Facebook Users Face Critical 'Stepping-Stone' Threats

Hijacked accounts can also be used to collect psychographic information on individuals for use in future targeted attacks

With literally billions of users that log in at least once every month for the sole purpose of sharing links and interacting with one another, Facebook provides a social-engineering rich environment for criminals to go hunting for cyber-victims. So perhaps it’s no surprise that a study from Kaspersky Lab reveals that Facebook remains the preferred target for cybercriminals who specialize in stealing social network accounts. But the damage, the firm points out, can range far beyond the social world.

As of the first quarter of 2014, Facebook had 1.28 billion monthly active users, according to Statista – a wide target by any standard. By capturing a victim’s Facebook login and password, cybercriminals can use those credentials to access the victim’s accounts on other sites where the same login details are reused. Smartphone and tablet owners who visit social networks from their mobile devices are also at risk of having their personal data stolen.

Kaspersky’s defense statistics show that in the first quarter, fake sites imitating Facebook accounted for 11% of all instances when the heuristics anti-phishing component was triggered in its software. Only fake Yahoo pages sparked more phishing alerts, leaving Facebook the prime target among social networking sites. It’s worth noting that today’s Facebook fakery is also a global business, with cybercriminals attacking the site in a variety of languages: English, French, German, Portuguese, Italian, Turkish, Arabic and others.

“However, it’s not only Facebook accounts that are at risk here, there is also the issue of stepping stone attacks,” the company said, in a blog. “This demonstrates why it’s so important to have separate passwords for each account.”

In addition to using the credentials to try for higher-value account access, like for online banking, unauthorized access to accounts in Facebook or any other social network can be used to spread additional phishing links or malware, because cybercriminals can also use stolen accounts to send spam to the victims’ contact lists. They can also publish spam on their friends’ walls where it can be seen by other users, or spread messages asking their friends to send urgent financial assistance. Hijacked accounts can also be used to collect psychographic information on individuals for use in future targeted attacks.

“Cybercriminals have developed a number of ways to entice their victims to pages with phishing content,” said Nadezhda Demidova, web content analyst at Kaspersky Lab, in the posting. “They send links to phishing web pages via email, within social networks or in banners placed on third-party resources. Fraudsters often lure their victims by promising them ‘interesting content’. When users follow the link provided, they land on a fake login page that contains a standard message asking them to log in before viewing the page. If users don’t become suspicious and enter their credentials, their data will immediately be dispatched to cybercriminals.”

On the mobile side, Kaspersky pointed out that some mobile browsers hide the address bar while opening a page, which makes it much more difficult for users to spot fake resources. If consumers regularly access their social networking sites on mobile devices and don’t protect those devices with a PIN or passcode, they are essentially leaving all of their social network (and other) accounts wide open to cybercriminals, the firm pointed out.

Users of Facebook and other social sites should take basic precautions: if they receive an email notification from Facebook or a message that their account may be blocked, they should never enter their credentials in a form attached to that message. Facebook never asks users to enter their password in an email or to send a password via email. Kaspersky also advises that users hover the cursor over the link and check whether it leads to the official Facebook page. Better still, they should manually type the Facebook URL into the address bar – cybercriminals are capable of concealing addresses, after all. And, once manually entered, the URL should be checked again after the page has loaded to make sure it has not been spoofed.

“Remember that Facebook uses the HTTPS protocol to transmit data,” Kaspersky added. “The absence of a secure connection probably means that you are visiting a fraudulent site even if the URL address seems to be correct.”
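The two checks recommended above, that a link really leads to facebook.com and that the connection uses HTTPS, written as a pre-click link filter of the kind a mail gateway or browser extension might run. This is an added example, not code from the article or from Kaspersky Lab; the official-domain set, the sample links and the reason strings are assumptions made for the example. The hostname is taken the way a browser resolves it, so "facebook.com" placed in the path or in front of an "@" does not count, which is how concealed addresses usually work.

```python
"""Pre-click check for links that claim to lead to a Facebook login page.

Added example, not from the article or from Kaspersky. It puts the two checks
the article recommends into code: does the link really point at facebook.com,
and does it use HTTPS? OFFICIAL_DOMAINS, the sample links and the reason
strings are assumptions for this example.
"""
from urllib.parse import urlsplit
import ipaddress

# Assumption: the article names only facebook.com, so only that registrable
# domain (and its subdomains) is treated as official here.
OFFICIAL_DOMAINS = {"facebook.com"}


def is_official_host(host: str) -> bool:
    """True for facebook.com itself or any subdomain; 'facebook.com.evil.example' fails."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def check_login_link(url: str) -> dict:
    """Classify a link before the user clicks it.

    The hostname is taken from the URL the way a browser resolves it, so a brand
    name placed in the userinfo, path or query does not count as facebook.com.
    """
    # A link pasted without a scheme is opened over plain HTTP by browsers.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []

    official = is_official_host(host) if host else False
    https = parts.scheme.lower() == "https"

    if not host:
        reasons.append("no hostname could be parsed")
    elif not official:
        reasons.append(f"host '{host}' is not facebook.com or a subdomain of it")

    # The brand name appears somewhere the browser ignores when picking the server.
    decoy = " ".join(filter(None, [parts.username, parts.path, parts.query, parts.fragment]))
    if not official and "facebook" in decoy.lower():
        reasons.append("'facebook' appears outside the hostname (decoy text)")

    if not https:
        reasons.append("connection is not HTTPS")

    if "xn--" in host:
        reasons.append("punycode label in host; check for look-alike characters")

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    return {
        "host": host,
        "official": official,
        "https": https,
        "reasons": reasons,
        "verdict": "ok" if not reasons else "suspicious",
    }


if __name__ == "__main__":
    # Constructed sample links using reserved names and documentation address space;
    # none of them are real sites.
    samples = [
        "https://www.facebook.com/login",
        "http://www.facebook.com/login",
        "https://facebook.com.account-verify.example/login",
        "https://www.facebook.com@evil.example/login",
        "https://evil.example/www.facebook.com/login.php",
        "https://xn--placeholder-label.example/",  # placeholder punycode label
        "http://203.0.113.10/facebook/login",
    ]
    for s in samples:
        r = check_login_link(s)
        detail = "; ".join(r["reasons"]) or "official facebook.com over HTTPS"
        print(f"{r['verdict']:10} {s}\n           {detail}")
```

The function returns every reason it found rather than stopping at the first, so a single verdict line can tell the user both that the host is wrong and that the page is served over plain HTTP, which matches the two independent signals the article asks readers to check.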
