Facebook and Twitter Phishing Attacks
Social networking presents a paradox when it comes to security. The very premise of ’social’ networking is to share news and information with friends, family, and like-minded individuals, but sharing too much information or being too trusting of those within your social sphere of influence can result in getting your system compromised or your identity stolen.
Facebook and Twitter have both been targeted recently by different attacks. The Facebook attack is more of an old-school style phishing attack. It is designed to look like it came from Facebook, and it is actually more convincing than most phishing scam emails I have received.
The attacker is probably capitalizing on the recent modifications to the Facebook homepage to catch users off guard and convince them that changing login information is just another change being made. Both the ‘Update’ button and the link that says ‘Click here’ lead to some malicious destination and not to Facebook.

The Twitter phishing attack is a little more insidious because it attempts to leverage the social aspect of social networking to breach your trust. The Twitter phishing URL arrives via DM, or Direct Message. Unlike normal Twitter tweets, which are public and can be searched and viewed by all, DMs are private and can only be sent to you by a user that you follow. The very fact that you are following the person on Twitter implies at least some level of trust between you and that party.
The actual DM is relatively short, saying something to the effect of “ur on here http://twitter-videos…” with the URL being shortened or obfuscated in some way to hide the true URL. If you click on the URL you arrive at a page that looks identical to a Twitter login page. If you enter your credentials on this page you are giving them to the attacker who can then use your account to DM others who follow you and continue the web of phishing.
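A simple triage check for links arriving in a DM, written as an added example for this post (not code from the original). It parses the hostname and separates links that really belong to the service, links behind a shortener that must be expanded before they can be judged, and lookalike hostnames that merely contain the brand name; the legitimate host set, the shortener list and the sample DM text are assumptions constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumption: the only legitimate host for the impersonated service is twitter.com
# (plus its subdomains). Extend this set for other services the lure might mimic.
LEGIT_HOSTS = {"twitter.com"}
# Shortener domains seen on this page; the true destination is hidden until expanded.
SHORTENERS = {"tinyurl.com", "bit.ly", "ow.ly"}
BRAND = "twitter"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_url(url: str) -> str:
    """Classify one URL as 'legit', 'shortened', 'lookalike' or 'other'."""
    host = (urlparse(url).hostname or "").lower()
    # Exact match or a genuine subdomain of the legitimate host.
    if host in LEGIT_HOSTS or any(host.endswith("." + h) for h in LEGIT_HOSTS):
        return "legit"
    if host in SHORTENERS:
        return "shortened"
    # A host that only *contains* the brand name (twitter-videos..., twitter.com.evil...)
    # reads as the real site to a hurried eye but resolves somewhere else entirely.
    if BRAND in host:
        return "lookalike"
    return "other"


def check_dm(text: str) -> List[Tuple[str, str]]:
    """Return (url, verdict) pairs for every URL found in a DM body."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample DM modelled on the lure quoted above; the domain is a placeholder.
    sample = "ur on here http://twitter-videos.example/login"
    for url, verdict in check_dm(sample):
        print(f"{verdict:10} {url}")
```

Anything classified as "shortened" should be expanded (for example by following the redirect with a HEAD request) and the final URL classified again before anyone is asked to trust it.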
If you follow me on Twitter you may have received such a DM from me. I fell victim to this attack. Before you slap my wrists for the security oversight, I figured out the course of events and it serves as an additional warning for you.
See, I don’t really use Twitter. I use the service, and I use my Twitter account, but I don’t use the site. Ever. I use Tweetdeck. So, when I got the DM, from someone I trust, I clicked on the URL. When I saw the Twitter login page I didn’t think twice about entering my credentials because I knew I wasn’t logged in to Twitter. Had I been logged in to the Twitter site when I received the DM it would have seemed odd that it was asking me to log in *again*, but because of the way I interact with Twitter it didn’t concern me in the least.
Bottom line: I know it’s social networking and you’re using it to share with others and be social. Just remember that attackers are actively looking for ways to exploit the implicit trust you place in your social networking connections, so always be skeptical and use some common sense.
Good thing I place no trust in it then and share nothing on FB/CIA, only on there for the games.
November 1st, 2009 at 4:41 am
I do this because I used to have very separate groups of contacts on Facebook and Twitter. Short Url Redirection
November 1st, 2009 at 5:35 pm
I’ve become more and more leery of clicking on any link in a DM. Actually, I’ve gone to DMing the sender, asking “Did you just send me a link via DM?” A bit cumbersome, but it prevents the phishers from catching me on their line.