Phishing on Social Networks: What’s the value of your small biz Twitter account?

Social networking is a great way to find and keep customers. In fact, social media use by small businesses with fewer than 100 employees jumped from 44 percent to 53 percent last year, according to the SMB Group. But, brand building online can go horribly wrong quickly if cybercriminals hijack your accounts – the effects of which a number of well-known brands have experienced recently.

Attackers can do this any number of ways. They can go straight to the social network provider to try to steal your credentials, by pretending to be you. They may also try to exploit potential weaknesses in the lost password feature with information that can be obtained relatively easily on the Internet, such as where you were born or went to school. Attackers may also try using Trojans to pick-up login and password credentials and harvest passwords that are stored or cached in the Web browser. But by far the simplest way to steal account details is with a well-crafted phishing attack.

You may be looking out for phishing attacks asking for your bank account or credit card details online, but too few are as cautious when entering account details for social networking sites. Attackers know this and use it to their advantage – my colleague details a recent direct message phishing attack that spoofed a popular social network: http://www.symantec.com/connect/blogs/phishing-easy-way-compromise-twitter-accounts. Phishing on social network sites is an easy way to trick users into giving their credentials away. Attackers also use fake emails that purport to originate from a social network and contain a link and a message to pique the user’s curiosity into clicking on it. Attacks of this type have been tried and tested, and found to be effective. In fact, Symantec’s Internet Security Threat Report, Vol. 18 (ISTR) found that the number of phishing sites that spoofed social network sites increased 123 percent last year.

You may wonder if this is really a big deal. After all, it’s not likely that attackers can drain your bank account with the credentials to your Twitter login. However, the damage that can be inflicted depends on the machinations of the attackers. By hijacking your social network accounts, cybercriminals can run scams, send spam, post false messages or infect other users with malware. Your small business account could be used to promote wacky diet plans, which though a nuisance probably won’t put you out of business. But what if your customers find malware being installed after clicking-thru to a link sent from one of your or your employees’ accounts? Worse yet, that malware goes undetected for a period of time by your customer and siphons valuable information. Small businesses are the path of least resistance and attackers prey on them as a means to gain access to a larger company.

Security problems that originate with humans don't have easy technical solutions. However, with proper user education, you can reduce the risk of successful phishing attacks on the social networks you and your employees use both professionally and personally. Here are a few tips to consider:

1. Check the social networking site’s address – typo squatting sites are often used to attempt to capture user credentials.
2. Scrutinize the site’s security certificate to ensure you are logging into legitimate services and look for “HTTPS” in the address.
3. Be suspicious of links sent from unknown users and even emails that claim to come from a social networking site, as this is a popular phishing tactic. And, don’t click on links in messages, even direct messages from a known “friend” or “follower,” that seem strange or out of character. A common method used by attackers is to pose as a friend/follower and send messages with links to sites that are infected with malware.
4. Install security software on user machines that protects against phishing attacks.
5. Use different passwords for each account; that way, even if one account is compromised, the others will stay safe. Passwords or passphrases should be difficult to guess and not in the dictionary. Ideally a combination of upper and lower case letters, numbers, and special characters should be used. And remember to change your passwords regularly.
6. Don’t answer yes when prompted to save your password to a computer or browser. Instead, rely on a strong password committed to memory or stored in a dependable password management program. Using a phrase known to you with some combination of characters from the URL is one approach to creating an easily memorable password for each site.
7. When the site offers it, use two-factor authentication that requires not only your user name and password, but also a trusted device (like a mobile phone) that can be used to confirm the identity of the account holder.
8. Report any suspicious or potentially malicious activity to the social networking site’s administrators.

Looking forward, attackers will be smarter and their phishing attacks more convincing. We’ll see more sophisticated site replicas and SSL-encryption phishing sites. As your brand and your employees engage on these platforms, remember that social networks are a great way to make a connection, and ultimately a profit, but they are not without risk from attackers that exploit the medium’s virality and trusted messaging. With social networking you may only be as secure as the weakest password in your circle of friends and business partners. Remind employees of best practices for safe use of social networks and set clear policies for what kinds of company information can be shared.