
Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert

By Robert Westervelt, News Editor
28 May 2009 | SearchSecurity.com

Security Wire Daily News

Threats to social networking websites continue to climb at an alarming rate, according to researchers at Kaspersky Lab. So far, more than 25,000 malware samples have been tracked by Kaspersky spreading through social networks and researchers estimate that the number could exceed 100,000 by the end of 2009.

The Kaspersky research suggests that attackers may be turning away from targeting traditional technical vulnerabilities, instead focusing on social engineering techniques to lure victims into giving up Twitter, Facebook and other social website account information, said Stefan Tanase, a malware researcher based at Kaspersky's Romanian labs.

"Using a zero-day exploit is definitely more expensive than just creating some social mechanism to get a computer infected," Tanase said.

Social engineering techniques that trick users into a false sense of trust have proven lucrative for attackers. Kaspersky estimates attacks against social networks are 10 times more successful at targeting users than e-mail-based attacks. "Human beings base their relationships on trust," Tanase said. "The bad guys are trying to exploit this trust."

In a presentation to reporters Thursday, Tanase explored some of the latest attack techniques, including the latest phishing attacks being used against Twitter users and ongoing Facebook hacks using fake accounts to build a network before promptly exploiting it. In many cases, attackers are passing a malicious link and curious users naïvely click on the links to bogus websites that force-download malware or harvest account information.

Tanase said Facebook, Twitter and other social networks have been responding promptly to attacks as they are detected or reported, but it is difficult to completely lock them down without impacting the user experience.

"They can clean up their mess inside their own house but they cannot do anything about all the user's computers that have been infected," he said. "It's very hard for them to do better … Their core business is usability and usability doesn't go hand-in-hand with security."

Companies are at a greater risk of data loss as a result of increased use of Web-based services. A recent survey of 1,300 IT managers conducted by research firm Dynamic Markets Ltd., and underwritten by security vendor Websense, found that IT managers are under increased pressure to weaken Web security policies.

IT security professionals are balancing the need to let end users use Web-based services to improve business efficiencies and the need to address the increased risk with the appropriate policies and security tools, said security expert Lenny Zeltser, who leads the security consulting practice for Savvis, and is a faculty member at SANS Institute. Even if companies attempt to block access to specific websites, it may not mitigate much risk, because employees can continue to leak out data gradually from home, Zeltser said.

"We're coming to the point where there's so many different ways for sharing information over the Web and so many different sites from webmail that's becoming increasingly powerful to social networking sites that they're becoming adopted on a large scale," Zeltser said. "Right now companies are realizing that everybody's doing it and they're finally considering what to do about it."

A bigger conundrum for companies is the phenomenon of employees leaking data in drops, Zeltser said. Bits and pieces of information may appear harmless on Twitter, Facebook and other social networking platforms, but attackers have picked up on this and are trying to collect all the pieces to use the information to gain access to more sensitive resources.

"Each drop of data isn't sensitive by itself, but assembled together, they become more meaningful," Zeltser said. "People leak out these drops of data about themselves, about their organization, about their projects and about the context with which they work … somebody taking that data over time that's where it becomes meaningful, more risky and dangerous."

Business executives want employees to use social platforms because they're seeing the benefits, said Kaspersky's Tanase.

"Even though they're gaining popularity we need to not forget about the risks that are coming from these new applications," Tanase said. "What people should do is see both sides of Web 2.0 platforms -- the good and the bad."
