First published: 12th August 2009
The hugely popular social networking sites like Facebook and Twitter have become attractive targets for phishing and scamming attacks as online criminals follow the latest Internet trends that are attracting the most users.
The latest criminal action against social networking sites including Facebook and Twitter was reported by the F-Secure Response Lab on Friday. Pro-Georgia blogger Cyxymu’s accounts were targeted by a widespread DDoS (distributed denial of service) attack, causing millions of users of Facebook and Twitter to experience problems with the sites slowing down or being completely offline on Friday.
F-Secure advises that separate passwords for e-mail and social networking are an essential precaution.
Mikko Hyppönen, Chief Research Officer at F-Secure says: “Although this attack was targeted at a specific person, it affected the whole community. We may never know who was behind the Cyxymu attack, however they had access to significant bandwidth.” However, other commentators have cast doubt on whether Cyxymu was the target, Rob Rosenberger of VMyths tweeted, '@Cyxymu speculated Russia ordered Twitter/FB attacks ... and the media reported it as a "fact."'.
Nevertheless, communication through Facebook is all about personal connections and communities of friends. It involves a high level of trust. When you receive a message on your Wall from one of your Facebook friends, it’s very different to receiving an anonymous e-mail or spam message. It is precisely this trusted environment – and the 250 million users – that makes Facebook such a tempting target for criminals. Phishing and financial scams are based on creating a false sense of trust with the target of the attack, enabling the criminals to gain access to valuable information or direct financial gain.
Sean Sullivan, Security Advisor at F-Secure says: “Weak passwords provide a common way for criminals to hack into social networking sites. Their aim is to harvest contact lists, phone numbers and other information which they can sell to spammers or use in targeted attacks to make money.”
The damage caused by a hacked Facebook account is all the greater if the same password is also used for the user’s e-mail account. This means the criminals can easily reset all the user’s online passwords, get information about banking details and find answers to security challenge questions. Sometimes the answers to personal security questions, for example middle names, house addresses and pets’ names, can even be found directly on Facebook.
“As the Facebook user name consists of an e-mail address, it is essential that different passwords are used for logging into personal e-mail accounts and for logging into Facebook and other social networking sites. It’s also a good idea to have different primary e-mail, business e-mail, social network e-mail accounts,” Sullivan advises.
This year there has been a series of bogus messages on Facebook from “friends” asking for financial help. Facebook users should always treat such requests with caution and make a thorough identity check before sending any money, even when the messages appear to come from a family member or other trusted person.
“There is also a positive security aspect to the social networking sites. Unlike classic e-mail scams like chain letters which can run for years, the wisdom of the networked Facebook crowd means that users can quickly become aware of the latest security threats. The community is good for publicizing useful security information and for taking rapid self-corrective action against security vulnerabilities,” says Sullivan.
F-Secure's Tips for safer social networking
- ALWAYS have separate and secure passwords for your e-mail and social networking sites.
- If you become aware of a Facebook security problem, post about it on your Wall so the community can take preventive action.
- Pick your friends wisely and have a security guru among your friends!
- If you are on Facebook, Fan the “F-Secure” page to get the latest news