Social Media and Identity Theft Risks PT II

Tuesday, March 30, 2010

Robert Siciliano


Now that the three major search engines, Google, Bing and Yahoo, index real-time results from Twitter and other social networks, consumers and employees must be aware that not every relevant search result is a safe click. Scammers and identity thieves see this as real-time free advertising for their malware.

When news breaks, social media is now treated as a trusted source for cutting-edge information. The search engines trust that data and place those keyword search results on page one.

A criminal hacker who sees news break begins to amplify that message and embed malware in links that lead to fraud.

Tainted Twitter and Facebook updates are riddled with spam and viruses: status posts carry links disguised as short URLs that lead to spoofed sites or to a downloadable virus. The use of short URLs has made Twitter's 140-character limit the perfect launch pad for spam leading to diet pills, Viagra and viruses.

The blind trust the search engines have in these results puts the user in jeopardy.

While all three search engines have automatic and manual processes for detecting such links, the sheer volume of hackers using this strategy creates a cat-and-mouse scenario that is far from foolproof.

1.    Don't click on links from people you aren't familiar with. I never click links in the body of an email from those I'm not familiar with, and I don't do it on social media either.

2.    If you are compelled to follow the link, use a short URL decoder that provides a glimpse of where the link goes. Otherwise, make sure you have the most up-to-date browser, one that warns you when you enter a spoofed site, and make sure your antivirus is fully up to date.

PC World reports that a third of social networkers have at least three pieces of information posted on their pages that could lead to identity theft. Names, addresses, birth dates, mothers' maiden names, kids' names, pets' names, employers and phone numbers are among the various types of data that could help a criminal piece together your identity. Social networkers are simply making it too easy for thieves.

Almost 80% of those polled are concerned about privacy issues on social networks, yet almost 60% are unaware of what their privacy settings are and who can see their data. One third of social networkers admitted that they use the same password for all their social networking accounts.

Most social networks have privacy settings that many users never venture to manage. It is imperative to spend a few minutes and lock down your profiles so they can't be seen by everyone in the world.

It is not unusual for a potential identity thief to "friend" a potential victim. The thief poses as someone the target may know, or someone who is known within the target's social circle. Once the thief has been accepted as a friend, he or she is in the target's inner circle and gains a great deal of insight into the target's daily life.

Getting in Through the Front Door

Ethical hackers are the tech industry's white knights, also known as "white hat hackers". They are hired by companies' CIOs to penetrate an organization's network and determine where its vulnerabilities are. Use them before a bad guy does.

The process of a white hat starts with a permission-based hack that often leads to results that make the CIO nauseous. Getting the data may mean hacking a wireless connection, hacking a public-facing website, or even going through a skylight after hours.

Here's how to do it with a fake badge and a Facebook profile. The process begins like this:

1.    Scan social networks such as Facebook, Twitter, LinkedIn and Myspace for names of employees and vendors of the company to penetrate. Notate and gather identities.

2.    Create an identity of an employee of the company or vendor and launch a social media profile of that person

3.    Begin to contact each person who is an employee of that company and invite them to be "friends"

4.    Create a "Group" on a site such as Facebook. A group in social networking is a place where people in common gather.

5.    Once friended, invite those same people into the company's Group.

6.    With the intelligence gathered from the Friends and Group determine who works at which facility and what their level of access is, when they go on vacation etc.

7.    Do some onsite intelligence gathering with hidden video to document styles of dress, corporate logos on shirts, badges, get business cards, etc.

8.    Recreate the identity, badge and business card of an employee or vendor who works at or services the company

9.    Posing as the employee or vendor, visit a remote facility to gain inside access to make a delivery, perform a repair, or remove equipment that may contain proprietary data.

This is an example of how vulnerable people make themselves and their corporate networks because of what they post to Facebook. Restricting or eliminating employee social media use is certainly an option. However, the workarounds employees use to regain access can sometimes be even riskier.

  1. Implement policies: Social media is a great platform for connecting with existing and potential clients. However without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network.
  2. Teach effective use: Provide training on proper use and especially on what not to do.
  3. Encourage URL decoding: Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
  4. Limit social networks: In my own research I've found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure.
  5. Train IT personnel: Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
  6. Maintain updated security: Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
  7. Lock down settings: Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
  8. Prevent social media identity theft: Register all your officers, company names and branded products on every social media site you can find to prevent twittersquatting and cybersquatting. You can do this manually or by using a very cost effective service called
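The short URL decoder recommended in step 2 of the consumer tips and in item 3 of the policy list can also be run locally instead of through a third-party service. The following is an added example, not code from the original article or from any of the services it names: it follows a shortened link's redirect chain with HEAD requests (so the destination page, and any file it serves, is never downloaded), caps the number of hops, and stops if the chain loops. The hosts in FAKE_REDIRECTS are constructed, and the MAX_HOPS value is an assumption.

```python
"""Expand a shortened URL by following its redirect chain without loading the
destination page. Added example, not code from the original article."""
import sys
import http.client
from urllib.parse import urlparse, urljoin

MAX_HOPS = 5          # assumption: legitimate shorteners rarely chain past two or three hops
REDIRECT_CODES = {301, 302, 303, 307, 308}


def head_request(url, timeout=5):
    """Issue one HEAD request and return (status, Location header or None).

    HEAD means the response body, which could be a malware download, is never fetched.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only http/https URLs are expanded: %r" % url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path, headers={"User-Agent": "url-expander-example/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand_url(url, fetch=head_request, max_hops=MAX_HOPS):
    """Follow 3xx redirects starting at `url`.

    Returns {"final": last URL reached, "chain": every URL visited, "status": one of
    "resolved" (a non-redirect answer), "loop" (a URL repeated) or "too_many_hops"}.
    `fetch` is injectable so the logic can be exercised offline.
    """
    chain, seen, current = [url], {url}, url
    for _ in range(max_hops):
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return {"final": current, "chain": chain, "status": "resolved"}
        nxt = urljoin(current, location)        # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return {"final": nxt, "chain": chain, "status": "loop"}
        seen.add(nxt)
        current = nxt
    return {"final": current, "chain": chain, "status": "too_many_hops"}


def hosts_crossed(result):
    """Hosts visited along the chain, in order; a 'shortener' that bounces through
    several unrelated hosts before landing deserves extra suspicion."""
    return [urlparse(u).netloc for u in result["chain"]]


# Constructed redirect table standing in for real shorteners (all hosts fictitious).
FAKE_REDIRECTS = {
    "http://sho.rt/abc": (301, "http://tracker.example/go?u=1"),
    "http://tracker.example/go?u=1": (302, "https://login-twitter.example/verify"),
    "https://login-twitter.example/verify": (200, None),
    "http://sho.rt/loop": (301, "http://sho.rt/loop2"),
    "http://sho.rt/loop2": (302, "/loop"),
}


def fake_fetch(url):
    """Offline stand-in for head_request, driven by FAKE_REDIRECTS."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    # With an argument, expand a real URL over the network; otherwise run the constructed demo.
    if len(sys.argv) > 1:
        result = expand_url(sys.argv[1])
    else:
        result = expand_url("http://sho.rt/abc", fetch=fake_fetch)
    print(" -> ".join(result["chain"]), "[%s]" % result["status"])
```

Run it with no arguments to see the constructed chain resolve through a tracking host to a login lookalike; pass a real shortened URL to expand it over the network. Because only HEAD requests are sent, the final page is never rendered and nothing it serves is downloaded, which is the point of decoding the link before deciding whether to click it.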

Social Media Phishing

I've been getting the same "direct message" from several of my Twitter followers. Apparently, their accounts have been hacked, because it's a phishing message that says, "Is this you?" and contains a shortened URL. Twitter phishing means sending tweets or messages that urge the recipient to update an account or visit a spoofed site and enter credentials, which the attacker can then use to carry out a financial transaction.

The Register reports that users who follow these links are invited to submit their login credentials via a counterfeit Twitter login page (Sophos has published a screenshot). In the process they surrender control of their micro-blogging account to hackers, who use the access to send out a fresh round of phishing lures.

In the past, compromised accounts have posted pictures and links to spoofed websites. The new attacks mimic email address book attacks: the compromised account sends direct messages to the user's followers. Twitter only allows direct messages to those who are following you.
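The pattern just described, one lure ("Is this you?" plus a shortened link) arriving from many compromised accounts, is easy to spot in bulk. What follows is an added example, not code from the original article or from Twitter: it groups direct messages by their normalized text and flags a lure when it arrives from several distinct senders and carries a link to a known shortener host. The SHORTENER_HOSTS list is an assumption and the SAMPLE_DMS are constructed.

```python
"""Flag direct-message phishing campaigns: one lure text carrying a shortened
link, arriving from several different accounts. Added example, not code from the
original article."""
import re
from collections import defaultdict

# Assumption: a small list of well-known shortener hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "ow.ly"}
URL_RE = re.compile(r"https?://([^/\s]+)(?:/\S*)?", re.IGNORECASE)
PUNCT_RE = re.compile(r"[^\w\s<>]")


def normalize(text):
    """Reduce a message to its lure: URL replaced by a token, punctuation and case
    dropped, whitespace collapsed, so 'Is this you?' and 'is this you??' group together."""
    without_url = URL_RE.sub("<url>", text)
    return " ".join(PUNCT_RE.sub("", without_url).lower().split())


def shortener_links(text):
    """Return the URLs in `text` whose host is a known shortener."""
    return [m.group(0) for m in URL_RE.finditer(text) if m.group(1).lower() in SHORTENER_HOSTS]


def find_campaigns(messages, min_senders=2):
    """Group messages by normalized lure and report lures sent by >= min_senders accounts.

    `messages` is an iterable of {"sender": ..., "text": ...}. Messages with no shortened
    link are ignored, and one account repeating itself does not count as a campaign.
    """
    groups = defaultdict(lambda: {"senders": set(), "links": set()})
    for msg in messages:
        links = shortener_links(msg["text"])
        if not links:
            continue
        g = groups[normalize(msg["text"])]
        g["senders"].add(msg["sender"])
        g["links"].update(links)
    return [
        {"lure": lure, "senders": sorted(g["senders"]), "links": sorted(g["links"])}
        for lure, g in groups.items()
        if len(g["senders"]) >= min_senders
    ]


# Constructed sample data; senders and short links are fictitious.
SAMPLE_DMS = [
    {"sender": "alice", "text": "Is this you? http://bit.ly/2x9Qk"},
    {"sender": "bob",   "text": "is this you?? http://bit.ly/7HsT1"},
    {"sender": "carol", "text": "Is this you? http://bit.ly/2x9Qk"},
    {"sender": "carol", "text": "Is this you? http://bit.ly/2x9Qk"},   # repeat from one account
    {"sender": "dave",  "text": "Lunch tomorrow? http://bit.ly/abc12"},
    {"sender": "erin",  "text": "Agenda is at https://intranet.example/agenda"},
]

if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_DMS):
        print("lure %r from %d accounts: %s" % (c["lure"], len(c["senders"]), ", ".join(c["senders"])))
        print("  links:", ", ".join(c["links"]))
```

On the sample data only the "Is this you?" lure is reported, from three accounts and two distinct short links; Dave's single message and Erin's intranet link are left alone. The flagged links are exactly the ones to run through a URL decoder, as the article recommends, rather than click, and the affected senders are the accounts whose owners should be told to change their passwords.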

When the unsuspecting victim clicks the link and downloads the promised multimedia file, the result may be a virus that installs a keylogger and/or harvests login details. Criminals know many internet users have the same passwords for multiple accounts.

A recent study shows there are as many as 70,000 variations of these keystroke-sniffing programs, double what was discovered in 2008. Criminals have become proficient at hacking databases containing millions of credit card numbers using this process.

Full access to a person's or a business's bank account gives the criminal hacker more time to transfer funds and write checks to themselves. Scraping user names and passwords for Facebook, Twitter and other social media sites also allows the hacker to spread more spyware to those in the trusted circle, and gives the attacker an opportunity to reach out to the friends or followers of the victims to scam money in many other ways.

Don't just click on any link, no matter where it's coming from. Attackers understand a person is more likely to click a link from someone they know, like and trust. If someone direct messages you requesting that you click something, their account may be under the control of a criminal.

Portions of this article originally appeared in the Bank Fraud IT Security Report. Robert Siciliano, identity theft expert, discussing Facebook hacking on CNN. Robert Siciliano is CEO of a professional speaker and author and can be reached via


McHenry Ruther: Thank you for sharing Identity Theft Protection.

Robert Siciliano: McHenry Ruther, thanks for reading!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
