The Dark Side of Social Networking

************************************************************************
A formatted version of the OUCH newsletter can be found at https://www.sans.org/newsletters/ouch . You can subscribe to OUCH on the same site. Send your comments to OUCH@sans.org .
************************************************************************

1. The Dark Side of Social Networking
If you are not already engaging in social networking, statistics indicate you will be soon. Visits to social networking sites now account for 10% of the total time people spend on the Internet, according Nielsen Online. Two-thirds of Internet users in the U.S., Europe, Brazil and Australia visit social networking or blogging sites. Internet users total almost 156 million in the U.S. alone. Add in over 29 million in the United Kingdom and over 25 million in Brazil, and the numbers are just too large for the Bad Guys to ignore.

Ordinary Internet users have fallen in love with social networking. While the amount of time users spent on MySpace decreased from April 2008 to April 2009, the use of Facebook increased by 700% and of Twitter by 3,700% during the same period. Cybercriminals love social networking sites, too, because they have to remain easily accessible in order to grow their memberships. That means social networkers are in effect attending an open party where just about everybody is welcome, and who knows if anybody is watching the door.

The openness of these sites is an invitation to the Dark Side. No email verification is required, for example, when new users set up a Twitter account. It’s hard to imagine an easier system in which to create counterfeit accounts. Social networking sites rely on a username and a password for security, which means that anyone who finds out your username and password can gain access to your account, assume your online identity, use it mischievously or maliciously, and leave you with little, if any, control over the situation. Until social networking site security evolves with time and improves by necessity, here are 12 Tips for Safer Social Networking.

* Think about how a social networking site works before deciding to join it. Some will allow only a defined community of users to access posted content; others allow anyone and everyone to view postings. Don’t join any social network that asks you to share your address book or contacts.

* Always think before you click. Be wary of visiting the blog or webpage of other members because that other "member" may be a scammer, whose blog or webpage has been rigged to deliver a drive-by download of malware to your computer. If you think you have clicked on the wrong thing, contact your local computer support staff, your Internet Service Provider, or a computer consultant knowledgeable about security.

* Don’t click on shortened (or "condensed") URL’s, like those created by TinyURL and Bit.ly. There’s no telling where these links lead to, and that makes it easy to funnel you to malicious websites. Watch out for "misspelled" links, like www.yuotube.com . Could be a typo or a trick.

* Keep control over the information you post. Consider restricting access to your page or postings to a select group of people, like friends, members of your team, your community groups, or your family.

* Keep your information to yourself. Don’t post your full name, or any personal information about yourself or about anyone else. Be cautious about posting information that could be used to identify you or locate you offline, such as where you work or work-out.

* Make sure your screen name doesn’t say too much about you. Don’t use your name, your age, or your hometown. Even if you think your screen name makes you anonymous, it doesn’t take a genius to combine clues and figure out who you are and where you can be found.

* Post only information that you are comfortable with others seeing – and knowing – about you. Many people will see your page or postings, including the people who will be interviewing you for a job five years from now.

* Remember that once you post information online, you can’t take it back. Even if you delete the information from a site, older versions are stored on other people’s computers and may be archived for years by Web search services.

* Think hard before posting your photo. It can be altered and broadcast in ways you may not be happy about. If you do post one, ask yourself whether it’s one you’d include in your professional resume. Posting pictures of children invites exploitation and could expose them to real-world danger.

* Flirting with strangers online could have serious consequences. Some people lie about who they are; you never really know whom you’re dealing with.

* Be wary if a new online friend wants to meet you in person. Do some research about them. If you decide to meet them, be smart about it: meet in a public place, during the day, accompanied by friends you trust.

* Twitter Message Could be a Cybercriminal at Work Spain-based anti-virus maker Panda Software has been monitoring an onslaught of links with malicious software on Twitter that tag hot topics such as the Air France crash, the NBA finals, "American Idol" runner-up Adam Lambert, and the new iPhone 3GS. Cybercriminals have been targeting Twitter users by creating thousands of messages (tweets) with words involving trendy topics and embedded malicious URL’s. More information: http://edition.cnn.com/2009/TECH/06/21/cyber.crime.internet/

* Trust your gut if you have suspicions. If you feel threatened by someone or uncomfortable because of something online, report it to the police and to the operators of the social networking site. You could end up preventing someone else from becoming a victim. More information:
http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec14.shtm
http://www.pcmag.com/article2/0,2817,2348052,00.asp
http://en-us.nielsen.com/main/news/news_releases/2009/june/time_on_facebook
http://www.technewsworld.com/story/67366.html

************************************************************************
2. Scams and Hoaxes
– – New Phishing Attacks against Facebook Users
Cybercriminals have again launched attacks against Facebook to attract account holders to fake websites by sending phishing emails so they can capture usernames and passwords. The new attacks include sending a message to the victim’s Facebook inbox and an email notification entitled "Hello" or "Hi" to the Facebook user’s "real world" email address. The phishing emails, designed to appear to come from friends of the targeted Facebook account holders, contain text and a URL prompting them to visit a fake Facebook page where the phishers steal their login credentials.  More information: http://www.spamfighter.com/News-12588-Symantec-%E2%80%93-New-Phishing-Attacks-Against-Facebook-Users.htm

– – Friend Stranded in Foreign Country Scam Emails
You receive an email from a friend or colleague claiming that he or she is stranded in a foreign country and desperately needs your help to get home. The email originates from the friend’s real email account and may even include the same email signature that your friend usually uses when emailing you. The emails can be a clever scheme by Internet criminals designed to trick people into sending them money. Be wary of any email that you receive that asks you to wire money, even if the message appears to come from a friend. More information: http://www.hoax-slayer.com/stranded-scam.shtml

– – Enter your PIN In Reverse to Call Police?
This spam email claims that if criminals force you to withdraw money from an ATM, entering your PIN in reverse will automatically alert police. The technology that makes this possible exists, but banks have not implemented it.  If you are ever forced to withdraw money from an ATM against your will, co-operate fully and let law-enforcement pursue the matter. There is little chance the reverse-PIN technology will be installed. More information: http://www.hoax-slayer.com/reverse-pin-ATM.shtml

– – Web Sites Offer Bogus Swine Flu Products
The U.S. Food and Drug Administration (FDA) released another warning about bogus flu products that are targeting consumers via websites. The FDA has issued more than 50 warning letters to offending websites, and 66% of those have removed the offending claims or products. Examples include: a shampoo that claimed to protect against the swine flu virus, a dietary supplement that claimed to prevent infants and young children from contracting swine flu, a "new" supplement that claimed to cure swine flu infection in 4-8 hours, a spray that claimed to leave a layer of ionic silver on your hands that killed the virus, and several tests to detect the virus not approved by the FDA. More information: http://www.newsinferno.com/archives/6935
[Editor’s Note (Wyman): Everyone can help stem the tide of email scams by reporting them to the Federal Trade Commission at http://www.ftc.gov/spam/ .]