Building a farm or joining the Mafia Wars on Facebook is just as much a part of your daily routine as checking your work email. Crappy movies, boring parties and bad break-ups are all fodder alike for acerbic Tweets. Pictures taken on your cellphone make it on your Orkut profile page at the speed of light, and padding your friends list is your favourite pastime.
Our lives today are increasingly submerged in social-networking websites, like millions of others worldwide. In the last year, the number of Indian visitors to sites such as Facebook, Orkut, MySpace and Twitter increased by 51 per cent to 19 million (according to comScore's 2009 report). And where people are,the phishers, scammers and spammers go.
Popular targets
“Social-networking sites have become one of the most popular targets for cyber criminals,” says David Freer, vice-president Consumer Business, Asia Pacific and Japan, Symantec, calling 2009 the year of attacks against social-networking sites and their users. “These sites have a huge number of users (Facebook alone has 350 million), and cyber criminals have a fairly simple modus operandi — go where the people are.”
Amit Agarwal, one of India's top tech bloggers agrees. “The threat is very real,” he says. “You often read about these things but don't know the people affected, but this is actually happening, everyday.”
For instance, he describes a recent attack on Twitter, due to which passwords had to be reset on a few thousand accounts. “The attack took advantage of people's innate laziness,” says the blogger. “Many of us use the same credentials — username and password — on multiple websites, which means that the guys at some questionable site you visited, let's call it xyz.com, can now log on to your other accounts, such as Twitter.”
Once they have access to your account by any means, your entire contact list becomes vulnerable to spam, phishing or ‘drive-by download' attacks through links or notifications that are sent out. “By their very nature, social-networking sites are about a group of people who trust each other,” explains Freer. “If you get a request to look at photos on Facebook or click on shortened URL on Twitter from a friend, you tend to trust it automatically.”
Those links could take you to imposter sites that ask you to enter your credentials again (standard phishing), or more sneakily, simply take you to a site that silently download malware onto your system, i.e., the ‘drive-by download'. “Last year, this was the fastest growing form of attack — there were18 million drive-by download attacks in all of 2008; in 2009, we hit that number just between August and October,” says Freer.
The buzzword among experts for these attacks is ‘social engineering' — using people's behaviour patterns to target them for attacks. “The actual attacks are the same as what we've seen earlier, via email, etc., but the false sense of trust and security existing in social networks makes it easier for criminals to deceive,” says Na. Vijayashankar a.k.a. Naavi, cyber law and techno-legal consultant.
Third-party applications on websites such as Facebook — those fun games and other time-pass applications you add on — are also frequent offenders, exposing your system to malware embedded in the application itself or in the ad on the side of its webpage. “The bad applications are usually banned after a few reports from users, but on day one of the attack, no one will know. There are 500,000 applications on Facebook, for example; it's just impossible for them to keep track of them all,” says Amit.
“A lot of these game apps involve money transactions, so they get your credit card details, and scams do happen,” adds Tarun Shan, a 22-year-old student of Hindustan Engineering College, and an online entrepreneur. “People think these sites are so cool and just get addicted, but they need to be careful.”
The only defence
Common sense, it would appear, is the only defence against these attacks (and an up-to-date anti-virus software on your system, of course). For instance, research shows that an alarming number of users on social-networking sites add people they don't really know as friends. “Don't get into a mad race to add more friends just for the sake of it,” says Naavi. “Use some sort of screening process when you get requests from people you don't know.”
Be cautious about opening any weird links from people already on your friends list. “If you're getting unusual messages from a friend, send them a note asking them about it,” says Freer. “And always be wary of short URLS which can mask malicious sites.”
And don't be lazy; educate yourself. “Most of these websites are doing all they can to protect you, but you have to do your bit as well,” says Amit.
Top tips
1. Be wary of adding strangers to your friends list
2. Be careful while clicking on shortened URLs
3. Use strong passwords. Create different passwords for different accounts
4. Be cautious while using third-party applications and sharing private data with them
5. If you're getting unusual messages from a friend, send her a note about them
