2009: The Year of the Social Media Hack
In the fall of 2009, something curious happened to Shanon Murray’s Facebook account.
Judging from her status updates on the popular social networking site, Murray, a public relations professional based in Washington, D.C., had been mugged in London and was now being held hostage. Terrified, she was sending distressed messages to friends and family via her Facebook account.
Naturally, those who viewed Murray’s messages were concerned — but only for a moment. That’s because Murray’s account, it turned out, had been hacked.
“When I pull up Facebook, I can actually see the hacker messaging all my contacts. And I’m like, ‘Hey, everyone, not only am I safe but I’m not in London. I’m being hacked,'” Murray recalled.
This year, these types of attacks became more common among users of social networking sites such as Facebook, MySpace and the micro-blogging site Twitter.
“One of the biggest threats from social media sites is hackers getting users to click links that they don’t know and might not trust,” said Corey Thomas, vice president of products and operations for IT security firm Rapid7. “The threat to businesses is that a hacker has the same access to a company system as the employee who has been hacked.”
The use of social media grew exponentially in 2009; based on data from Cisco’s 2009 security report released in December (PDF), more than 2 percent of all Web traffic for businesses comes from employees accessing social networking sites.
While social networking has opened new possibilities for communicating over the Internet, it also gives hackers more vectors through which to attack.
Murray, who uses Internet Explorer to access Facebook, got hacked while she was logged in at an office workstation with her Facebook window open. She said Facebook investigated her incident but still doesn’t know how it happened.
However, Cisco’s report gives some clues. It suggested that most Web-based attacks, particularly those on social networking sites, are not due to vulnerabilities in browsers or the applications they run. Usually, the trouble comes when users develop a tendency to trust communications from friends.
“More commonly, these threats originate from individuals who place an unwarranted amount of ‘transitive trust’ in the safety of these communities,” the report said.
Experts say the most frequent causes of social networking hacks are spoofing and phishing. Both of these methods rely mostly on users clicking Web links or logging in via fake Web sites.
Spoofing is the more pervasive of the two. It involves hackers sending phony alerts or messages supposedly from friends (or, in the case of Twitter, followers). But once a user opens them, there’s a possibility of being re-routed to malicious sites or triggering automated viruses or remote code execution, which gives a hacker control of a user’s browsing session. Worst-case scenario: Hackers could release intelligent worms onto a user’s system that search profiles and send messages to all contacts.
Phishing, meanwhile, usually uses more innocuous-seeming bait. Examples include Murray’s Facebook messages, a “video of you” from a friend or an error message from a social networking site that requires the user’s action. With phishing, users are lured into clicking on a spoofed link or page (often designed to look like the homepage of a trusted Web site, like Facebook) where unwitting users enter log-in information or click on page links from people they know — or think they know.
Links are becoming an important component of social networking security. Recently, the heavy use of condensed Web addresses (such as those from TinyURL and bit.ly) to post on Twitter and Facebook has made it easier to surf but nearly impossible to identify the links’ domain or origin. This increases the chances of clicking on a spoofed or malicious link.
“Whether it’s ‘TinyURL’ or ‘bit.ly’ technology, users are getting into the habit of clicking links that they don’t know or trust,” Thomas said. “This makes it much easier for a hacker to hijack the target’s system.”
As it continues to grow in popularity, social media will also increasingly become a staging ground for hackers. This presents a range of challenges for businesses with employees who have accounts on one or more social networking sites.
Ideally, users at the office wouldn’t use social media when they should be working. “A little common sense on the part of users won’t hurt either,” Thomas said. “Although there is no perfect solution, there are best practices, which include training users on what to click on and what not to click on.”