Social Phishing Spikes As Spam Declines, IBM Finds

Improved Web application security leads attackers to be creative, reports IBM's X-Force Internet security team.

David Carr

March 23, 2012


IBM's X-Force team reports positive Internet security trends, although an apparent improvement in Web application security has only prompted evildoers and mischief makers to get craftier.

The X-Force Trend and Risk Report for 2011, released Thursday, revealed a 50% decline in spam email compared to 2010, more diligent vendor patching of security vulnerabilities, and fewer Web application vulnerabilities, with half the incidence of cross-site scripting vulnerabilities compared with four years ago.

One attack trend is an increased use of phishing emails that impersonate notifications from social media sites. "The volume of email attributed to phishing was relatively small over the course of 2010 and the first half of 2011, but phishing came back with a vengeance in the second half, reaching volumes that haven't been seen since 2008," according to the report. "Many of these emails impersonate popular social networking sites and mail parcel services, and entice victims to click on links to Web pages that may try to infect their PCs with malware. Some of this activity can also be attributed to advertising click fraud, where spammers use misleading emails to drive traffic to retail websites."

The social media phishing trend caught my attention because I had just embarrassed myself by stumbling across one of those attacks when I met with Tom Cross, X-Force Threat Intelligence Manager, at the South by Southwest conference in Austin earlier this month--more on that after the news.


Cross said the decline in spam detected by IBM's global spam monitoring network reflects takedowns of several large spam botnets. It may or may not last, but, for the time being, that action has made a significant dent in spam volumes, he said.

Overall, Internet security seems to be improving, due to an industry focus on improving the quality of software. IBM saw a 30% decline in new exploit code--widely distributed hacking kits to exploit common software vulnerabilities--presumably because there are fewer new vulnerabilities popping up. Vendors are doing a better job of patching their software promptly when vulnerabilities are discovered. By IBM's count, the percentage of unpatched vulnerabilities declined to 36%, compared with 43% in 2010.

IBM found cross-site scripting (XSS) vulnerabilities--errors that make it possible to redirect user input from one site to another--are half as likely to exist in customers' software as they were four years ago. However, IBM says its security scans still find XSS vulnerabilities in about 40% of applications, "still high for something well understood and able to be addressed," according to the report.

Meanwhile, one variety of code-injection attack is on the wane, but attackers have shifted their attention to another. For years, many attacks on Web applications focused on SQL injection--tricking database-driven websites into executing queries of the attacker's design. For example, a dynamic page for displaying a single user's private account information by ID number might be tricked into substituting a wildcard in the query and displaying everyone's private account information.

The good news is the incidence of SQL injection vulnerabilities in public websites dropped by 46% in 2011. The bad news is that the number of shell command injection attacks rose by two to three times in 2011, according to IBM. A shell command vulnerability exists when a Web application passes a command to the Unix shell or other operating system command line in a way that an attacker can manipulate to execute his own commands.
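The two injection classes described in the preceding paragraphs, each shown as a vulnerable function beside its hardened form. This is an added example, not code from the article or from IBM; the account table, the `echo`-based host check standing in for a real network tool, and all sample values are constructed for illustration.

```python
import re
import sqlite3
import subprocess

# Constructed sample data standing in for the "private account information by ID" page.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance REAL)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [(1, "alice", 120.0), (2, "bob", 55.5), (3, "carol", 9.0)])
    return con

def lookup_vulnerable(con, account_id):
    # The request parameter is pasted into the SQL text, so it can rewrite the WHERE
    # clause (the "wildcard" the article describes) and return every row instead of one.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = " + account_id
    return con.execute(sql).fetchall()

def lookup_safe(con, account_id):
    # Validate the type first, then bind it as a parameter: the driver never treats it as SQL.
    return con.execute("SELECT id, owner, balance FROM accounts WHERE id = ?",
                       (int(account_id),)).fetchall()

def host_check_vulnerable(host):
    # The whole command line is handed to /bin/sh, so shell metacharacters in host
    # run extra commands. echo stands in for a real network tool so this runs offline.
    return subprocess.run("echo checking " + host, shell=True,
                          capture_output=True, text=True).stdout

def host_check_safe(host):
    # Allowlist the input and pass an argv list (no shell), so host is one literal argument.
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", "checking", host],
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))                          # one row, as intended
    print(lookup_vulnerable(db, "2 OR 1=1"))                   # all three rows leak
    print(lookup_safe(db, "2"))                                # one row
    print(host_check_vulnerable("example.com; echo INJECTED"))  # second command runs
    print(host_check_safe("example.com"))                       # single literal argument
```

The vulnerable SQL path returns every account for a manipulated ID while the parameterised one rejects it; the shell path shows why an argv list plus an allowlist, rather than escaping, is the fix.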

Something Phishy This Way Comes

I mentioned experiencing my own social media pratfall, just prior to a meeting with IBM's Cross. The morning I was to meet him and some of his coworkers for breakfast in Austin, I received a Twitter direct message that appeared to come from one of my social media contacts who works at an IT services firm. Just: "Did you see this tweet about you?"--and then a link.

Half-awake and viewing this on my iPhone, I clicked through and was prompted for my Twitter password, which I entered. The Twitter look-alike site I had just visited then dumped me out back at the real Twitter site, which asked me for my password for real. Okay, I was dumb, but not so dumb that I didn't realize what had just happened. Within a few minutes, I had logged in from my laptop and changed my Twitter password. I did the same on a few other social media websites where I used the same password--also a bad habit, I know, but like most people I can only remember so many passwords.

When I confessed all over breakfast, Cross said I had probably acted quickly enough to avoid problems. As long as I didn't find anything odd in my feed or direct messages (as far as I know, no one has been getting appeals to buy herbal Viagra from me), I was probably all right. I'm just lucky whoever designed this attack didn't have a script ready to log into my account and change my password to some random value before I could get to it.

As for sharing a password between accounts, he thought it was good that I at least limited the practice to a class of accounts (for social media sites) rather than also using it for things like Internet banking.

In recent weeks, I've also been on the receiving end of some odd social media spam on Facebook. A woman I know through local politics started tagging me in photos--photos of women's shoes. At first, I thought she was caught up in some odd social media marketing scheme, abusing the photo tagging notification system (in a way I've seen some other folks do) to draw attention to an image and associated message, regardless of whether I was actually in the photo. But as I saw the complaints piling up on her Facebook wall, and still nothing changed, it dawned on me that her account had been taken over by a bot (or something). She later confirmed to me that she had lost control over her account and had been unable to navigate Facebook's self-service processes for resetting her password.

I hate to reveal myself as being so dense, in both instances, but it's just the truth. Despite my misadventures, Cross said he doesn't see social media communication as a particularly hazardous attack vector compared with email and other Web-based attacks.

"I don't think it stands out" as a method of spreading malicious software, Cross said. To an attacker, "social media is interesting in that you have a lot of people that are interconnected and ways to spread things between them--but for no other reason."

The advent of single sign-on authentication through social media accounts may even be a good thing, in terms of overall Internet security, to the extent that it's easier for a small number of big Internet firms like Facebook, Twitter, and Google to implement strong account and authentication systems, Cross said.

People do get phishing and social engineering messages through LinkedIn, Twitter, and Facebook, but what's dangerous is not so much the medium as the information we reveal through it. The answers to the password reset questions we provided to the bank may be out there in our Facebook news feed for someone enterprising enough to sift through it.

This is particularly an issue for executives who may be the targets of advanced persistent threats, where an attacker is willing to study an individual and craft highly targeted phishing emails. The sufficiently motivated attacker can use all sorts of social engineering techniques to impersonate a real business contact or manipulate the victim into entering his or her password into a faux business website. I thought immediately of a Defense Intelligence Agency presentation on social media risks I reported on a few years ago, where the DIA's concern was that defense employees and contractors were giving away too much information about the people and projects they were working on--particularly for the adversary willing to take the time to build a dossier from social media and other data.

Ryan Berg, an IBM cloud security strategy leader who joined us for breakfast, noted that even when social media isn't the main avenue of attack, it can provide an opening for "second-order attacks." For example, the victim might receive one of those "I'm stranded in London, please send money" messages from a friend's email. To determine whether that's for real, the victim turns to Facebook, where--sure enough--there are a bunch of recent posts seeming to indicate the friend has been traveling in London. Maybe the two even connect through Facebook chat. Yet all of this activity is coming from an imposter who, once gaining control of the email account, had the access required to also break into the friend's Facebook account as well.

"We see that fairly often, where people pivot from access to the email account to access to other services," Cross said. If there's one password you should guard carefully and make extra-hard to guess, it's your email password.

In contrast to the Twitter direct message I received, or some of the crude email spam ploys we all receive, a chief financial officer or other key executive may receive phishing emails that don't contain any obvious tip-off to their fraudulent nature. "Sometimes we see things that are very reasonable-looking, because the individual is targeted by people who really know what they're doing," he said.

Automated scans are unlikely to catch those ploys. If a piece of malware is attached, it's likely to have been run through all the popular antivirus programs ahead of time to make sure it will pass through undetected, Cross said. User education is really the best protection, he said. The key is to avoid treating it as a routine compliance activity, where the training will put people to sleep. Top executives and other personnel with access to sensitive data might need one-on-one training, if that's the best way to catch their attention.

While user vigilance may never be perfect, heightened awareness can be the best early warning system, Cross said. If users are paying enough attention to forward you an email they received that they suspect might be a phishing attack, "that could be a foothold--that could be the thread you use to unravel a whole bunch of stuff you wouldn't have known about otherwise," he said.


About the Author(s)

David Carr

Editor, InformationWeek Healthcare and InformationWeek Government (columnist on social business)
