Wednesday, November 23, 2011

Social Network Account Spoofing

Users of Facebook, LinkedIn and other social networks are vulnerable to attacks that rely on account spoofing. A scammer poses as either someone you know or a friend of a friend, in order to fool you into revealing personal information. He then uses that information to gain access to your other accounts and eventually steal your identity.

In a typical exploit, says Joffe, someone contacts you on a site like Facebook or LinkedIn, pretending to be a friend of a friend or a co-worker of someone you trust. Then, this new "friend" contacts you directly through text message or email. The correspondence seems legitimate because you believe he has a connection with an individual you trust.

In another scenario, a scammer might impersonate someone you already know -- claiming to be an old friend from high school, for instance. Spoofers can find out your connections by following your public feeds or looking up the names of co-workers on sites like LinkedIn, where you've posted your work information.

Once the scammer has established a connection with you, he uses devious means to steal personal data, such as chatting online to find out the names of your family members, favorite bands, hobbies and other seemingly innocuous information. Then he uses that information to try to guess your passwords or answers to security questions for banking sites, webmail accounts or other online services.

Morehouse describes another type of attack that targets companies as well as individuals. The spoofer might set up a Facebook page that claims to be the official company page for, say, a major retailer. The spoofer might claim that the page is a formal method to contact the company or register complaints.

The page might offer fake coupons to entice people to join, and it soon goes viral as people share it with their friends. Once hundreds or thousands of users have joined the page, says Morehouse, the owner tricks them into giving out personal information, perhaps by signing up for additional coupons or special offers.

This ends up being a double attack: Consumers are harmed because their personal data is compromised, and the company is harmed because its customers now associate the fake Facebook page with the real company -- and decide not to buy from that company anymore.

Joffe says there is no way to prevent a criminal from setting up a fake Facebook page, but companies can use monitoring tools such as Social Mention to see how the company name is being used online. If an unauthorized page turns up, companies can ask the social network to remove the fake listing.

November 21, 2011 (Computerworld)

Text-Message Malware

While smartphone viruses are still fairly rare, text-message attacks are becoming more common, according to Rodney Joffe, senior vice president and senior technologist at mobile messaging company Neustar and director of the Conficker Working Group, a coalition of security researchers that came together to fight the malware known as Conficker. PCs are fairly well protected today, he says, so some black-hat hackers are now targeting mobile devices. Their incentive is mostly financial: text messaging provides a way to break into devices and make money.

Khoi Nguyen, group product manager for mobile security at Symantec, confirmed that text-message attacks aimed at smartphone operating systems are commonplace now that people are increasingly reliant on mobile devices. It's not just consumers who are at risk, he adds. Any employee who falls for a text-message ruse using a company smartphone can jeopardize the business's network and data and possibly cause a compliance violation.

"This is a similar type of attack as [is used on] a computer -- an SMS or MMS message that includes an attachment, disguised as a funny or sexy picture, which asks the user to open it," Nguyen explains. "Once they download the picture, it will install malware on the device. Once loaded, it would acquire access privileges, and it spreads through contacts on the phone, [who] would then get a message from that user."

In this way, says Joffe, hackers create botnets for sending text-message spam with links to a product the hacker is selling, usually charging you per message. In some cases, he adds, the malware even starts buying ring tones that are charged on your wireless bill, lining the pockets of the hacker selling the ring tones.

Wireless carriers say they do try to stave off the attacks. For instance, Verizon spokeswoman Brenda Raney says the company scans for known malware attacks, isolates them on the cellular network, and even works with federal crime units to block them.

To keep such malware off users' phones, Joffe recommends that businesses institute strict corporate policies limiting whom employees can text using company networks and phones, and what kind of work can be done via text messaging. Another option is a policy that prohibits text messaging entirely, at least until the industry figures out how to deal with the threats.

November 21, 2011 (Computerworld)