According to a recent report by IT security and data protection firm Sophos, companies are reporting an alarming rise in attacks on users of social networks, such as Facebook and Twitter, by cybercriminals. One form of attack, known as phishing, is up from 21% in April 2009 to 30% in December 2009.
Phishing is an example of social engineering, often accomplished through e-mail, but increasingly also through social networks, like Facebook, Twitter, and LinkedIn. Through messages that appear to come from well-known and trustworthy Web sites, cybercriminals often trick unsuspecting recipients into providing sensitive information. These messages include links to fraudulent sites, which are set up to look legitimate.
Who Is Most At Risk?
According to SearchSecurity.com, Web sites that are frequently spoofed by phishers include PayPal, eBay, MSN, Yahoo, BestBuy, and America Online. ComputerWorld’s Dan Tynan explains what phishers gain by diverting traffic to fraudulent sites: they “might collect a few pennies from the [fraudulent] site owner for each visitor, or the site could do a drive-by install of malware and absorb your machine into a bot network.” Inadvertently revealing your credentials to a phishing site also puts you at risk of identity theft, and when it happens at work, it jeopardizes your company’s information security.
In “Boom in URL Shorteners Equals Boom in Malware and Spyware,” Andrew Wee reports that shortened URLs on social networks are another, and growing, vector for phishing attacks.
Enterprising (or dastardly, depending on your point of view) URL shortener marketers have resorted to coupling linkbait-style snippets with links to malware sites. Clicking on a link can send the user to a page where malware, a trojan, or a virus is installed on the user’s computer.
According to Wee, the best (from the phishers’ perspective) and worst (from victims’ perspective) part of the deal is “the user unleashing this worm across their social network might have no idea of the havoc they’ve unleashed. That is, until they receive a torrent of angry wall posts and messages from their former friends.”
How to Stay Safe Online
For ways to avoid phishing and stay safe online, make sure to review the Internet Fraud Tips from the National Consumers League’s Internet Fraud Watch.
The sections below provide more guidelines from Facebook, Twitter, and LinkedIn, which are especially susceptible to phishing through the use of URL shortener links. A shortened link hides its destination: until you expand it, there is no telling where it leads.
Personally, I think twice these days before clicking on links from untrusted sources, and I rarely retweet a link on Twitter, or post one to Facebook or LinkedIn, without first verifying its destination.
How to Protect Yourself on Twitter
According to the Twitter blog, phishers “send out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages.”
The email says something like, “hey! check out this funny blog about you…” and provides a link. That link redirects to a site masquerading as the Twitter front page. Look closely at the URL field; if it has another domain besides Twitter but looks exactly like our page, then it’s a fraud and you should not sign in.
If you click the link and give your Twitter password to the phishing site, it’s possible for the phisher to send out direct messages on your behalf which could trick your followers. In these cases, Twitter proactively resets the passwords of the accounts.
So, if you find yourself unable to log in to your account with your username and password, please use the reset password link to regain access. This will send an email to the address associated with your account, and you’ll be able to create a new password.
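Two of the checks recommended above can be scripted rather than eyeballed: expanding a shortened link to see where it really lands (the point made under How to Stay Safe Online), and Twitter’s advice to look at the domain in the URL field rather than at how the page looks. The Python script below is an added illustration, not code from this post, from Twitter, or from any of the services mentioned. It follows a redirect chain one hop at a time with automatic redirects disabled, so every intermediate URL is visible and a loop or an endless chain is cut off, and then checks that the final hostname is the expected domain or a subdomain of it rather than a lookalike such as twitter.com.login-verify.example or twitter.com@evil.example. The hostnames sho.rt, track.example and twitter.com.login-verify.example and the redirect table are constructed for the example; real_fetch is the online variant and is not called by default.

```python
"""Expand a shortened URL hop by hop and check the domain it finally lands on."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed redirect chain standing in for a shortener, a tracker and a
# phishing site. Hypothetical hostnames; nothing is fetched from the network.
FAKE_REDIRECTS = {
    "http://sho.rt/abc": "http://track.example/go?id=42",
    "http://track.example/go?id=42": "http://twitter.com.login-verify.example/",
}


def fake_fetch(url):
    """Return the Location header the server would send, or None if the URL
    is the final page. Stands in for an HTTP HEAD with redirects disabled."""
    return FAKE_REDIRECTS.get(url)


def real_fetch(url):
    """Online variant of fake_fetch: one HEAD request, redirects not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow, so the 3xx surfaces as an HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10):
            return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def expand_url(url, fetch=fake_fetch, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.
    Stops on a loop or after max_hops so a hostile chain cannot spin forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def registered_host(url):
    """Hostname of the URL. urlsplit().hostname ignores userinfo, so
    http://twitter.com@evil.example/ correctly yields evil.example."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def belongs_to(host, expected):
    """True only if host is expected or a subdomain of it. Lookalikes such as
    twitter.com.evil.example or twitter-com.example fail this test."""
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def check_link(url, expected_domain, fetch=fake_fetch):
    """Expand url and report the chain, the final host and whether it is legit."""
    chain = expand_url(url, fetch)
    final_host = registered_host(chain[-1])
    return {
        "chain": chain,
        "final_host": final_host,
        "legit": belongs_to(final_host, expected_domain),
    }


if __name__ == "__main__":
    result = check_link("http://sho.rt/abc", "twitter.com")
    for hop in result["chain"]:
        print("  ->", hop)
    print("final host:", result["final_host"], "legit:", result["legit"])
```

Run online with check_link(url, "twitter.com", fetch=real_fetch). The HEAD request is sent to every hop, including the shortener and any tracker, so treat the expansion itself as a low-risk but not zero-risk action; the script never fetches the final page body and never submits anything.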
How to Protect Yourself on Facebook
Ryan McGeehan, at the Facebook blog, provides these tips to protect yourself against phishing:
- Use an up-to-date browser that features an anti-phishing black list. Some examples include Internet Explorer 8 or Firefox 3.0.10.
- Use unique logins and passwords for each of the websites you use.
- Check to see that you’re logging in from a legitimate Facebook page with the facebook.com domain.
- Be cautious of any message, post or link you find on Facebook that looks suspicious or requires an additional login.
- Become a fan of the Facebook Security Page for more updates on new threats as well as helpful information on how to protect yourself online.
How to Protect Yourself on LinkedIn
At the LinkedIn blog, Mario Sundar provides these basic member security and privacy guidelines to keep you safe:
- Review your current LinkedIn Account & Settings. From there you can identify what information you’ve set that is private (only to your connections) and what is public.
- Connect with only those you know and would trust because these are the people you will seek advice from and request a recommendation about your quality of work.
- Keep your password secure and log out of your account when you are done (especially if you’re accessing your account from a public computer).
- Always have at least one other email address assigned to your account should you lose access to the primary email address.
- Ensure your computer’s security software is up to date.
- Most importantly, don’t click on a link you don’t trust. (If it feels suspicious…it probably is.)
- Malware and spam rise 70% on social networks, security report reveals
- Recovering from Twitter Phishing