Friday, January 04, 2008


Friendly fire

There’s an increasingly common phishing technique that’s aimed at social-networking users, and which takes a careful eye to notice. This post, from the Finnish anti-virus company F-Secure, shows a good example of what it looks like.

The basic way it works is by making you, the victim, think that a “friend” has posted something on their social networking site for you to see. When you try to look at it, you actually wind up at the phishing site and they present you with a copy of the normal login page... and then steal your login.

There’s nothing new about this — it’s pretty much the same as when an attacker spoofs your bank’s login page — but a few things make it harder to defend against:

  1. To get you to go to a replica of your bank’s web site, the phishers have to make up a story, and it’s a story you can usually see through, if you apply reasonable skepticism. But with social networking, you’re expecting people to post things for you to look at, so the natural level of skepticism goes down. Way down.
  2. If they can see who your friends are, they can make an attack look — quite realistically — like it’s from a friend, making you drop your guard even more.
  3. Making the “friend” thing worse, once they compromise the social page of one of your friends, you’ll actually find these traps on your friend’s page, and not just, say, in email. Now they don’t have to actively attack you. And you’re very unlikely to be suspicious about a link that you find directly on your friend’s page, so once the phishers get in, they’re likely to hit a whole social circle.

And, of course, by the “six degrees of separation” principle, once they get into your social circle, they’ll quickly invade the other circles that connect to each of its members.

They’re not stealing your bank accounts, of course, only your identity on Facebook, MySpace, LiveJournal, LinkedIn, or whatever. But considering the way we’re using these social networks these days, that might be quite a serious problem for some people. And the more the attackers get, the more other things they gain access to. Maybe they can find your credit-card number as well, and maybe you use the same password for both, hm? (Hint: Don’t do that!)

The conventional wisdom is not to trust things that come from sources you aren’t sure of. The new wisdom is to be suspicious even of things that appear to come from people you know. Learn to look carefully at the URLs. Put your cursor over links and look at the destination URL in the status line at the bottom of the browser window. Pay attention to the URL in the address field after you get to the web page. Look for the signs that you’re on an encrypted web page (the lock symbol in the browser frame, for instance), but understand that that doesn’t mean the page is legitimate, or safe. Refuse to use services that normally present you with confusing URLs, because that makes it hard to tell when they’re faked.
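One way to make that hover-and-compare check mechanical, as an added example that is not part of the original post: given a link’s visible text and its real destination, it reports whether the destination belongs to a site you actually log in to or only imitates one. The trusted-host list and the sample links are constructed for the example, and phish.example is a placeholder.

```javascript
// Added example, not code from the original post. TRUSTED_HOSTS and SAMPLES are
// constructed; URL is the WHATWG parser that is a global in browsers and Node.
const TRUSTED_HOSTS = ["facebook.com", "myspace.com", "livejournal.com", "linkedin.com"];

// True only for the registrable domain itself or a real subdomain of it
// (login.facebook.com), never for a lookalike such as facebook.com.example.net.
function isTrustedHost(host, trusted = TRUSTED_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return trusted.some((t) => h === t || h.endsWith("." + t));
}

// Hostname the visible link text would resolve to if it were a URL, else null.
function hostFromText(text) {
  const s = text.trim();
  if (!/^(https?:\/\/)?[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?$/i.test(s)) return null;
  return new URL(/^https?:\/\//i.test(s) ? s : "http://" + s).hostname.toLowerCase();
}

// Returns { verdict: "ok" | "suspicious" | "unparseable", host, reasons }.
function checkLink(visibleText, href, trusted = TRUSTED_HOSTS) {
  let u;
  try { u = new URL(href); } catch (e) {
    return { verdict: "unparseable", host: null, reasons: ["href is not an absolute URL"] };
  }
  const host = u.hostname.toLowerCase();
  const reasons = [];
  if (!isTrustedHost(host, trusted)) {
    // A brand name used as a mere label inside the host is the classic lookalike.
    const brand = trusted.find((t) => host.includes(t.split(".")[0]));
    reasons.push(brand ? `host "${host}" imitates ${brand} but is not it`
                       : `host "${host}" is not a site you log in to`);
  }
  if (u.username || u.password) reasons.push("credentials before '@': the real host is what follows it");
  if (u.protocol !== "https:") reasons.push("destination is not an encrypted (https) page");
  const shown = hostFromText(visibleText);
  if (shown && shown !== host) reasons.push(`text shows "${shown}" but link goes to "${host}"`);
  return { verdict: reasons.length ? "suspicious" : "ok", host, reasons };
}

// Constructed sample links of the kinds the post describes.
const SAMPLES = [
  ["See my photos!", "https://www.facebook.com/photos"],
  ["www.facebook.com", "https://www.facebook.com.login-check.example/login"],
  ["Check this out", "http://facebook.com@phish.example/login.php"],
];
for (const [text, href] of SAMPLES) console.log(text, "=>", checkLink(text, href));
```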

Caveat surfer.
