Spammers Scan Social Networks to Research Targeted Attacks

Social networks provide spammers with plenty of opportunities to scam
users in new and more effective ways, a security expert said.

Social networks have become ubiquitous, with over 500 million users on
Facebook, 100 million on LinkedIn, and a reported 200 million users on Twitter.
Google claimed it had 10 million users on its Google+ social network within the
first two weeks of its limited launch. That’s just the tip of the iceberg as
there are plenty of smaller social networking sites targeting niche users.

All spammers need is a list of e-mail addresses of their victims to
launch a campaign. While these lists can be bought “for a pittance”
from other criminals or from businesses that sell “leads” and other
contact information, a scammer can easily create one based on information
harvested from social networks, Asaf Greiner, vice president of products at
Commtouch, told eWEEK.

“Suddenly
e-mail addresses don’t need to be scraped from newsgroups, or guessed through
brute force; they are all around you, on LinkedIn, Facebook, Twitter, and so
on,” Greiner said.

The mass
invitation tool often used by these sites to find out if the user’s friends and
acquaintances are already on the network is “a gift” for scammers. By
creating a contact list of guessed or otherwise obtained e-mail addresses, the
miscreant can find out if any of those addresses correspond with a legitimate
user on the network. Depending on the privacy preferences, the site may also
provide photos and additional personal information. Within seconds, this
feature “qualifies” a list of random e-mail addresses by identifying
real users.

With users
sharing more and more details of their personal lives online, it is possible
for scammers to create highly targeted lists based on user demographics,
preferences and even socio-economic status. Scammers gain a fairly
comprehensive view of their victims’ online and offline habits just be looking
at places they “check in” on geo-tagging services such as Foursquare,
the kind of products and businesses they “like” on Facebook, and the
kind of jobs they’ve had on LinkedIn, according to Greiner. All this knowledge
is then used to design a spam campaign that will be more effective in getting
the victim to click on a link or open an attachment.

More than 24
million Americans on social networking sites keep their online profiles mostly
public, letting anyone see their personal details, ID Analytics found in a study released this
spring. People tend to think of the various networks as separate siloes, such
as career-related information on LinkedIn and home details on Facebook, and
book preferences on Good Reads. They don’t realize that it’s easy for a
malicious person to correlate all the information across sites, especially if
the user is using the same e-mail address to create all the accounts, Thomas
Oscherwitz, chief privacy officer for ID Analytics, told eWEEK.

Harvesting
personal information, such as the employer, name of family members, the restaurants
they visit, may sound like a tedious job to do manually. However, a number of
“off-the-shelf gray-market” software automates this process by cross-referencing
the data across multiple sites, according to Greiner.

It is fairly
straightforward to create “a comprehensive dossier on just about any
user,” Greiner said.

Cyber-criminals
are increasingly moving away from mass attacks because of low conversion rates,
according to a recent report from Cisco Security Intelligence Operations. Even though more upfront research is
required for targeted spear phishing attacks, the Cisco reported suggested
success rates as high as 70 percent. Even though they are lower-volume attacks,
spammers find the additional research results in a more profitable campaign,
the report found.

The research
makes it easier to create targeted messages that are highly personalized to the
victim, making the rate of success even more likely. An e-mail message could
begin with “It was great running into you at the podiatrist’s
convention–here is that article I mentioned to you.” The profession is
available on LinkedIn and the victim may have mentioned the conference on Twitter.
The e-mail has the victim’s name and professional or personal information,
which helps establish its “credibility,” Greiner said.

After meeting
“so many people during that short time a few names may have been missed,
and someone certainly offered to send him an article… wouldn’t you click if it
were you?” Greiner said. The “article” may result in the user
being scammed a few dollars or having malware downloaded onto the machine that
wreaks even more havoc.

Telling
people to use common sense when opening e-mails and clicking on links alone is
not enough, Greiner said. Companies to make sure users are being safe at the
office and at home by running updated security tools, patching software and
being vigilant about Internet security at the company site, on the road, and at
home, he said.

Share and Enjoy