Disguised as a message from a trusted friend, a clever social engineering attack is almost impossible to spot, writes KARLIN LILLINGTON
THAT SILLY quiz on Facebook looks fun. One of your friends just filled it out, as you can see from a new post to your newsfeed encouraging you to fill it out, too. So you do.
Among the jokey questions you get asked are your mother’s maiden name, the name of your first pet, your childhood nickname, all used to produce a funny result, automatically posted to all of your friends’ newsfeeds. What a laugh!
A few days later you go to an ATM before heading to lunch – and your card pops back out. No money in the account. You’ve just been social engineered on your social network.
Using information posted on your profile and typed into that funny app – your mother’s maiden name was your reminder for retrieving your password on your online banking site, remember? – hackers had no problem cleaning out your bank account.
“The Web 2.0 stuff has presented a problem for some time. It relies on webs of trust as well as links that are shared and data that is shared,” says Kevin Hogan, senior manager at Symantec Security Response in Dublin.
“It’s just the sheer amount of information out there. The reconnaissance that used to need a lot of effort is now much easier for hackers.”
The goal of hackers, he says, is to “social engineer” you into handing over information or clicking on a link that leads to a malware site that might then infect your computer. If they can make a post to your newsfeed look like it came from one of your friends, you are a lot more likely to click on the link, says Symantec’s Internet Security Threat Report, published this week.
Disguised as a message from a trusted friend, a clever social engineering attack is almost impossible to spot, it warns.
The report also notes that many of the links utilise shortened URLs to hide the destination of the link. During a three-month period in 2010, almost two-thirds of malicious links were in shortened form, according to the study. Of these, 73 per cent were clicked on 11 times or more, with just over one-third getting between 11 and 50 clicks, an indication of just how successful this type of social engineering approach is.
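The report's point about shortened links is that the visible URL tells the reader nothing about where it lands. The usual defensive check is to expand the link without loading the page: follow its redirect chain one hop at a time and compare the host that is finally reached with the host that was shown. The following is an added example, not code from the article or from Symantec; it uses Python's standard library, and the `short.example` / `track.example` / `loop.example` addresses and the `FAKE_REDIRECTS` table are constructed stand-ins so the logic runs offline.

```python
"""Reveal where a shortened link actually leads before anyone clicks it.

Added example, not part of the article or of Symantec's report. Redirects
are followed one hop at a time with HEAD requests (no page body fetched),
so the final destination can be reviewed rather than trusted on sight.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so every hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """One network-backed HEAD request: returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # With redirects suppressed urllib raises on 3xx; the headers are still available.
        return e.code, e.headers.get("Location")


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow the redirect chain from url.

    fetch(url) -> (status, location) is injectable so the logic can be run offline.
    Returns the full chain, the final URL, the last status seen, and whether the
    walk stopped early because of a loop or the hop limit.
    """
    chain = [url]
    seen = {url}
    status = None
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return {"chain": chain, "final": chain[-1], "status": status, "truncated": False}
        nxt = urljoin(chain[-1], location)  # Location may be a relative path
        if nxt in seen:  # redirect loop: report it rather than spin
            return {"chain": chain + [nxt], "final": nxt, "status": status, "truncated": True}
        seen.add(nxt)
        chain.append(nxt)
    return {"chain": chain, "final": chain[-1], "status": status, "truncated": True}


def hides_destination(url, fetch=head_location, trusted_hosts=()):
    """True when the link lands on a host other than the one shown and that host is not on the allowlist."""
    result = expand(url, fetch)
    shown = urlparse(url).hostname
    landed = urlparse(result["final"]).hostname
    return shown != landed and landed not in trusted_hosts


# Constructed redirect table standing in for a URL shortener (offline stand-in, not real hosts).
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://track.example/go?id=1"),
    "http://track.example/go?id=1": (302, "/landing"),
    "http://track.example/landing": (200, None),
    "http://loop.example/a": (302, "http://loop.example/b"),
    "http://loop.example/b": (302, "http://loop.example/a"),
}


def fake_fetch(url):
    """Offline replacement for head_location that reads the constructed table."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    r = expand("http://short.example/abc", fake_fetch)
    print(" -> ".join(r["chain"]))
    print("destination hidden:", hides_destination("http://short.example/abc", fake_fetch))
```

Against a live link, call `expand(url)` with the default fetcher; HEAD requests reveal the chain without executing anything the landing page serves, and the loop and hop-limit guards keep a misbehaving shortener from stalling the check.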
Once a user’s computer is compromised, a remote hacker can get access to files, passwords, and silently use the computer to send out spam or conduct attacks on websites. The number of web-based attacks of all sorts was 93 per cent higher in 2010 than in 2009, according to the report.
Out at Symantec’s Rapid Response Centre in Blanchardstown, Orla Cox, chief researcher at Symantec Security Response, demonstrates a Facebook app called Snapper that the company constructed – using fake profiles, of course – that reveals exactly how much information can be retrieved by application developers.
“You can trick a user into installing an app with certain permissions. An app reveals their profile information to the developer, and includes the ability to post to the person’s wall, which will go to all their friends’ newsfeeds. So you can link to a malicious site,” she says.
Legitimate apps use such information to enable users to play games, share quiz results, and so on.
“Even if users have their information locked down [using privacy settings on Facebook], just by tricking them you can get access to all this information. And anyone can create these apps.”
Social network users may also post information about their activities at work, such as software or hardware changes, that enables hackers to better understand which technologies to target during an attack.
Cox says LinkedIn profiles are a potentially rich source for hackers because they provide so much business information and can enable them to send a malicious link in an e-mail that is spoofed to appear as if it comes from a co-worker or business colleague.
A compromised work PC could provide access to sensitive customer information; the average cost to an organisation of such a data breach in the US is $7.2 million.
Symantec has been called in by the FBI to help out with a case where the chief executive of a company found that somebody had faked a user profile for him on LinkedIn. The profile was taken down, and the motive behind it is still not known, but “probably was not good”, says Hogan.
People are hardly likely to abandon their favourite social networking sites due to such threats, but users should keep an eye on the security settings of their profiles and limit who the information is shared with, advises Symantec.
Consider carefully whether to use even an innocuous-looking app, too.
Enterprises need to educate their employees about the risks of posting potentially sensitive information and should have clearly defined and enforced security policies.
But it isn’t only social networking that is an increasing cause for concern. As we grow ever more attached to smartphones, with their complex capabilities and downloadable apps that could hide malicious code, we are opening a new front for hackers to exploit in the future, cautions the Symantec report.
Some may feel this is a case of the boy who cried wolf, given that the same company warned about prospective mobile phone attacks that never actually emerged more than half a decade ago.
Hogan admits that mobile threats seemed to have disappeared by around 2006, and that Symantec wound down its focus on this area. But they are back with a unit that is specifically looking at potential mobile threats, identifying 163 vulnerabilities in mobile operating systems in 2010, compared to 115 in 2009.
“The trigger to get back into this area was the release of Android [Google’s mobile operating system],” says Hogan. Why? “It’s open [source] and it’s free – so we knew there would be a take-up [by hackers]. We watch the business factors.”
The largest threat is “trojans”, tiny malicious programs that are implanted in a user’s handset or computer when, for example, the user downloads a compromised app.
An increasing number of third-party sites offer Android apps, with users having virtually no way of knowing whether the code has been compromised with a trojan.
Hogan says many compromised applications have originated in China, where users have no access to Google’s legitimate Android Market app store, and therefore get all their apps from third-party sites.
Still, it’s not only a third-party risk. Last month, Google said it had removed a number of malicious Android applications from its Android Market and – to many users’ surprise – had even deleted them remotely from users’ phones.
The closed nature of Apple’s iPhone operating system, iOS, and the tighter control of apps, which are only available through the iTunes App Store, have so far enabled Apple to avoid similar issues.
But Hogan thinks it’s only a matter of time before mobile hacking becomes a significant problem, as soon as users are doing a fair amount of financial transactions using mobiles, for example.
“But the threat landscape for smartphones is so immature, we just don’t know how it will pan out.”
As it is, one mobile trojan that Symantec isolated and reverse-engineered, then demonstrated at its response centre, was capable of accessing contacts, remotely ringing another mobile (enabling a hacker to run up charges on a premium phone line in the same way as if they had stolen the phone itself), sending untraceable SMSs that might include a link to a malicious website, and tracking the location of the phone.
Although the threat remains unclear, Android users can now download mobile antivirus software from the Android Market. Even so, smartphone users should stick to legitimate app stores for downloading applications.