In association with heise online

03 January 2008, 15:23

Social networking sites supply valuable information to criminals


Social networking sites are attracting not only more and more users from around the world, but also more and more criminals. Security specialists say that MySpace, Facebook, Orkut and other sites for making and preserving contacts often contain extremely valuable information that can be abused to facilitate targeted attacks on users. E-mails with malicious content, for example, can be made to look far more credible and thus persuade a victim to open an infected attachment. The sender might pose as a business partner or colleague. Phishing e-mails, too, could be tailored more specifically to the recipient, and spam could be matched to addressees' hobbies.

It's a remarkable fact, said Mary Landesman of the security firm ScanSafe to British media, that users of social networking sites give away details of their lives, loves, jobs and hobbies that they would never entrust to a stranger in a bar. This lays them open to attack. Security firms reported in mid-2007 on the first targeted attacks on people in business, industry and politics that made obvious use of information gathered beforehand from profiles on Facebook and LinkedIn.

Sites such as MySpace and Orkut also offer great potential for the distribution of worms. As recently as the end of last year, a JavaScript worm wound its way through Orkut. According to new information, it not only infected the profiles of many users while doing so, but also spied on banking credentials. Security specialists, however, don't advise against the use of social networks, because they simply offer too many advantages to normal users. The right approach, they say, is to minimize or manage the risk. How precisely this is to be done remains an open question, although there are some basic principles that should be obvious:

  • do not give out real "critical data" such as your date of birth or address
  • use a different pseudonym on each site you sign up to
  • create and use a different anonymous email address for each site you sign up to
  • avoid providing a "complete profile" on any site you use
  • do not link between sites you use
  • think "would I shout this out in a crowded street?" and "would I tell my boss?" before posting any content
  • be just as particular with other people's information (e.g. friends' names)
