Social network sites originated threats to organizations


By Kumar Manthri - Posted on 23 September 2011

The use of online social networks such as Twitter, LinkedIn, Facebook, MySpace, Orkut and Friendster by the general public, from the young to the old, has provided a helpful environment for individuals to learn, play and keep in touch with long-lost friends and colleagues. However, this new "country" also allows those who want to find the best means of attacking large corporations, for various nefarious intentions, to carry out the research needed to do so.

Generally, new recruits of companies that are being targeted are prime candidates for such exploitation. Why is this so? New recruits are normally in the process of “fitting in” to their new work environments; they are more trusting and reliant on others, and less likely to know the company culture and security procedures [1]. This leaves them vulnerable to someone pulling sufficient information out of their various social media accounts to mount a successful attack on the intended target, namely the organization they work for.

For example, let us say Mr. P has been hired by XYZ, the underhanded competitor of ABC (a multinational corporation), to confirm rumors that ABC is going to expand its business into India. P looks at ABC’s LinkedIn page and sees that a Ms. M has recently been recruited by ABC as an Offshore Marketing Executive. On finding M’s personal profile, he notices that M has conveniently given the link to her Facebook account, in which photos of her trip to India are posted, and on her Facebook wall she has written:

“Hi guys just got back from India, went on work related matter… Lovvvveeeed the country and the food, mmmmmm. Sorry did not inform you guys early of my departure as it was a sudden thing, new venture and all, suppose to be hush, hush”.

P now has evidence of a project in India and knows that M is working on it. However, these are just the first steps. By calling her up, or by going through the Facebook account of her boss at the company, Mr. P could glean more pieces of information that seem “insignificant” from the user’s point of view, from which a rough project plan could be assembled, thereby justifying P’s salary and helping the strategy of ABC’s competitor, XYZ.

However, social networks are not only a place to conduct research for evil intent; they can also be the means of actually perpetrating an attack on the unsuspecting corporation.

Even though social networks seem to be interactions between friends, colleagues, university batch mates and so on, they are in fact physical interactions between computers connected to the World Wide Web. Hackers who understand this fact have now developed what are known as Social Networking Worms [2].

These worms exploit an inherent weakness of social network site users, our readiness to extend trust [3], in order to entice us into carrying out a task that ultimately leads to our computers being infected. By clicking on a link that appears to be, for example, a video clip of a favourite music artist or a picture of a celebrity, the unsuspecting user downloads a malicious script that can in turn compromise the user’s operating system. On successful infection, these worms can hijack the user's computer and set off a chain of events that turns the victim’s machine into a Zombie or host computer. Furthermore, this can trigger a further series of events that ends with the hacker being able to steal valuable information from the user's organization. This is what is termed "spear phishing" in today's hacking jargon, and some recent attacks on several top United States companies are said to have been carried out using similar methods.

Once the user's computer has been turned into a Zombie, it can also be used to perpetrate further attacks on other, more valuable systems of top multinational corporations, without the user knowing that he or she is doing so. Since the unsuspecting user does not complain (being unaware that this is happening to them), and since the relevant authorities, once they get wind of it, do not know what or whom they are supposed to prosecute, the perpetrator generally goes unpunished. Crimes of this type have been dubbed “Victimless Crimes”; however, the revenue earned by such criminals runs to millions of dollars [3].

In short, social networking has given birth to a new form of interaction between people in the online world. However, even though these social networks are virtual in nature and seem to belong to a different world, their impact on the lives of individuals is real.

References:

  1. Michael Pike, “Social Engineering”, BCS, http://www.bcs.org
  2. Aditya K. Sood and Richard Enbody, Ph.D., “Chain Exploitation: Social Networks Malware”, ISACA, http://www.isaca.org
  3. Nart Villeneuve, “Koobface: Inside a Crimeware Network”, Information Warfare Monitor, 2010, http://www.infowar-monitor.net/

Author:

Kumar Manthri is an Information Security professional currently working as an Information Systems Auditor at SJMS Associates, an esteemed firm of Chartered Accountants backed by Deloitte Touche Tohmatsu. Kumar is a CISA and C|EH certified professional with a Bachelor’s Degree in Computing from Staffordshire University, UK, and holds a Diploma in Information System Security Control and Audit obtained through a joint program conducted by ICA Sri Lanka and ICA India. Kumar is also a professional Member of the BCS (The Chartered Institute for IT).

I think that organizational policy should address this issue (along with other issues, which are part and parcel of the typical and ever-evolving IT field) and include it in the respective policies and procedures.

As you know, the formulation of a "security awareness culture" is essential in any organization to inculcate both proactive and reactive countermeasures. Nevertheless, if an organization is willing to accept such risks, this should also be stated, and the risk acceptance should be formally documented. There is typically no 100% security anywhere; it is a combination of people, process and technology, at a high, medium or low scale, that results in risk mitigation strategies.

It is good that ISACA SL is promoting diversified articles consisting of different scopes, to enhance the knowledge base of information security as a whole.
