Social Networks a Magnet for Malware | Online journal "Corporate Information Systems"
Just like the crooks robbed the banks because that's where the money is, will go where the people are.

The «clickjacking» attack on the service last week is part of a growing trend of social engineering attacks via social networks, say experts.

«We've seen a lot of these and peer to peer sites targeted in general for a bunch of different reasons,» said Sam Curry, the vice president of product management and strategy for RSA. «It's a law of large numbers in many ways.»

Curry calls the attacks through attacks «orthogonal attacks.» As users have become aware of phishing attacks and other efforts to get at their personal data, hackers have turned to social networks and «brand attacks,» like the recent CNN.com-spoofing Cease-Fire Trojan to spread that goes after the same information once installed on the victim's computer.

In the case of the service moved to block clickjack exploits last week, according to Biz Stone, co-founder of He said in an e-mail to InternetNews.com that the company is serious about blocking such attacks.

«We've found that proactive security reviews, quick reaction time when there is an incident, and communication with our users in a timely manner are effective techniques in dealing with exploits,» he wrote.

While the clickjack only spread itself and had no apparent associated with it, social engineering attacks on other sites have hardly been so benign.

The recent scareware links on Digg.com and the Koobface virus currently spreading across are both examples of social-engineering-based attacks that are tailored to the habits of users, with a much more significant security threat attached.

Because of the nature of social networks, they're particularly attractive to hackers, according to Craig Schmugar, a threat researcher for McAfee. «The nature of user interaction within sites is being exploited by authors and distributors, and that's definitely on the rise,» said Schmugar.

«Unfortunately, a lot of it is just straight social engineering,» he said. «They're not exploiting any security vulnerabilities, but they are crafting messages like 'don't click me' to capture users' attention and take them to completely different sites.»

That sort of attack puts sites in a difficult situation, he says. «Even if you test as much as you practically can to validate user input, you've got millions of users out there, a small subset of which are trying to poke holes in the application, but it still is a lot of people, and you can't assume your QA is 100 percent. So if you at least on the back end do some additional scanning you have a better chance of catching it.»

While services are being more proactive about scanning downstream sites, that can be a fairly expensive undertaking in terms of resources, «especially when you're talking about which has millions of posts a minute, and in trying to isolate the ones you really have to be worried about and keeping the rest of the traffic going,» said Schmugar.

While the risk of is certainly growing on sites, Curry thinks that the risk is tied directly to the benefit the sites offer. «The risk is greater (in social networks),» he said. «But why do people do this? They want a richer social life, they want to interact with more people, have more engaging types of interactions with people, and want to push out the cultural and social boundaries of their lives, and that creates more risk.

«The question is, is that necessarily a bad thing? Most of us want to hire the people who are interactive in those ways. The value of people who use these is probably far greater to an employer than people who don't do that sort of thing.»

