• 03/23/2012
    6:14 PM
  • Rating: 
    0 votes
    Vote up!
    Vote down!

Social Phishing Spikes As Spam Declines, IBM Finds

Improved Web application security leads attackers to be creative, reports IBM's X-Force Internet security team.

I hate to reveal myself as being so dense, in both instances, but it's just the truth. Despite my misadventures, Cross said he doesn't see social media communication as a particularly hazardous attack vector compared with email and other Web-based attacks.

"I don't think it stands out" as a method of spreading malicious software, Cross said. To an attacker, "social media is interesting in that you have a lot of people that are interconnected and ways to spread things between them--but for no other reason."

The advent of single sign-on authentication through social media accounts may even be a good thing, in terms of overall Internet security, to the extent that it's easier for a small number of big Internet firms like Facebook, Twitter, and Google to implement strong account and authentication systems, Cross said.

People do get phishing and social engineering messages through LinkedIn, Twitter, and Facebook, but what's dangerous is not so much the medium as the information we reveal through it. The answers to the password reset questions we provided to the bank may be out there in our Facebook news feed for someone enterprising enough to sift through it.

This is particularly an issue for executives who may be the targets of advanced persistent threats, where an attacker is willing to study an individual and craft highly targeted phishing emails. The sufficiently motivated attacker can use all sorts of social engineering techniques to impersonate a real business contact or manipulate the victim into entering his or her password into a faux business website. I thought immediately of a Defense Intelligence Agency presentation on social media risks I reported on a few years ago, where the DIA's concern was that defense employees and contractors were giving away too information about the people and projects they were working on--particularly for the adversary willing to take the time to build a dossier from social media and other data.

Ryan Berg, an IBM cloud security strategy leader who joined us for breakfast, noted that even when social media isn't the main avenue of attack, it can provide an opening for "second-order attacks." For example, the victim might receive one of those "I'm stranded in London, please send money" messages from a friend's email. To determine whether that's for real, the victim turns to Facebook, where--sure enough--there are a bunch of recent posts seeming to indicate the friend has been traveling in London. Maybe the two even connect through Facebook chat. Yet all of this activity is coming from an imposter who, once gaining control of the email account, had the access required to also break into the friend's Facebook account as well.

"We see that fairly often, where people pivot from access to the email account to access to other services," Cross said. If there's one password you should guard carefully and make extra-hard to guess, it's your email password.

In contrast to the Twitter direct message I received, or some of the crude email spam ploys we all receive, a chief financial officer or other key executive may receive phishing emails that don't contain any obvious tip-off to their fraudulent nature. "Sometimes we see things that are very reasonable-looking, because the individual is targeted by people who really know what they're doing," he said.

Automated scans are unlikely to catch those ploys. If a piece of malware is attached, it's likely to have been run through all the popular antivirus programs ahead of time to make sure it will pass through undetected, Cross said. User education is really the best protection, he said. They key is to avoid treating it as a routine compliance activity, where the training will put people to sleep. Top executives and other personnel with access to sensitive data might need one-on-one training, if that's the best way to catch their attention.

While user vigilance may never be perfect, heightened awareness can be the best early warning system, Cross said. If users are paying enough attention to forward you an email they received that they suspect might be a phishing attack, "that could be a foothold--that could be the thread you use to unravel a whole bunch of stuff you wouldn't have known about otherwise," he said.

Follow David F. Carr on Twitter @davidfcarr. The BrainYard is @thebyard and

The Enterprise 2.0 Conference brings together industry thought leaders to explore the latest innovations in enterprise social software, analytics, and big data tools and technologies. Learn how your business can harness these tools to improve internal business processes and create operational efficiencies. It happens in Boston, June 18-21. Register today!

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.