said. "The bad guys are trying to exploit this trust."

In a presentation to reporters Thursday, Tanase explored some of the latest attack techniques, including the latest phishing attacks being used against Twitter users and ongoing Facebook attacks that use fake accounts to build a network of contacts before promptly exploiting it. In many cases, attackers pass along a malicious link, and curious users naïvely click through to bogus websites that force-download malware or harvest account credentials.

Tanase said Facebook, Twitter and other social networks have been responding promptly to attacks as they are detected or reported, but it is difficult to completely lock them down without impacting the user experience.

"They can clean up their mess inside their own house but they cannot do anything about all the user's computers that have been infected," he said. "It's very hard for them to do better … Their core business is usability and usability doesn't go hand-in-hand with security."

Companies are at a greater risk of data loss as a result of increased use of Web-based services. A recent survey of 1,300 IT managers conducted by research firm Dynamic Markets Ltd., and underwritten by security vendor Websense, found that IT managers are under increased pressure to weaken Web security policies.

IT security professionals are balancing the need to let end users use Web-based services to improve business efficiencies and the need to address the increased risk with the appropriate policies and security tools, said security expert Lenny Zeltser, who leads the security consulting practice for Savvis, and is a faculty member at SANS Institute. Even if companies attempt to block access to specific websites, it may not mitigate much risk, because employees can continue to leak out data gradually from home, Zeltser said.

"We're coming to the point where there's so many different ways for sharing information over the Web and so many different sites from webmail that's becoming increasingly powerful to social networking sites that they're becoming adopted on a large scale," Zeltser said. "Right now companies are realizing that everybody's doing it and they're finally considering what to do about it."

A bigger conundrum for companies is the phenomenon of employees leaking data in drops, Zeltser said. Bits and pieces of information may appear harmless on Twitter, Facebook and other social networking platforms, but attackers have picked up on this and are collecting the pieces, assembling them to gain access to more sensitive resources.

"Each drop of data isn't sensitive by itself, but assembled together, they become more meaningful," Zeltser said. "People leak out these drops of data about themselves, about their organization, about their projects and about the context with which they work … somebody taking that data over time that's where it becomes meaningful, more risky and dangerous."

Business executives want employees to use social platforms because they're seeing the benefits, said Kaspersky's Tanase.

"Even though they're gaining popularity we need to not forget about the risks that are coming from these new applications," Tanase said. "What people should do is see both sides of Web 2.0 platforms -- the good and the bad."
