Hijacking and Phishing
Social networking, by its very nature, is about socializing, which means users are letting their guard down and sharing information. They're expanding their professional networks, connecting with old friends, and communicating in real time with pals and peers. And for bad guys who favor social-engineering and phishing attacks, taking advantage is like shooting fish in a barrel.
Beware Friends Seeking Money
Most people know enough to not respond to e-mail requests from exiled Nigerian royalty promising millions of dollars if only you will help them smuggle the money out of the country. Anybody who doesn't know better probably shouldn't be on the Internet; such people are a danger to themselves and others.
But what if your good friend from high school whom you haven't seen in 18 years sends you a message on Facebook explaining how their wallet was stolen and their car broke down, and asks you to wire money to help them get home? You might not be as apprehensive, but you should be.
Attackers have figured out that family and friends are easy prey for such sob stories. Using other attacks or methods, they gain access to a Facebook account and hijack it. They change the password so that the legitimate owner can't get back in, and then they proceed to reach out to the friends of the hijacked account and attempt to extort money from those friends through social engineering.
How do you resist such techniques? Assume that a relative or friend close enough to ask you for money would probably have your phone number, and that Facebook or e-mail would not be the first choice for contacting you in an emergency. If you get such a Facebook message or e-mail plea, and you aren't sure, pick up the phone and call the person directly to confirm.
What's Behind That Tiny URL?
Another threat that has emerged as a result of social networking is the tiny-URL attack. Some URLs are very long and don't work well in e-mail or in blog posts, which created a need for URL-shortening services. Twitter, with its 140-character limit, has made the use of URL-shortening services like Bit.ly a necessity.
Unfortunately, attackers can easily exploit a shortened URL to lure users into accessing malicious Web sites. Because the shortened URL is a random collection of characters that has nothing to do with the actual URL, users cannot easily determine whether it is legitimate.
Tweetdeck, a popular application for Twitter, provides a 'Show preview information for short URLs' option, which offers some protection. The preview window shows details about the shortened URL, including the actual long URL it leads to.
If you aren't using Tweetdeck for Twitter, or if you need to deal with shortened URLs on other sites and services, maintain a healthy dose of skepticism and remain vigilant about what might lie behind that obfuscated address.
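For readers who want the same preview Tweetdeck offers on any site, here is an added example (not code from the original article) that resolves a shortened URL by sending HEAD requests with redirect-following switched off and reading each Location header, so the final destination is revealed without the browser ever loading it. The short URL and the redirect chain in SAMPLE_RESPONSES are constructed sample data, not real links.

```python
"""Preview the destination behind a shortened URL without visiting it."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # shorteners sometimes chain through several redirectors


def head_no_follow(url):
    """Return (status, Location) for one HEAD request, never following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # tell urllib not to chase the redirect itself
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx is raised here
        return err.code, err.headers.get("Location")


def expand_short_url(url, fetch=head_no_follow):
    """Walk the redirect chain by hand and return every hop, first to last.

    `fetch` is injectable so the chain can be resolved from recorded
    responses (offline, as in fake_fetch below) as well as live.
    """
    hops = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            break  # landed on real content (or an error): stop here
        hops.append(urljoin(hops[-1], location))  # Location may be relative
    return hops


# Constructed sample chain standing in for a real shortener (not real URLs).
SAMPLE_RESPONSES = {
    "http://short.example/abc123": (301, "https://redirector.example/go?id=9"),
    "https://redirector.example/go?id=9": (302, "/landing"),
    "https://redirector.example/landing": (200, None),
}


def fake_fetch(url):
    """Offline stand-in for head_no_follow using the constructed responses."""
    return SAMPLE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for i, hop in enumerate(expand_short_url("http://short.example/abc123", fake_fetch)):
        print(f"hop {i}: {urlparse(hop).netloc:28} {hop}")
```

The hostname printed for the last hop is the one to judge before clicking; with the default `fetch` the same function queries a live shortener.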
Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as @PCSecurityNews and provides tips, advice, and reviews on information security and unified communications technologies on his site at tonybradley.com.