Remember the announcement of Facebook’s new “Graph Search” feature? No? I don’t blame you. Until most folks can get their hands on it and see what it can do with data from people they know, it’s hard to envision how Facebook’s “innovation” is important. Security analysts, of course, eat and breath this stuff, and as they are trained (and expected) to do, they have extrapolated how this powerful social media search tool could be put to nefarious use. Christopher Hadnagy (Social-Engineer.org) put it succinctly:
Usually, a phisher or spammer collects a couple hundred email addresses and they’re hoping 10 percent of those who get it have an interest in what the email is about. With this tool, it gives a malicious person the ability to figure out whom to target with a particular message because they know their interests.
In case you aren’t aware how “phishing” works, the core conceit is focused on fooling the reader into clicking on links and providing confidential information to a counterfeit website. Phishing is most effective when the target gets an email that seems legitimate, e.g. using graphics and fake address from bank with which they already do business. Instead of having to rely on statistical probability, phishers can now target with ruthless efficiency any data available through Facebook’s Graph Search.
What this means for you:
If you are an avid user of Facebook with a tendency to openly share just about everything through social media, your data is already out there and viewable. If you are a casual Facebook user, but haven’t taken the time to adjust your privacy setttings, your data is already out there and viewable. Nothing has changed in that regard. However, up until now, you had a very, very thin layer of protection through the concept of “security through obscurity”. In other words, the sheer, overwhelming amount of data that is available greatly reduces your chances of being randomly identified and targeted. Think of it as wandering into the Library of Congress where the only way to find something was to know exactly what it was called and where it was located physically in the building.
Facebook’s Graph Search gives anyone the ability to search for anything in Facebook using a natural language query like, “Show me all the books on 19th century bridges built in the US with wood.” If those books are in the library and are viewable to the public, then they would be delivered in a tidy page that could be reloaded and refreshed whenever the search was needed. Here’s the key: the data is viewable only by those to whom you’ve granted permission to view. If you allow the public to see your contact information and “Likes”, that data will be viewable by not only your friends, but the internet, including the aforementioned phishers. If you haven’t reviewed the privacy and security permissions on your Facebook account, now is a good time to do so.
A recent study by security firm NSS Labs shows that Google’s Chrome browser still has the best detection rate (94%) for spotting phishing URLs, and on average, new malware sites are reported and blocked by all browsers within 5 hours of discovery, a significant improvement over the 16+ hours that same process would have taken in 2009. Firefox showed the best response time to reporting and blocking new sites at 2.3 hours – more than twice as quick as IE10.
What this means for you:
All of the major browsers have significantly improved their ability to protect users, to the point that there is very little statistical difference in their security capabilities. Many of my clients still ask me if one is better than the other, and the answer is always, “It depends on what you need the browser to do.” I still use Chrome for most of my work, but there are still enough times when I’m working with online apps that only work with Internet Explorer. The most important factor to consider is making sure whatever browser you do use is kept up to date, and that you practice safe and cautious surfing whenever working with unfamiliar websites.
Now that the public’s overall awareness of phishing is much greater, getting people to click phony links in an email isn’t as easy as it used to be. However, phishers, now motivated (and possibly funded) by organized criminal elements, are investing more time in actually fooling people, producing very authentic-looking emails intended for audiences with accounts worth compromising, such as the ones that control payroll or bank accounts for small companies. A recent phishing campaign dissected by Webroot details a focused targeting of Intuit’s popular Quickbooks platform. Using a combination of scare tactics, actual Intuit branding and realistic-sounding text, actual Quickbooks users may be lulled into a false sense of security and click through to malware-laden sites which quickly compromise their computers.
What this means for you:
Whenever you receive a request from a known service provider via email, always, ALWAYS! check the integrity of the links they ask you to click, especially if the communication wasn’t expected. How do you check the links in an email? Read my previous post “Ransomware Virus Targets Skype Users” for details on how to check if the links are valid. Even if the email seems to be legitimate, skip clicking the links altogether and go straight the the website in question by typing in the URL yourself, or pick up the phone to call the company. Your computer and financial security are worth a few more minutes and keystrokes!
- 1
- 2