Facebook: Self-XSS, clickjacking and survey scams abound

With so many users, Facebook is a target for scams; it can also expose your personal information far beyond your group of friends.

Users need to remember that Facebook makes money from its advertisers, not from its users. Since advertisers want to get their message out to as many people as possible, Facebook shares your information with everyone, not just your "friends." And most recently, Facebook's facial recognition technology automatically suggests that friends tag you, unless you turn it off.

Scams on Facebook include cross-site scripting, clickjacking, survey scams and identity theft. One of the scammers' favorite methods of attack at the moment is a form of cross-site scripting known as "Self-XSS." Facebook messages such as "Why are you tagged in this video?" and the "Facebook Dislike button" take you to a webpage that tries to trick you into copying and pasting malicious JavaScript code into your browser’s address bar. Self-XSS attacks can also run hidden, or obfuscated, JavaScript on your computer, allowing malware to be installed without your knowledge.

Facebook scams also tap into interest in the news, holiday activities and other topical events to get you to innocently reveal your personal information. Facebook posts such as “create a Royal Wedding guest name” and "In honor of Mother’s Day" seem innocuous enough, until you realize that information such as your children’s names and birthdates, pet’s name and street name now reside permanently on the Internet. Since this information is often used for passwords or password challenge questions, it can lead to identity theft.

Other attacks on Facebook users include "clickjacking" or "likejacking," also known as "UI redressing." This malicious technique tricks web users into revealing confidential information, or takes control of their computer, when they click on seemingly innocuous webpages. Clickjacking takes the form of embedded code or script that can execute without the user's knowledge. One disguise is a button that appears to perform some other function. Clicking the button sends the attack out to your contacts through status updates, which propagates the scam. Scammers try to pique your curiosity with messages like "Baby Born Amazing effects" and "The World Funniest Condom Commercial – LOL". Both clickjacking scams take users to a webpage urging them to watch a video. When you view the video, a post saying that you “like” the link is shared with your friends, spreading it virally across Facebook.
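As an added defender's example (not code from the Sophos report), the following Node.js function classifies whether a page's HTTP response headers stop it from being loaded inside a third-party frame, the embedding that a clickjacking page depends on. It uses the standard X-Frame-Options and Content-Security-Policy frame-ancestors mechanisms; the sample responses are constructed.

```javascript
// Added example: decide how a page may be framed, based on its response
// headers. A page that any origin can frame is exposed to UI redressing.
// Sample headers below are constructed, not taken from a real site.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") {
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, "").toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // Normalise header names so lookups are case-insensitive.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Per the CSP spec, frame-ancestors overrides X-Frame-Options when present.
  if (h["content-security-policy"]) {
    const ancestors = parseFrameAncestors(h["content-security-policy"]);
    if (ancestors !== null) {
      if (ancestors.includes("*")) return "any-origin";
      if (ancestors.includes("none")) return "denied";
      if (ancestors.length === 1 && ancestors[0] === "self") return "same-origin";
      return "allow-list";
    }
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "denied";
  if (xfo === "SAMEORIGIN") return "same-origin";
  if (xfo.startsWith("ALLOW-FROM")) return "allow-list";
  return "any-origin"; // no framing restriction at all
}

function isClickjackingProtected(headers) {
  return framingPolicy(headers) !== "any-origin";
}

// Constructed sample responses: an unprotected page and a hardened one.
const unprotected = { "Content-Type": "text/html" };
const hardened = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
};
```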

Clickjacking is also often tied to “survey scams” which trick users into installing an application from a spammed link. Cybercriminals take advantage of news topics, such as the Osama bin Laden video scam, which takes you to a fake YouTube site in an effort to get you to complete a survey. Scammers earn commission for each person that completes it. Taking the survey also spreads the scam virally to your Facebook friends.

In theory, new Facebook security features provide protection against scams and spam—but unfortunately they’re mainly ineffectual. Self-XSS, clickjacking and survey scams essentially did not exist just a few years ago, but they now appear on Facebook and other social networks on a daily basis.

Our recent social networking poll also asked computer users which social network they felt posed the biggest security risk. Facebook is clearly seen as the biggest risk with 81% of the votes, a significant rise from the 60% who felt Facebook was the riskiest when we first asked the question a year ago. Twitter and MySpace each received 8% of the votes this year, and LinkedIn only 3%.

Twitter: Beware of shortened URLs

Twitter is a valuable source of real-time information. During the devastating Japanese earthquake and tsunami in March, Twitter users shared information and helped raise funds. Unfortunately, as often happens, scammers try to channel that goodwill for their own gain. A Twitter scam impersonating the British Red Cross asked tweeters to send money via MoneyBookers to a Yahoo email address in one Japanese tsunami charity scam. In another scam, emails resembling Twitter notifications included dangerous links disguised as a tsunami video. If you clicked on this link, malicious JavaScript could infect your computer.

Twitter users often shorten URLs via bit.ly and other services to keep tweets within their 140 character limit. Hackers can also create shortened URLs to easily redirect you to malicious sites, since the URL itself gives you no indication of the site name. Although most shortened URLs are legitimate, if a link brings you to another page that asks for a Twitter or Facebook password, leave immediately.

Similar to Facebook scams, Twitter messages promise such curiosities as the “Banned Lady Gaga Video,” which takes users to a fake YouTube page. If you click the play button, a window pops up and seeks permission to access your Twitter account. If you grant access, you allow third parties to post messages in your name. Another recent scam, “TimeSpentHere,” promises to tell you how many hours you’ve spent on Twitter. Since it appears to come from a Twitter friend, you may think about clicking on it. But this rogue application actually wants your email address, which could be used later for a phishing campaign or spam.

LinkedIn: Threats remain low

Although cybercriminals more frequently target users of Facebook and Twitter, the business networking site LinkedIn is also a target.

The biggest threat with LinkedIn is data-mining. Cybercriminals take information about companies and whom they employ, and then use that information to launch spearphishing attacks. Corporate directories also exist online, providing a wealth of information for spearphishers.

Malicious LinkedIn invitation reminders pose another threat. These links can redirect you to a webpage that installs a variant of the Zbot malware (also known as Zeus) onto your computer. If you click, remote hackers can now compromise your computer and potentially steal your confidential data.

Google Plus: Early users demand privacy

Google Plus, a recently launched social network that aims to compete head-to-head with Facebook, is learning the ropes as far as privacy is concerned. Google currently restricts the social network to a "limited field trial" so they can gather feedback, patch bugs and identify privacy holes before making the site available to a mass audience. Privacy experts say that Google Plus is designed to let people have better control over privacy with respect to sharing with family, co-workers and friends.

In response to initial user feedback, Google Plus recently changed its privacy options around gender, so that users do not have to reveal their gender online.

Protection strategies for social networking

Facebook has its own Facebook Security page. But we also recommend reviewing the Sophos best practice guidelines for Facebook privacy settings with your organization’s staff and setting up ongoing security training and awareness. You can also keep up to date with the real threats on Facebook by encouraging all users to join the Sophos Facebook page. Our Facebook page alerts you to the latest rogue applications, scams and malware attacks threatening social network users. You can also learn how to clean up your Facebook profile after a survey scam in this Sophos YouTube video.

Facebook security best practices: A summary

  • Adjust Facebook Privacy settings
  • Read the Facebook Guide to Privacy
  • Think carefully about choosing your friends
  • Show “limited friends” a cut-down version of your profile
  • Disable options, then open them one by one

If you’re a victim of rogue Twitter applications, you can remove their rights by going to the Twitter website and visiting Settings/Applications and revoking the offending app’s rights. Twitter also has a Safety Center within its Help center and blog posts on how to Avoid Phishing Scams. You can get regular status updates on Twitter by following @safety and @spam. And, be sure to follow @SophosLabs to get regular updates to protect your business.

LinkedIn’s blog discusses security issues and includes posts such as Protecting yourself from hackers and Quick tips on Security and Privacy.

Consider working with your communications team to put a Social Media Policy in place for your company that includes not only how to communicate using social media, but also how to protect yourself on these sites. Also realize that some sites let you broadcast your messages between different social networks. For instance, you can choose to have all of your LinkedIn updates also sent out as tweets, but remember that your audience on Twitter can be anyone, whereas only your own network can view LinkedIn updates.

Finally, keep your antivirus software up to date, install the latest security patches and, if you’re looking for news, go to the legitimate news websites rather than clicking on a link sent by a friend.

For more information or to read the Sophos Security Threat Report Mid-Year 2011 in its entirety, download now.

Posted by CEOinIRVINE