Spike in Social Media Malware, Phishing Attacks

 

Spike in Social Media Malware, Phishing Attacks

E-mail scams targeting users of social media sites like Twitter and Facebook are blurring the lines between traditional phishing attacks and those designed to plant password-stealing malicious software on the victim's PC.

For the past week, scammers have been blasting out e-mails that at first glance appear to be run-of-the-mill phishing scams aimed at stealing user names and passwords from Facebook users. The messages urge recipients to "update" their information by clicking a provided link and entering their Facebook user name and password at a counterfeit Facebook login page.

Facebook users who fall for the ruse are "logged in" to the fake Facebook page and then prompted to install a "Facebook Update Tool," which is in fact a copy of the Zeus password stealing Trojan.

A study released in October found that 54 percent of U.S. companies have banned workers from using social networking sites. The author of that survey cites the impact that social media sites can have on worker productivity, but a growing number of businesses are becoming attuned to the potential for these sites to introduce malware into corporate networks, said Rohyt Belani, chief executive of Intrepidus Group, a security consulting firm in New York City.

"When you click a link in a phishing [e-mail] it could be a regular phishing site or it might lead to malware," Belani said. "Companies are being forced to train employees to help protect their networks."

Intrepidus offers the Phishme service, which helps companies test how susceptible their employees are to phishing attacks by sending workers mock phishing e-mails and then recording how many employees take the bait. Employees that fail the test are immediately presented with training materials to help them better spot a phishing scam the next time around.

Intrepidus customers have tried to phish roughly 100,000 employees using social media sites as bait, and so far the initial results are not good: 61 percent of employees clicked links included in mock phishing attacks that spoofed Facebook, LinkedIn and Twitter.

Intrepidus found that on average only 18 percent of employees who fell for the initial phishing test were vulnerable in follow-up tests.

Figures released by Microsoft this week about cyber crime trends in the first half of this year also suggest that Internet users are far more susceptible to phishing and malware scams that use social media sites as a lure. Using the phish filter in its Internet Explorer 7 and 8 Web browsers, Microsoft can track phishing "impressions," or how many times people click through to a known phishing Web site. According to Redmond, May and June saw a massive increase in the number of people clicking through to phishing sites.

This spike also corresponded to a shift in the targets of phishing sites: Microsoft found that the share of phishing impressions at bogus social networking sites grew from about 10 percent in April to more than 70 percent in June.

By Brian Krebs  |  November 4, 2009; 12:30 PM ET