Spear-Phishing: Social Networks Open to Harvesting
In a recent article, I outlined the problems with
increased breaches of security on sites as huge as MySpace
and Facebook, not to mention sites that are supposed to be
geared specifically towards businesses. While there is still
a digital DMZ around most enterprises, those who would
compromise your users and your security are going after these
so-called soft targets with a new twist on the old social
engineering methods to extract information and gain access
to your resources. Here is what you should know about this
latest ploy!
Social Engineering
Social engineering is nothing new. It has been around since
before there were PCs. An individual talks their way into an
office, claiming to be there to solve a problem for
someone, to work on the phones, to pick up a file, etc.
Social engineering is alive and well and remains the most
effective hacking technique, according to Aaron Higbee, a
managing partner and co-founder of the Intrepidus Group. Its
use assists in the proliferation of malware, spam, mass
phishing, botnets and even more advanced hacking techniques.
Today's social engineering threats have progressed beyond
the scope of infamous hacker Kevin Mitnick, who earned his
reputation and subsequent jail time by using his ability to
find soft targets within an organization and schmooze them
into providing information that would allow him access to
their systems and network. Now out of jail, Kevin Mitnick runs
Mitnick Security Consulting LLC, a computer security
consultancy firm.
Spear-Phishing?
Ok, so you have heard of phishing, the electronic equivalent
of throwing a hook and bait into a lake. Instead of a fish,
the target of phishing is information. So what is
spear-phishing then? Spear phishing is the technique of
using highly targeted spam to trick users into giving up
what seems to be harmless, innocuous information. With that
information in hand, the spear phisher is on their way to
identity theft or a network breach. With common phishing, the
phisher may pose as a bank and send out millions of bogus
emails informing people that there's a problem with their
account and more information is needed. With spear phishing,
the attack uses actual information about the person's
account, such as the car loan on your 2007 Acura MDX, claiming
it is compromised and requiring the recipient to enter a Social
Security number or other account info. Social networking
sites where people share information about their cars,
boats, etc. make this process easy for the spear phisher.
They harvest the information from the web site and then
craft an email that is tailored to the information they got
about the user, information the user gave up for free.
Why is the threat so great?
"In the social media area, a spear phisher really has a
lot of avenues to build a story around individuals," Higbee
says. Social networks are soft targets because they are
loaded with the type of information that spear phishers
love. This includes, but is by no means limited to,
hometowns, birth dates, spouse names, pet names, addresses,
alternate email accounts, employers and more. That
information gives hackers the means to turn mass phishing
attacks into targeted spear phishing strikes that have far
greater effective reach. And worse yet, many of these sites
have tools that allow users to harvest targeted information.
End users are often concerned when companies and IT
departments choose to block or limit access to these sites.
The consensus of security pros and IT managers alike is that
the security risks associated with social networks are on
the increase.
Why are Security Risks Increasing on Social Network Sites?
Social networks are popular because they share
information. This makes them ideal conduits for conveying
sensitive information outside the controls of the network
infrastructure. Websense found in a recent study that
security pros are concerned about social networking threats.
Few companies realize how great the threat is. Higbee says
that many companies contact them for security assessments,
but tell the auditors to only look at conventional threats
and security measures, ignoring social engineering and
social networks. Intrepidus Group auditors probe clients
with social engineering tests anyway, and 23 percent of the
500,000 seats tested by the company were found to have
fallen for a social-engineered spear phishing attack.
Solving The Problem
The problems that plague, and will continue to plague, social
network security and privacy can only be resolved if
users take a more careful approach to what they share and
how much, and, for those in the business world, by controlling
what sites your employees can access. Common sense, just as
it was in Thomas Paine's time, is apparently not as common as
you might think! To that end, some security companies are
trying to push technology that checks the pages on social
networking sites for malicious content. The real issue
remains educating users about the risks of putting too much
information on their social networking page and how it can
be used to elicit sensitive information in spear phishing
attacks. Users who continue to post ever increasing amounts
of personal data on social networks without batting an eye
are part of the problem, as surely as those who do not have
up-to-date anti-virus software on their machines threaten
those who do!
The Rules Remain
When it comes to using a social networking site, if you
choose to do so, you should follow a few common sense best
practice rules:
- Don't post anything you wouldn't mind telling a
complete stranger, because in reality that's who
potentially has access.
- Be careful who you add as a "friend," because
there's simply no way of verifying a user's actual
identity online.
- Remember that real friends already know your personal
information, which negates the need to post it online.
Where Does It Go From Here?
While social networks have a great potential for use in
business, people still need to understand that their use
must be evaluated carefully to fully grasp the threats they
present. There are too many sources out there all saying the
same thing about these sites for this to be a "Chicken
Little" or "Boy Who Cried Wolf" situation. The comments made
here about particular sites describe well-publicized events,
so feel free to take a look yourself! As with all topics
discussed here, we try to stay up to date and provide you
with the latest information available on technical subjects
that are gaining momentum. As always, feel free to contact
me with questions or comments!
All product names / logos, company names / logos are
copyrights of their respective holders. John Boline is an
MCSE, CNE, USE, a member of the Network Professional
Association and the Microsoft Partner Research Panel. The
content herein is often based on late-breaking events. Much
of the material is based on information from sources that
are believed to be reliable. Hagerman & Company, Inc.
disclaims all warranties as to the ultimate accuracy or
completeness of the information. Hagerman & Company, Inc.
and its employees shall have no liability for errors,
omissions or inadequacies in the information contained
within this article or for any interpretations thereof. The
recommendations, positions and best practice policies
outlined herein represent Hagerman & Company, Inc.'s initial
analysis and therefore are subject to change as further
information which may have bearing on these positions is
made available. The reader assumes sole responsibility for
the selection of these materials to achieve the intended
results. The opinions expressed herein are subject to change
without notice. Hagerman & Company, Inc. assumes no
obligation to update the forward-looking statements made in
this newsletter to reflect any change in circumstances
after the date of publication. Entire contents © 2009
Hagerman & Company, Inc. All rights reserved. Reproduction
of this publication in any form without prior written
permission is forbidden.