Threats to social networking websites continue to climb at an alarming rate, according to researchers at Kaspersky Lab. So far, more than 25,000 malware samples have been tracked by Kaspersky spreading through social networks and researchers estimate that the number could exceed 100,000 by the end of 2009.
The Kaspersky research suggests that attackers may be turning away from targeting traditional technical vulnerabilities, instead focusing on social engineering techniques to lure victims into giving up Twitter, Facebook and other social website account information, said Stefan Tanase, a malware researcher based at Kaspersky's Romanian labs.
"Using a zero-day exploit is definitely more expensive than just creating some social mechanism to get a computer infected," Tanase said.
Social engineering techniques that trick users into a false sense of trust have proven lucrative for attackers. Kaspersky estimates attacks against social networks are 10 times more successful at targeting users than e-mail-based attacks. "Human beings base their relationships on trust," Tanase said. "The bad guys are trying to exploit this trust."
Web security, cloud security:
US-CERT warns of Gumblar, Martuz drive-by exploits: Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.
XSS bugs, information leakage top list of website vulnerabilities: Companies are moving more rapidly to correct errors by feeding virtual patches into Web application firewalls, according to WhiteHat founder and CTO Jeremiah Grossman.
In a presentation to reporters Thursday, Tanase explored some of the latest attack techniques, including the latest phishing attacks being used against Twitter users and ongoing Facebook hacks using fake accounts to build a network before promptly exploiting it. In many cases, attackers are passing a malicious link and curious users naïvely click on the links to bogus websites that force-download malware or harvest account information.
Tanase said Facebook, Twitter and other social networks have been responding promptly to attacks as they are detected or reported, but it is difficult to completely locking them down without impacting the user experience.
"They can clean up their mess inside their own house but they cannot do anything about all the user's computers that have been infected," he said. "It's very hard for them to do better … Their core business is usability and usability doesn't go hand-in-hand with security."
Companies are at a greater risk of data loss as a result of increased use of Web-based services. A recent survey of 1,300 IT managers conducted by research firm Dynamic Markets Ltd., and underwritten by security vendor Websense, found that IT managers are under increased pressure to weaken Web security policies.
IT security professionals are balancing the need to let end users use Web-based services to improve business efficiencies and the need to address the increased risk with the appropriate policies and security tools, said security expert Lenny Zeltser, who leads the security consulting practice for Savvis, and is a faculty member at SANS Institute. Even if companies attempt to block access to specific websites, it may not mitigate much risk, because employees can continue to leak out data gradually from home, Zeltser said.
"We're coming to the point where there's so many different ways for sharing information over the Web and so many different sites from webmail that's becoming increasingly powerful to social networking sites that they're becoming adopted on a large scale," Zeltser said. "Right now companies are realizing that everybody's doing it and they're finally considering what to do about it."
A bigger conundrum for companies is the phenomena of employees leaking data in drops, Zeltser said. Bits and pieces of information may appear harmless on Twitter, Facebook and other social networking platforms, but attackers have picked up on this and are trying to collect all the pieces to use the information to gain access to more sensitive resources.
"Each drop of data isn't sensitive by itself, but assembled together, they become more meaningful," Zeltser said. "People leak out these drops of data about themselves, about their organization, about their projects and about the context with which they work … somebody taking that data over time that's where it becomes meaningful, more risky and dangerous."
Business executives want employees to use social platforms because they're seeing the benefits, said Kaspersky's Tanase.
"Even though they're gaining popularity we need to not forget about the risks that are coming from these new applications," Tanase said. "What people should do is see both sides of Web 2.0 platforms -- the good and the bad."