Social Networking Sites as an Attack Vector

I saw this article over on AccountingWeb about how social networking sites are increasingly becoming vectors for identity theft and other attacks.  Echoing something we have discussed on this blog before, they noted that having a lot of information about yourself online has drawbacks – specifically allowing identity thieves (and CIA) to collect it in support of their identity theft attempts.  Also, social networking sites can host links to malware.

In the article they mention one attack where clicking on a MySpace friend request results in a pop-up window that is supposed to look like a Windows Update window.  I was particularly amused by McAfee’s somewhat silly suggestion “One way to guard against such attacks is to minimize your browser. If the dialogue box disappears, it is probably an impostor.”  Now that is some useful, general purpose online security advice!  If we can’t teach people to look for lock icons when the browser is talking over HTTPS, I don’t think we’ll be able to train them to make decisions based on which windows minimize at various times.

If you recall, more attacks on and via social networking sites was one of my Top 5 predictions for 2008.  Barely a week after that post we’re already seeing some confirmation.  Making predictions is easy!

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

One Response to “Social Networking Sites as an Attack Vector”

  1. SoniaC

    Nice post Dan – Social Networks can certainly be viewed as sitting ducks… With the white labeling frenzy, it sometimes feels like we’re just making it easier.

    There are some interesting security measures that are being developed in the SN space though. Maybe they’ll help counter this issue?
