The newest battleground for malware attacks? Facebook and Twitter. And, according to the experts, it’s one of the most productive for the attackers. Why? Well, people can’t help but click social links.
Last December, the anti-virus firm Sophos reported that 40% of social network users had encountered malicious attacks. Despite Facebook’s demurrals (“Despite constant attacks, our data shows that the vast majority of people on Facebook have never experienced a security issue on the site,” counters Facebook spokesman Frederic Wolens), another network security company has demonstrated how easy it is to spread malware through social networks with a recent experiment. Employees of the firm, Dasient, set up accounts at 11 different social networks and posted links to malware sites. And the result? Only two of the networks blocked links to sites already on Google’s list of known “poisoned” websites. In a feat of understatement, Dasient’s CTO Neil Daswani said “The social networks we tested have some work to do on their malware countermeasures.”
Of course, Google can’t be expected to save people from malware all on its own. As Gunter Ollman, research VP at security company Damballa, says, “Bypassing Google’s safe browsing list and similar technologies is trivial. While public awareness of the threat has been increasing, the capabilities of the attackers have been increasing at an even faster rate.” It doesn’t help that we apparently make it easy for them; Anup Ghosh, chief scientist at security firm Invincea, says that “the faith users put into social networks is providing an enormous universe of opportunity for nefarious actors.”
On that note, here are a few security tips to keep in mind while using Facebook or Twitter:
- Know who your friends are, and be skeptical if they post a link to something that seems out-of-character (say, an outrageous celebrity video posted by your 80 year-old uncle).
- If you’re about to install a Facebook app, check the URL bar at the top of your browser. If you’re at a website other than facebook.com, that’s a bad sign, and a look-alike address such as facebook.com.something-else.net is not facebook.com. If the app is asking for your e-mail and password, that’s even worse: a real Facebook app never needs your password.
- When someone posts a shortened URL on Twitter, the short link hides the real destination. Hover the mouse over it to see the expanded link, and only click if the destination is somewhere you’d actually want to go.
- Beware of links accompanied by vague direct messages, along the lines of “hey, check this out!” If the message contains nothing specific to you or to the person supposedly sending it, it may well have been generated by a compromised account rather than by your friend.
- When a Facebook status update comes from a third-party source, such as Tweetdeck, it’ll say so underneath the update, and you can use this signifier to sniff out malicious activity as well. For instance, Facebook’s “dislike” scam spread last year through bogus status updates, but eagle-eyed users would have noticed “via The Official Dislike Button” under those updates and stayed far, far away.
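Two of the tips above (is this really facebook.com, and where does a shortened link actually lead) can be checked mechanically rather than by eye. The following is an added example written for this article, not code from Facebook, Twitter, or any of the firms quoted; it uses only Python’s standard library. The short-URL chain and the example.com-style domains it resolves are constructed inputs, and the `head` callback is an assumed interface so the redirect-following logic can be exercised without network access.

```python
"""Mechanical versions of two of the tips: origin check and short-link expansion."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

TRUSTED_DOMAIN = "facebook.com"
REDIRECT_CODES = (301, 302, 303, 307, 308)


def is_facebook_origin(url: str) -> bool:
    """True only if the URL's host is facebook.com or a subdomain of it.

    Rejects the usual phishing tricks: non-http schemes (javascript:, data:),
    a trusted name used as a *prefix* (facebook.com.evil.example), and a
    trusted name smuggled into the userinfo part (https://facebook.com@evil.example/).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname already drops userinfo and the port, and lower-cases the name.
    host = (parts.hostname or "").rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def expand_short_url(url: str, head, max_hops: int = 10) -> list:
    """Follow redirects one hop at a time and return the full chain of URLs.

    `head(url)` must return (status_code, location_header_or_None); it is
    injected so the logic can run against a constructed chain offline.
    Stops at the first non-redirect response and refuses to loop forever.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        next_url = urljoin(chain[-1], location)  # Location may be relative
        if next_url in chain:
            raise RuntimeError("redirect loop: " + next_url)
        chain.append(next_url)
    raise RuntimeError("gave up after %d redirects" % max_hops)


def http_head(url: str, timeout: float = 5.0):
    """A real `head` callback: one HEAD request, redirects NOT followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # hand 3xx back to us as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed redirect chain standing in for a shortener and a landing site.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://hop.example/xyz"),
    "http://hop.example/xyz": (302, "/landing"),          # relative Location
    "http://hop.example/landing": (200, None),
}


def fake_head(url: str):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for candidate in ("https://www.facebook.com/dialog/oauth",
                      "http://facebook.com.evil.example/app",
                      "https://facebook.com@evil.example/app"):
        print(candidate, "->", "facebook" if is_facebook_origin(candidate) else "NOT facebook")
    print(" -> ".join(expand_short_url("http://short.example/abc", fake_head)))
```

To use it against the live web, pass `http_head` instead of `fake_head`; the last element of the returned chain is the page you would actually land on, which is what should be compared against a blocklist or the origin check, not the shortened link itself.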
As always, the best solution is our common sense. Think before you click, as the saying goes, and always try to remember that it’s very unlikely that you really need to see that apparently salacious new video of the celebrity of the moment behaving improbably badly.