Social-Media Safety Beyond Facebook and Twitter
CREDIT: Felix Mizioznikov/Shutterstock.com
Cybercriminals love attacking social-media websites like Facebook and Twitter, and it's easy to see why.
"There are three reasons why social-media sites continue to be a prime target for cybercriminals: the vast amount of personally identifiable information housed on these channels, the tendency of users to let their guard down when using social-media tools and the regularity with which users visit their favorite sites," said Chris Boyd, senior threat researcher with the international computer-security firm GFI Software.
The pool of information to choose from makes it even more tempting for bad guys, Boyd added, as social-media use spills over from personal connections to business connections.
Facebook and, increasingly, Twitter get the bulk of the news coverage, both for their popularity as social-media sites and for the frequency with which the two social-media darlings are attacked.
The two services are a primary target for cybercrooks for the same reason malware developers prefer Windows machines instead of Macs — they're what most people use.
Just the beginning
But Facebook and Twitter are only two out of dozens of social-media sites covering a wide variety of interests and ways to interact.
Well-known alternatives include Pinterest (sharing and organizing items of interest), LinkedIn (business networking), Tumblr (blog hosting), Foursquare (location-based social networking), Flickr (photo sharing), Google+ (social networking) and Goodreads (book discussions).
With the exception of Pinterest, which has skyrocketed in its popularity over the past year, most "second-string" social-media sites are under the radar for the vast majority of users — and, you would think, for cybercriminals as well.
But, said Boyd, we are starting to see cybercriminals expand their playing field by hitting newer sites. The theft of 6 million lightly encrypted LinkedIn passwords earlier this month may just be the tip of the iceberg.
The benefit of attacking smaller sites is that — as with any new target or attack method — users aren't as aware of or as educated about potential threats, which ultimately enables scammers to catch victims off guard.
"Because social media is all about being social, and most interactions occur within a network of confirmed 'friends,' users often let their guard down when using these sites," Boyd said. "This is a common tendency whether users are on Facebook, Twitter, Pinterest, Tumblr or another social media channel.
"The difference is that there is now an abundance of research on Facebook and Twitter scams, so users are more aware of the security risks involved and have a greater sense of vigilance when using these sites. For this reason, we are starting to see attackers target new social media platforms as well."
Smaller sites, bigger rewards
These lesser-known sites also have very valuable information, points out Nicholas Arvanitis, principal security consultant in the New York office of the South African IT provider Dimension Data.
"Consider Foursquare as an example," Arvanitis said. "As an attacker, understanding my target's physical movements is very promising. I can profile their habits, at any given time I can pinpoint their location, and I can use this information in many different ways.
"For example, if I wanted to rob someone's home, I'd love to know when they're not home. Foursquare gives me that."
People also tend to project different profiles on different social networks. Someone's profile on LinkedIn might be very professional, and his or her Quora profile could be similar, but a completely different side of that person may be shown on Pinterest, Path or Flickr.
"If I want to truly get to the core of information that I could use to better understand, profile and target a victim, I want a better understanding of the entirety of their image, especially the bits they feel are of a more personal nature," Arvanitis said.
Stumble in the jungle
For example, Boyd said, Tumblr users stumble through reward offers for fictional gift cards. Tumblr encourages users to repost content quickly and easily — an ideal scenario for scammers who can think up a good ruse.
Many of the most popular Tumblr threats involve fake "official" Tumblr staff blog entries serving up "free" offers, such as airline tickets and Starbucks gift cards, to users who complete a reward offer or survey.
Since users typically don't check the validity of content sources — likely a result of the "rapid reblog" Tumblr mindset — they are misled into divulging personally identifiable information that is often used for malicious gain.
YouTube viewers, on the other hand, often hit "play" on phony videos. Cybercriminals take advantage of YouTube's video platform to lure users into downloading malicious files. The promise of video game cracks, music videos and sneak-peek movie trailers are popular scams that pique users' interests.
YouTube scams can end in any number of ways, including installing malware on users' systems, prompting them to fill out surveys, or tricking them into entering personally identifiable information for account validation.
LinkedIn has been in the news recently for its stolen passwords, but there's another danger: Malware can slink in through LinkedIn.
While LinkedIn arguably hosts the most valuable information to cybercriminals, before this month it was perhaps the least targeted major social media platform.
Why? Because the site's user base is generally more tech-savvy and aware of social media threats and attack methods — making it harder for attackers to penetrate and resulting in lower payoff when they do.
When LinkedIn is targeted, the schemes often involve fake invitations and other mail messages that aim to drop malware onto users' machines.
Stay alert, stay safe
The bottom line, Arvanitis and Boyd agree, is that even while a given social-media site may not have the high profile of Facebook, and attacks against it may not be front-page news, users still need to be aware of the full gamut of risks, and how attackers target social media.
"Vigilance, education and awareness are the keys to staying safe when using social media sites," Boyd said. "Consumers should be extra cautious when using social-networking tools and think twice before clicking or sharing links or downloading videos or applications they are unsure about.
"Additionally, understanding what types of attacks are most common on different social media platforms — and why — can help users identify and defend against malware lurking on them."