This post is one in a series of articles that expand on the recently released McAfee Labs 2014 Threats Predictions. In this and related posts, McAfee Labs researchers offer their views of new and evolving threats we expect to see in the coming year. This article was written by Aditya Kapoor.
In order to maximize profits, cyberattackers quickly adapt to popular forms of communication; they go where their victims go. Sometimes they even seem to get there first. Every time a new medium gains popularity, fast-moving attackers find the new medium’s flaws and take advantage of its new users. This tactic works because many new services haven’t fully worked out security measures even as their popularity skyrockets.
Email and traditional Internet messaging (Yahoo, Google Talk, MSN, and others) have seen plenty of malware attacks. When we use these “old” systems, most of us know to not open attachments or click on links from strangers. But new systems often seem fresh and different when we first use them.
McKinsey’s iConsumer report (published by Forbes) confirms the obvious: email usage has been declining for years (36% of users in 2012, down from 42% in 2008), while social media usage rose to 26% in 2012 from a meager 15% in 2008. Overall, people are still communicating primarily by email, but its use continues to drop. More and more people now connect and interact via services such as Facebook, Twitter, Snapchat, Instagram, LinkedIn, WhatsApp, and others. These services are available on any device.
As we flocked to Facebook, it was new and seemed safe. But starting in 2008 and peaking in late 2009, Koobface malware was one of the primary threats against Facebook users. Until it lost steam in 2011, Koobface employed a lot of advanced features in its botnet: using URL-shortening services to send malicious links, hijacking users’ accounts, autoresolving CAPTCHAs, and other methods. Many of these features are still present in similar but much smaller threats.
Three categories of attacks on social media are the most prevalent: data theft, money theft, and profile and network-identity theft. This triumvirate isn’t likely to diminish because its appeal is fundamental to the goals of cybercriminals.
Data theft: malware installation
Social media features change rapidly; many users have a hard time determining what is legitimate versus what is not. Attackers take advantage of the confusion of ever-changing applications and policies. Recently we have seen numerous social-engineering tactics that trick users into installing an application for a service that does not exist. These campaigns use a similar tactic: Users receive an email purportedly from a social media company with a link to a “new” app. After clicking the link, they are asked to download a plug-in, which installs malware and steals information. For example, one recent attack sent an email with a “voice message notification” apparently from WhatsApp. Listening to the message, however, added the user’s machine to a botnet. These methods are not new, but mixing the malware message with social media often confuses users who don’t know what the norm is.
Money theft: spam and scam
Scammers also use fake notification systems that masquerade as updates from social media sites. A notification email apparently from a social media site claims there are unread messages. Clicking the message redirects users to fake pharmaceutical items, for example. Some users buy these items, sending money to crooks.
Scammers are quick to use new communication mechanisms and abuse them to generate money or steal personal information. Recently criminals used Snapchat in a pay-per-install affiliate model: Users received nude pictures and, in order to see more snaps, had to download an application, which in turn paid the spammer money for the installation.
Snapchat has become very popular for the wrong reasons—such as sending explicit images—because the service promises to delete the images after a set time. Recently scammers used Snapchat to show “leaked” pictures; users had to enter their Facebook login credentials to access the information. You can guess where the login information went—to the scammer’s server.
Profile and network-identity theft: spearphishing on social media
Social media sites like Facebook have done a lot of work to keep their users safe. It is difficult for scammers to post a malicious link to another user who is not in the friend network. But a social network is only as strong as the weakest link, which can compromise the entire friend network because we tend to trust our friends and what they post. (Security blogger Dancho Danchev writes about one example in “Continuing Facebook ‘Who’s Viewed Your Profile’ Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem.”)
LinkedIn has become fertile ground for attackers. By watching for the updated status of executives or salespeople and their new connections, online spies might gain a competitive edge or knowledge of unannounced products.
What’s coming
The social media landscape is changing rapidly, with new services being introduced faster than they can be secured. Scammers and malware authors abuse these services and make the most of them while people are still learning about the new security risks. When the security bar is raised high enough, these scammers move on to newer mass communication methods. Their methodologies and motives remain largely the same.
In the coming year we are likely to see an increase in corporate espionage via social networks such as LinkedIn. It’s a good idea to verify a message even when a known person tries to contact you on social networking sites. A simple IM or email to verify identity is enough to keep scammers at bay.
Scammers will use apps like Poke and Snapchat to prompt victims to “win a free iPad,” for example, by visiting a website within 10 seconds. Some unsuspecting users will give out their information as fast as possible, succumbing to rush tactics.
A continuing worry about social media services is the false sense of privacy they encourage. We will continue to see children and adults become complacent and share private pictures and other information. Parents need to talk to their kids who use social media about safe sharing practices.
In the coming year social media attacks will continue and mature, as attackers find new ways to craft their attacks. We expect spam and phishing attacks will gain momentum. In the corporate world, data related to business social networks and contacts will become a greater target than passwords or credit card information.