This presentation explains the nature of social media threats and the risks they pose to individuals and schools.
Beware! Some of the information is pretty scary!
In this session we’re going to look at:
- What is social media?
- Risks associated with social media
- How the threats work
- Social media spam
- Social media phishing
- Social media malware
- How to use social media safely
Social media is a growing part of today’s world. Also called social networking, it gives you an easy way to stay in touch with friends and family, and also make contact with people who share similar interests and activities.
Social media sites include Facebook, LinkedIn, YouTube, MySpace, Twitter, Bebo and Friendster … although there are many others out there too.
Over the last few years we’ve seen massive growth in the use of social media – a Cisco survey in 2009 revealed that almost 2% of online clicks are on social networking sites, with two thirds of these being on Facebook.
Many people use social media for work purposes:
- connect with customers and promote their products
- make new work contacts
- research subjects
Presentation suggestion: Ask everyone who uses a social networking site to put their hand up – or if more effective, put their hands up if they don’t. This will give an indication of the extent to which your audience uses social media.
For those who are not familiar with social media, here are a few key facts.
- It allows users to become a member of an online community
- Key features are “Profiles” and “Friend lists”
- The most commonly used social network is still Facebook
- 2009 saw the rapid emergence of Twitter – which is now taking the world by storm
- Also called social networking
Significantly, social networking sites are now more popular than web-based email.
Generally the threats can be split into two camps:
- Information volunteered by users – either deliberately or inadvertently
- Social networking attacks
Let’s now look at these two aspects in more detail
The first type of threat, information from users, is by far the simpler – because it’s all about an individual’s direct actions.
Revealing sensitive information on a social networking site is a big threat. Examples of the type of information include:
- confidential sales figures – which are gold dust to the competition
- negative comments about colleagues – which can be intimidating and bullying
- industry secrets – which destroy the organisation’s competitive advantage
- personally identifiable information on customers – which has data protection implications
This information can be made public both deliberately – such as a revenge attack – or, most commonly, inadvertently. Often lax privacy settings mean that when you think you’re sharing information with just a select group of people it is actually visible to wider groups, including complete strangers.
By their nature social networking sites want to encourage sharing and openness, and this is reflected in the default settings. However, from a security perspective this is a dangerous approach and opens up a huge security hole.
The end result can be damaged reputations – both for the individual and their organisation. It can also be wider damage to the organisation such as through lost business, or fines from regulators.
The other element, social networking attacks, is much more complex as it’s now become real big business. We’re going to spend a bit of time looking at the motivation for these attacks and how they work in practice.
Back in the days when computers were in their infancy, most hackers just wanted to show off skill and knowledge.
Cybercrime has now evolved into organised criminal activity, with the lure of large amounts of money. A whole economy has sprung up around the abuse of other people’s computers and their data.
And as the digital generation continues to embrace social media for personal and work or study purposes, hackers are targeting social networking sites with their financially-motivated attacks.
When personal glory was the goal, attacks were invariably highly visible so the hackers could show off their achievements. However, now that the main motivation is financial, the threats are often silent and hidden – the hackers don’t want you to find out, as this would hamper their activities.
Social networking accounts are valuable to hackers
They can use them to send spam, spread malware, steal identities…
… and their end goal is usually to steal data in order to make money
The end-goal for most hackers is to get personal data. Because personal data = money.
Once they’ve got the data there are many ways criminals can use it to make money. For example, they can:
- Steal your money directly, e.g. use your details to access your bank accounts or purchase items using your funds
- Sell your data so others can steal your money (as above)
- Trick your friends and family into supplying personal data in order to steal their money, e.g. the criminals pretend that they are you and get those close to you to hand over sensitive information like their bank account details
- Sell your identity so other criminals can pretend to be you – and then incur financial and legal liabilities in your name
- Use your accounts to spread spam, malware and more data theft scams!
- Sell your organisation’s data or sensitive information
- Blackmail individuals and organisations – this is particularly pertinent for organisations when customer lists or industry secrets can be held to ransom
Social media threats split into three main categories:
- Spam – unsolicited commercial emails, the electronic equivalent of the junk mail that comes through your letter box.
- Phishing – criminals trying to trick people into revealing sensitive information.
- Malware – malicious software, including viruses, Trojans, worms and other threats. Many people say “computer viruses” when in fact they are referring to a range of different malware. We are going to use the term malware in this presentation as it represents the full range of malicious software threats.
Let’s take a look at spam …
Here is an example of spam on a social network
In this case it’s Twitter
See the spam in the top left? That claims to be offering a $500 gift card for Victoria’s Secret, the sexy lingerie store.
In fact, if you click on the link you get taken to a “make money rich site” from a “crazy internet multimillionaire”, and he doesn’t look that sexy.
On this page is spam which tries to con you out of money – by tricking you into believing you are getting a job with Google (the link takes you to a fake news page)
This spam promotes a website which claims it will help you add more followers on Twitter. Of course, you shouldn’t follow the links and provide your username and password – as they could then exploit your account to send spam or steal identity information.
Criminals are very persistent and if one criminal website gets shut down they just create another one – in less than a week in 2009 this particular campaign created more than half a dozen sites:
Spammers are getting clever. In this example they realised that Twitter might spot it if they included their spam in profiles or messages, so instead they put their spam INSIDE their profile picture.
In this case, sexy photos were used (the real photo was MUCH worse than this example here … I’m sure you’ll be disappointed to know!). The objective was to trick people into having a Hotmail conversation which would ultimately lead to an adult webcam site.
Facebook is not immune to spam either.
Here a Facebook account has been compromised. As you can see, the spammers have posted a message on this poor victim’s wall to promote their dodgy pharmaceuticals. They hope that visitors to the wall will read about the pills, believe that the victim (who the visitors trust) is actually endorsing the pills, and then click on through to make a purchase.
Suggested question: Ask who in the audience has been a victim of social networking spam.
In 2009 there was a massive increase in social networking spam, with now over half of all users being hit through these services.
Now let’s turn our attention to phishing …
With phishing, criminals are trawling the web, trying to hook unwitting victims for their attacks. Their aim is to get people to reveal sensitive information.
In this example, we can see a number of tweets encouraging people to click on a link.
However let’s see what happens if you do as they suggest …
Clicking on these Tweets took you to tvvitter.com
Note that’s T.V.V.I.T.T.E.R dot com, not TWITTER.COM
The site pretended to be Twitter in order to steal usernames and passwords.
As you can see, phishers are cunning and the fake site looks professional. The fact that the site looks so professional is another indicator of the financial motivation behind the scams – it’s worth them spending money on a high quality site as they will reap the rewards afterwards.
This is a Facebook phishing page
If you check the url you can see it’s not the real Facebook address. Criminals have created this site to trick Facebook users into providing their email and password, thinking that it’s the legitimate site.
Once they’ve got your details they can then use them to access and exploit your real Facebook account.
Phishing is also on the increase – in fact almost a third of social networking users report phishing attacks via the sites. And as social media use grows, we can expect the phishing attacks to increase also.
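The tvvitter.com and fake-Facebook examples above both hinge on reading the hostname in the address bar carefully. As an added example (not from the original presentation), here is a small Python checker that a defender could run over links harvested from messages or wall posts to flag hostnames that merely look like a known brand. The legitimate-domain list, the table of confusable character pairs and the sample links are constructed for illustration, and the registrable-domain extraction is deliberately crude (last two labels), so a real deployment would swap in the public suffix list.

```python
"""Flag lookalike (typosquatted or homoglyph) hostnames in links.

Added example for this presentation; not part of the original slides.
The legitimate-domain list, confusable table and sample links below are
constructed assumptions for illustration.
"""
from urllib.parse import urlsplit

# Domains we expect a social-media link to point at (constructed sample list).
LEGITIMATE_DOMAINS = {"twitter.com", "facebook.com", "linkedin.com"}

# Character sequences that look like another character on screen. They are
# applied to a suspicious hostname before comparison, so that "tvvitter.com"
# normalises to "twitter.com".
CONFUSABLES = [
    ("vv", "w"),
    ("rn", "m"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def hostname_of(url: str) -> str:
    """Return the lower-case hostname, adding a scheme if the link lacks one."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Crude registrable-domain extraction: the last two labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise_confusables(name: str) -> str:
    """Replace lookalike sequences with the character they imitate."""
    for lookalike, real in CONFUSABLES:
        name = name.replace(lookalike, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, legitimate=LEGITIMATE_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for a link."""
    host = hostname_of(url)
    if not host:
        return "unknown"
    domain = registered_domain(host)
    if domain in legitimate:
        return "legitimate"
    # A real brand used as a subdomain label, e.g. facebook.com.login-example.test
    for legit in legitimate:
        if host.startswith(legit + ".") or ("." + legit + ".") in host:
            return "lookalike"
    # Homoglyph substitution (tvvitter -> twitter) or a near-miss spelling.
    brand = domain.rpartition(".")[0]
    for legit in legitimate:
        legit_brand = legit.rpartition(".")[0]
        if normalise_confusables(brand) == legit_brand:
            return "lookalike"
        if len(legit_brand) > 4 and edit_distance(brand, legit_brand) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the tvvitter.com case from the talk.
    for link in ["https://twitter.com/home", "http://tvvitter.com/login",
                 "http://facebook.com.login-example.test/", "https://example.com"]:
        print(f"{link:45} -> {classify_link(link)}")
```

The check is intentionally conservative: it only reports a lookalike when the hostname normalises to, or sits one edit away from, a brand on the allow-list, so an unrelated site comes back as "unknown" rather than being wrongly accused. Short brands are excluded from the edit-distance test because a single-character difference is too weak a signal for them.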
And now it’s the turn of malware …
Malware, or malicious software, can have a range of effects, from displaying irritating messages on screen, stealing data or enabling others to take control of your computer.
In a quest to infect people’s computers with their malware, in this example criminals have created bogus accounts on sites like LinkedIn. Here are two celebrity profiles, however their links point to dangerous websites. Clicking on the links takes you through to sites where you can be infected with malware.
In this example, spammed-out emails claim to point to Facebook. Clicking on the link actually takes you to a page which pretends to host a “sexy” video of a model dancing. However, rather than giving you a video, the page actually delivers malware which can infect your computer.
In this example we have a Koobface message, and clicking on the link leads to a “funny” image. However, with Koobface all is not as it seems …
Koobface is very sophisticated malware. It can create bogus accounts, verify them via Gmail, randomly choose friends and post messages to their walls… pointing (typically) to a malicious video page
There were many versions of the Mikeyy Mooney worm which spread extremely rapidly across Twitter in 2009. Once this worm infected a user’s account it altered their profile to reference Mikeyy.
Incidentally there was a lot of controversy over this worm as it emerged that the original Mikeyy Mooney, the 17 year-old hacker who admitted writing the original attacks, had been offered a job in web applications development. Although the original Mikeyy Mooney was not responsible for subsequent outbreaks, he did open the door to other copycat attacks – behaviour which shouldn’t be rewarded.
We’ve seen the risks from social media and how they work. Now let’s turn our attention to how to use social media safely.
You don’t have to stop using it! The important thing to remember is to follow these simple safety guidelines so you and your organisation stay secure.
KNOW THE RULES - check your organisation’s policy on social networking. Make sure you stick within your organisation’s rules.
USE SECURE PASSWORDS - minimum 14 characters including non-letters. The onus is on you to ensure the hackers can’t crack your passwords and access all the valuable information they hide.
CHECK THE DEFAULT SETTINGS - don’t provide personal information by default. By their nature social networking sites want to encourage sharing and interaction, so often the default settings leave you open to strangers accessing your information. Make sure you check the defaults and, where necessary, update yours to make them more secure.
BE PICTURE PRUDENT - think before posting images that might cause embarrassment to either you or your organisation. Although the photo might be funny, do you really want everyone to see it!
BEWARE OF BIG BROTHER - assume everyone can read your posts, including hackers! Always play safe and work on the assumption that your posts are not secure, so only share information you are happy to be in the public sphere.
SECURE YOUR COMPUTERS - use up-to-date security software and firewalls. Malware is a serious threat through social media and it’s essential to make sure any computer you use is protected against viruses, Trojans and other malware threats.
THINK BEFORE YOU CLICK - if the email looks dodgy it probably is. Resist the urge to automatically click on a link. Check before you click – does it look legitimate, and is it realistic that the person who appears to have sent it really did?
STRANGER DANGER - beware of unsolicited invitations from spammers. Responding to a spam email confirms to the spammer that your email address is live, and therefore can be sold on to other cyber criminals. If you are unsure about the sender, think before you click or respond.
To sum up, financially-motivated criminals are increasingly using social media sites to steal identities, spread malware and send spam.
Although social networks are getting better at protecting users against these threats – there’s still a long way to go.
The onus is on YOU to use social media sites safely – follow the top tips for staying secure.
Social media has arrived
Social networking sites are now more popular than web-based email
Social media – key features
• Allows users to become a member of an online community
• Key features are “Profiles” and “Friend lists”
• The most commonly used social network is still Facebook
• 2009 saw the rapid emergence of Twitter
• Also called social networking
Two main types of threat
Users publishing information
• Reveal sensitive information
• Defamation of others/school system
This can be inadvertent or deliberate
And the repercussions include:
• Reputation damage
Social networking attacks
Social networking accounts are valuable to hackers
They can use them to send spam, spread malware, steal identities...
… in the quest to acquire personal information for financial gain
Data = $$$
• Steal your money directly
• Sell your data
• Trick your friends and family into supplying personal data
• Sell your identity
• Use your accounts to spread spam, malware and more data theft scams!
• Sell your school’s data or sensitive information
• Blackmail individuals and organizations
Top tips for staying secure
• KNOW THE RULES - check your organization’s policy on social networking
• USE SECURE PASSWORDS - minimum 14 characters including non-letters
• CHECK THE DEFAULT SETTINGS - don’t provide personal information by default
• BE PICTURE PRUDENT - think before posting images that might cause embarrassment
• BEWARE OF BIG BROTHER - assume everyone can read your posts, including hackers!
• SECURE YOUR COMPUTERS - use up-to-date security software and firewalls
• THINK BEFORE YOU CLICK - if the email looks dodgy it probably is
• STRANGER DANGER - beware of unsolicited invitations from spammers
• Financially-motivated criminals are increasingly using social media sites to steal identities, spread malware and send spam
• Social networks are getting better at protecting users against these threats – but there’s a long way to go
• The onus is on YOU to use social media sites safely – follow the top tips for staying secure