Social media has been the buzzword recently. While I am writing this post, there are more than 500 million active users on Facebook, and 50% of active users log on to Facebook at least once a day from their office, home, coffee shop, school, or while on the move. Today most organizations have an active presence on LinkedIn, Facebook or Twitter. Social media has emerged as an effective marketing tool for engaging with a mass audience. As Natalie Petouhoff, Senior Researcher with Forrester Research Inc, said, “Social media isn’t a choice anymore – it’s a business transformation tool”.

The advent of new means of communication opens new channels for scammers to conduct social engineering attacks. Scammers have started using social media as a prominent way to extract vital information from users, and they also use social-networking-specific malware for financial gain. Messages or web links coming from immediate connections on Facebook or Twitter lead users to believe they are genuine and that there is nothing wrong with clicking them. Scammers leverage this trust and exploit human traits such as greed, fear and curiosity to conduct a wide variety of phishing attacks. According to the latest Anti-Phishing Q2 2010 Report, there is a definite rise in social networking phishing attacks: they accounted for nearly 3 percent of reported attacks in Q2 2010, up from an almost negligible share in Q1.

Any currently hyped political situation, news story, video or mishap is good enough to make users click a link that redirects them to the (malicious) website of the scammer's choosing. The message is crafted to pull at your curiosity, or is made emotive enough to create sympathy for people affected by a tragedy. It is very unlikely that you have not seen messages like these on your wall or in your Twitter feed:

“Did you see how will u look like in 20 years from now? lol:”

“They need your help, Pls donate”

“Hey, I am your old college mate! Just joined your company, Why not reconnect? – http://biz.ty/23424”

“I bumped into some of your old friends the other day; they wanted me to send you this – http://facebooklink”

The websites behind such links could be asking for your net-banking credentials under the pretext of a donation, for sensitive information about your organization, or for any other personal information that is valuable to scammers. Clicking the link may also download malware onto your system and compromise it. Many times, scammers target one social networking account, compromise it using a script, and the same script then propagates itself to the victim's friends' accounts. These are better known as self-replicating malware (worms), which abuse application vulnerabilities such as unvalidated redirects, clickjacking and cross-site request forgery (CSRF) to spread across multiple user accounts. For mobile users it is even worse, as it is not easy to verify the authenticity of URLs.

I am sure you will agree that it is not easy to stop the use of social media completely, even though there are definite risks involved. Organizations need to look beyond traditional technology controls, as continuous education and awareness is the only solution to fight against phishing attacks.

An organization can take the following steps to fight phishing attacks:

  1. Establish a social media strategy. Clearly document and enforce what is and is not allowed to be discussed and disclosed on social networking sites.
  2. Conduct social media awareness programs that cover both the rewards and the risks of social media. They should also cover how to identify phishing websites and differentiate between original and fraudulent websites.

As an employee, you can adopt the following best practices to avoid falling prey to phishing attacks:

  1. Never click on a link or bookmark associated with a financial transaction or a request for sensitive information; instead, make it a habit to type the URL manually into the address bar.
  2. Do not click on links that ask you to download ActiveX controls or other software onto your system, as they could be Trojans or malware that later give an attacker remote control of your system and of other systems inside the network.
  3. Ensure that the site is authentic and served over HTTPS before providing any sensitive information about yourself or your organization.
  4. Report suspected links to the internal security team as well as to the social networking site concerned, so that they can work with the hosting provider to take down the phishing website.
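As an added example (not code from the original post), here is a small Python triage script that applies practices 1 and 3 to the kind of links quoted earlier: it flags links that are not served over HTTPS, that go through a URL shortener, or whose host merely resembles a well-known brand. The shortener set and the brand table are constructed for illustration, not real feeds.

```python
"""Link triage for messages received over social media.

Added example, not code from the original post: it applies the practices
above (insist on HTTPS, distrust links you cannot verify) to each URL found
in a message. Shortener and brand tables are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed lists; a real deployment would use a maintained feed.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "biz.ty"}
BRAND_DOMAINS = {"facebook": "facebook.com", "twitter": "twitter.com",
                 "linkedin": "linkedin.com"}


def triage_link(url: str) -> list:
    """Return risk flags for one URL; an empty list means nothing was flagged."""
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("no-https")      # practice 3: TLS before any sensitive input
    if host in KNOWN_SHORTENERS:
        flags.append("shortener")     # real destination hidden; expand it first
    for brand, real in BRAND_DOMAINS.items():
        # "facebooklink" or "facebook.com.example" contain the brand name but
        # are neither the registered domain nor one of its subdomains.
        if brand in host and host != real and not host.endswith("." + real):
            flags.append("lookalike:" + brand)
    if parts.username is not None:
        flags.append("userinfo")      # text before '@' is not the host being visited
    return flags


def triage_message(text: str) -> dict:
    """Map every URL in a message to its flags so a reviewer can decide quickly."""
    return {url: triage_link(url) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    # Constructed sample, modelled on the messages quoted in the post.
    sample = ("Hey, I am your old college mate! Just joined your company, "
              "Why not reconnect? - http://biz.ty/23424")
    for url, flags in triage_message(sample).items():
        print(url, "->", ", ".join(flags) or "no flags")
```

A link with no flags is not proven safe; the script only automates the quick checks an employee should make before deciding whether to type the address by hand.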

Both the organization and its employees have to play their part in fighting phishing risks over social media.

CISO Platform