
Social attacks: Don't trust your friends

Scariest Security Threats Headed Your Way: Special Report

Have you checked Facebook lately? About 1.28 billion people use Facebook at least once a month, according to the company's 2014 first-quarter earnings report.

But between 4.3 and 7.9 percent of those users are "duplicate accounts," according to Facebook's own estimate in the April 25 Form 10-Q Quarterly Report it filed with the U.S. Securities and Exchange Commission. Between 0.4 and 1.2 percent of those users are "undesirable," i.e., spammers or worse. Those numbers might look small, but 0.4 percent of 1.28 billion is 5.12 million.

How much personal information do you post on social media? Can your online "friends" put you at even further risk?

What it is: "One thing that I think continues to be an issue is social network security, and people's inability to believe, for whatever reason, that what they put on social networks isn't automatically going to someday be public," said Dave Aitel, chief technology officer of security firm Immunity Inc., in Miami Beach, Fla.

Yet revealing too much personal information, unwittingly or not, may not be the worst security aspect of social networking. Social networks are also excellent platforms on which online criminals can develop and disperse attacks.

"It doesn't have to be someone hacking into Facebook to hack into your Facebook account," Aitel said.

It's the difference between someone breaking through a website's security to access its back-end database and simply getting hold of a single user's login credentials. Even if it's not your own account being hacked, you might fall prey to a scam or attack that's running through a friend's account.

"The big advantage for bad guys of spreading over a social network is that the attack comes with the 'endorsement' of one of your friends," says Graham Cluley, an independent security expert and blogger. "It's not a complete stranger — it's your friend Mary, and you see her smiling face in her avatar next to the message.

"People are lulled into a false sense of security," he added. "As a result, spam and malware attacks aren't uncommon at all on links for Twitter and Facebook."


And just because you practice good online security doesn't mean you're safe; criminals often target the people around a high-profile target in order to get what they want. "You are the weak link in your security," said Robert Siciliano of McAfee, a Santa Clara, Calif.-based antimalware company.

"Social network" means more than you think. An online video game that lets players communicate with each other is a "social game," and attackers can use it to spy, stalk or steal money. If the likes of "World of Warcraft" and "Second Life" are good targets for the NSA and GCHQ, they're good enough for savvy criminals, too. A hacker could also get a lot of money selling in-game resources such as gold, armor or even an entire character to other players.

Social network security is no laughing matter.

"We … expect to see attacks that employ the unique features of the social platforms to deliver data about user contacts, location or business activities that can be used to target advertising or perpetrate virtual or real-world crimes," McAfee wrote in its 2014 yearly forecast.

Twenty-two percent of social media users have experienced or perceived a security issue, according to a November 2013 survey sponsored by McAfee. What will that number look like at the end of 2014, when McAfee predicts that "social attacks will become ubiquitous"?

Being too free with your personal information could lead to identity theft or other kinds of privacy violations, such as "sextortion" involving hijacked Facebook accounts. Spies have used LinkedIn to identify targets for spear-phishing attacks. As for malware spread through social networks, the damage depends more on what the malware does than on how it reached you.

Reality Check: Social media-related scams are easy to avoid. Be aware of what you post online, and be skeptical of links, app invites and other things your friends post.

Aitel recommended you enable two-step verification whenever possible — Twitter, Facebook, Google and LinkedIn all allow it. He further recommended that people "compartmentalize" their information, so that no single website or service knows everything about you.

"That's the theme of the year: How do you compartmentalize your personal information?" he said. "Maybe I only use Google+ for friends and family, and I never use Google+ for work."
