The first decade of the 21st century saw a dramatic change in the nature of cybercrime. Once the province of teenage boys spreading graffiti for kicks and notoriety, hackers today are organized, financially motivated gangs. In the past, virus writers displayed offensive images and bragged about the malware they had written; now hackers target companies to steal intellectual property, build complex networks of compromised PCs and rob individuals of their identities.
2009 saw Facebook, Twitter and other social networking sites solidify their position at the heart of many users’ daily internet activities, and saw these websites become a primary target for hackers. Because of this, social networks have become one of the most significant vectors for data loss and identity theft.
New computing platforms also emerged last year, and shortly thereafter fell victim to cybercriminal activities. What was lost was once again found in 2009, as old hacking techniques re-emerged as means to penetrate data protection.
By understanding the problems that have arisen in the past, perhaps internet users can craft themselves a better, safer future.
Social Networking
Battle lines are drawn
When the Web 2.0 phenomenon first caught on in 2004, many found it irritating and a timewaster. Likewise, organizations were concerned about wasted company time, as employees would log in to these sites during business hours and drain company bandwidth or worse—inadvertently leak confidential company information.
In 2009, however, such attitudes were relegated to the past as businesses widely adopted social networking techniques. Companies now commonly use blogs to disseminate and share information. Forums serve as a form of technical support where professionals can troubleshoot with peers and colleagues. Meanwhile, many companies embrace Facebook and MySpace because the sites present a great way to connect with customers and spread the latest company news or product offerings to the public.
According to Cisco, almost 2% of all online clicks in 2009 through 4,000 Cisco web security appliances were on social networking sites, 1.35% on Facebook alone1. The business world would be foolish to ignore such a high level of activity and such a potentially lucrative resource.

Why businesses are concerned
For many businesses, the idea of controlling social networking by simply imposing a blanket block on such sites is impractical. More subtle and granular controls are required, such as data loss monitoring to watch for specific types of information passing outside company boundaries via non-approved vectors, and tightly configurable usage policies that can limit illegitimate use of certain sites and technologies while granting access to those who require it.
According to a Sophos survey conducted in December 2009, 60% of respondents believe that Facebook presents the biggest security risk of the social networking sites, significantly ahead of MySpace, Twitter and LinkedIn.
Although productivity continues to be the dominant reason for companies to block social networks (a third of companies say this is the reason they block Facebook), there has been a dramatic rise since April 2009 in the number of businesses who believe malware is their primary security concern with such sites.
It seems these malware concerns are well-justified, with a 70% rise in the proportion of firms that report encountering spam and malware attacks via social networks during 2009. More than half of all companies surveyed said they had received spam via social networking sites, and over a third said they had received malware.
Furthermore, over 72% of firms believe that employees' behavior on social networking sites could endanger their business's security. This has increased from 66% in the previous study. The number of businesses that were targets for spam, phishing and malware via social networking sites increased dramatically, with spam showing the sharpest rise from 33.4% in April to 57% in December. This highlights a surge in exploitation of such sites by spammers2.
Koobface
Those worried about the dangers of social networking sites have a right to be concerned, as many malicious attacks, spammers and data harvesters take advantage of under-cautious users. Most notably, the notorious Koobface worm family became more diverse and sophisticated in 2009.
The sophistication of Koobface is such that it is capable of registering a Facebook account, activating the account by confirming an email sent to a Gmail address, befriending random strangers on the site, joining random Facebook groups, and posting messages on the walls of Facebook friends (often claiming to link to sexy videos laced with malware). Furthermore, it includes code to avoid drawing attention to itself by restricting how many new Facebook friends it makes each day.
Koobface's attack vectors broadened, targeting a wide range of sites other than the one that gave it its name (i.e., Facebook). Social networking sites, including MySpace and Bebo, were added to the worm's arsenal in 2008; Tagged and Friendster joined the roster in early 2009; and most recently the code was extended to include Twitter in a growing battery of attacks.3

It is likely we will see more malware following in the footsteps of Koobface, creating Web 2.0 botnets with the intention of stealing data, displaying fake anti-virus alerts and generating income for hacking gangs. Social networks have become a viable and lucrative platform for malware distribution.
The Mikeyy Mooney worms
In April 2009, the StalkDaily worm rampaged across Twitter, as heavily spammed messages pushing an infected site were followed by more subtle attacks that spread from tweeter to tweeter.4 The worm appeared to be the work of 17-year-old Mikeyy Mooney,5 whose name was referenced in a second wave of attacks appearing just hours after the initial StalkDaily incident.6
Shortly afterward, yet another worm, crafted to spread using cross-site scripting techniques, referenced Mikeyy.7 Further attacks8 in April brought more misery to Twitter users.9
The speed with which these attacks have appeared, spread and become major issues should send a strong message to the big Web 2.0 companies. However, many still need to closely examine their systems and procedures to determine how to protect their members from these threats. Most of these problems can be easily corrected with improved design, programming and data usage policies, and, most important, rapid response to emerging issues.
Also a "localized" problem
Although these major global social networking sites seem to be the most significant part of the problem, they are no more than the tip of the Web 2.0 iceberg. Many countries, regions, groups and subcultures have their own social networking sites. These localized sites, like China's Renren network, are not only as vulnerable to attack, but also as likely to be both drains on corporate time and vectors for data infiltration.
Malware attacks on locale-specific sites have occurred, such as the W32/PinkRen worm, which targeted the Renren network of 40 million users in August 2009, posing as a video of Pink Floyd's classic song "Wish you were here."10 Some of these sites are significantly smaller than the global giants and not as well maintained, so the challenges of problem solving, vulnerability patching, and provisioning adequate privacy and security controls may be even greater.
Emerging vectors for social networking attacks
With individuals and businesses hooked on online social outlets, cybercriminals have taken notice and started using them for their gain. Beyond the common nuisances, such as wasted company time and bandwidth, malware and malicious data theft issues have presented serious problems to social networks and their users. Spam is now common on social networking sites, and social engineering—trying to trick users to reveal vital data, or persuading people to visit dangerous web links—is on the rise.
Social network logon credentials have become as valuable as email addresses, aiding the dissemination of social spam because these emails are more likely to be opened and trusted than standard messages. In many cases, spam and malware distribution are closely intertwined.11