How well do you know your social network? Chances are you didn’t attend Sunday school with everyone you’ve friended over the years, and there are often a few people you’re not entirely positive you ever met. But with the way our online identities are increasingly linked, all it takes is one less-than-discriminating friend in your circle for a hacker to gain access to and destroy your online life.
By obtaining personal information from your account—simple details like your birthday, your phone number, or your geographical info—hackers can often unlock the “account recovery” features of other online accounts, thereby beginning the ladder of access to your credit card information, bank account, and hoards of other online identities. Unfortunately, it’s as easy as it sounds.
On the popular TV game show The Weakest Link, the biggest link-breaker was booted off the show, and publicly had to take a long walk off the short pier of shame. But when it comes to social networks, the weakest link—your aunt Thelma who still uses Windows 98?—can be just the gateway these criminals need, and very likely won’t even know that she is being played by a pro.
For years, people have assumed that online security was only necessary for the highest security sites, the financial institutions and government agencies where directly monetizable assets were just a single click away. Recently, though, we’ve seen a crop of cybercriminals willing to invest in the long con: multistep attacks to acquire personal data they then leverage for more pernicious crimes down the road. These online hijackers “phish” for personal data they can then utilize to add credibility to their second-level attacks. At this point in the evolution of the Internet, you might not be foolish enough to send sensitive information to a wealthy Nigerian prince or a bank with a Hotmail handle, but what if the request appears to come from your coworker Charlie, who is just looking to fill out a “company spreadsheet”? Or your spouse, who wants you to click on a link to some “party photos”? When these messages are personalized with a few reasonable details, the effectiveness rates can go through the roof!
So how do these virtual grifters get ahold of your personal account details? By going after vulnerabilities on much-less-protected social networks, online games, and the like. These sites, many of which could previously treat account security as a nice-to-have, are seeing a spike in two forms of attack: hackers registering fraudulent accounts expressly for the purpose of ensnaring innocent users, and criminals taking over existing, legitimate accounts. We recently addressed the fact that even the cleanest social networks experience at least a 5% fraudulent signup rate, and that Facebook—the granddaddy of them all—admits to more than 8% fake accounts across its network, a whopping 80 million accounts worldwide.
Starting with freshly created accounts, hackers begin by sending friend requests to legitimate users. When the first user accepts the request, the hackers immediately gain access to a wealth of that user’s friends’ “personally identifiable information” (or PII): birth dates, phone numbers, email addresses, etc.—in other words, information that many users might naively think is standard, public profile fodder, unworthy of additional security.
But one user’s standard profile fodder is virtual gold to a hacker. A study by the University of British Columbia analyzed how cybercriminals might use a few personal details to build an entire network designed specifically to steal PII, and use it to surprisingly devastating ends. For this particular study, a team of students built a “socialbot” with 102 Facebook profiles to see how fast and how deeply the bot could penetrate a group of random Facebook users and capture sensitive information. Results of the eight-week campaign are as follows:
- The socialbot built an extended social network of one million people, successfully friending 3,055 individuals from a total of 8,570 invites sent — a mind-boggling 35% acceptance rate.
- Once the socialbot made some friends, it in turn targeted those friends’ friends. As the bot’s network grew, so did its friend-acceptance rate — that is, as its pool of friends expanded, the bot’s robust circle of pals made it seem more trustworthy and therefore more “friendable.”
- The bot collected 250GB of personal data, including 35% of all the personally identifiable information found on friend pages, and 24% from extended friend-of-friend networks.
These findings are both astonishing and daunting. It’s particularly unnerving that even if you’re discriminating when accepting friend requests, all it takes is one of your friends to slip up—the aforementioned weakest link—and all of your information could be in the hands of cybercriminals.
If a dozen university students doing a side project can compile this much sensitive information, just think what sophisticated cybercriminals might accomplish. And, if one of the largest, most trusted social sites is this vulnerable to account hackings and personal data-mining, malicious infiltration of fraudulent accounts can happen to any site, on any scale, to anyone. Just ask Wired magazine’s Mat Honan, who recently wrote a feature entitled “Kill the Password” after being a victim of a lightning-fast cyber attack. In Honan’s case, the hackers used information gleaned from Honan’s Amazon account to delete his Google account, then hopped to his Apple ID to remotely wipe his iPad, iPhone and MacBook of all data, and finally moved to take over his Twitter handle, which they used as a mouthpiece for spewing racial epithets to Honan’s 20,000+ followers. It took the hackers 10 minutes and a simple call to AppleCare asking for a password reset to destroy Honan’s digital life.
Yet an even more pernicious problem is account takeover, whereby hackers break into your existing account, thus inheriting your friend list and potentially destroying your reputation in the process. No need for the hacker to upload photos, create timeline posts, or dupe people into becoming “friends” to establish credibility—you’ve already done all the heavy lifting. Moreover, real profiles already hold tons of PII to pilfer. Do a simple search for “Facebook hacked” or “Facebook account stolen” and you’ll begin to see the massive scale of this problem.
How does such account hacking take place? Through three main methods:
- Phishing (i.e., a method of conning people into giving up sensitive information via electronic communications) and its clever cousin spear phishing (i.e., phishing attempts directed at specific individuals and companies). The social web is replete with short, innocent messages to “click here for more information,” and if one of those pages directs you to what looks like a Twitter login page first? Who would be the wiser?
- Malware that steals a user’s credentials. Malware is short for malicious software: invisible programs used by hackers to disrupt computer operations, gather sensitive information, or gain direct access to computer systems. Here’s looking at you, New York Times.
- Vulnerabilities in the website itself. If you know your tech-speak, terms like XSS, CSRF, and SQL injection won’t just sound like awesome Scrabble draws. Using these methods to exploit vulnerabilities in common web technologies, hackers go after the web servers, databases, and applications themselves. In other words, instead of just picking a lock with your password, the cybercriminals use cyber-dynamite to blast a hole through the site wall.
Once cybercriminals have access to an account, what can they do?
- Distribute their twisted message to your friend list, whatever it may be (hate-speech seems to be in vogue, as are those fake-login phishing pages); use PII to hack into your bank account and transfer your life savings away; directly steal your top-secret documents
- Acquire more friends (then go to step #1)
- Acquire access to more accounts (then go to step #1 or #2)
- Lather, rinse, repeat.
So now that you know how easy all of this is, you also know why it’s critical that sites take action before creating more victims. As the saying goes, an ounce of prevention is worth a pound of cure.
But don’t just take our word for it. Look at Wired’s Mat Honan, who covers technology for a living. Honan used a random password generator secured with “military grade encryption” for his accounts, but in the end the hackers snuck in by exploiting lapses that are endemic to these so-called security systems. If you consider these indirect uses for the data in every social network and online portal—LinkedIn, Twitter, Dropbox, Skype, and the gazillion more social sites spawning like salmon everywhere we look—you see myriad reasons that long con artists are now targeting accounts on sites of all types. As more and more information migrates to the cloud, each site in the web becomes more valuable. For users, this means paying attention not only to what you’re storing online, but to how well the sites protect your information; it’s not just your bank password you have to watch. And for the people who operate these sites, who previously thought “we’re just a social network; who’d want to hack our accounts,” unfortunately we’ve entered a new reality, where nobody is safe.
As always, be prepared: It’s not just for the Boy Scouts any longer.