Hackers Find a Social Invitation

Social networking sites are the latest threat to your company network because employees use your computers to access them.
June 10, 2008
URL: http://www.entrepreneur.com/article/194806

By: Paul Korzeniowski
bMighty

Looking for the latest threat to your company network? Take a close look at the growing number of business and personal social networking sites, which are now attracting hackers in droves.

As a general rule, "where users go, hackers follow." Right now, users are flocking to social networking sites -- it's an industry phenomenon. Daily, hundreds of millions of individuals log onto Bebo, MySpace, and Facebook to see who has checked out their pages. Nipping at their heels is an army of hackers, armed with malware of all kinds: spyware, viruses, online scams, and phishing expeditions. In fact, social networking sites have quickly become hackers' third most popular target, trailing only Microsoft Windows and messaging systems.

"Why should you care?" Because your employees are probably accessing social networks and odds are they're using your computers to do it (at least on occasion). Plus, hackers' interest isn't limited to consumer social networking sites; popular business sites, such as LinkedIn, are just as prone to the problems.

The bad guys attack social networks in several ways. They probe the sites' foundations. In January 2008, hackers exploited flaws in Microsoft ActiveX controls, which are used on Bebo, Facebook, and MySpace, to snatch control of users' PCs. The vulnerabilities were found in a pair of ActiveX controls that these sites rely on to upload images to their Web pages via Microsoft's Internet Explorer browser.

A second area that hackers are trying to exploit is the move by social networking sites to encourage third-party application development. MySpace and Facebook have begun licensing their developer platform to other organizations and individuals, so they can develop their own social networks. These new sites are becoming launching pads of malware, something that happened in May with MySpace.com. In response, Tom Anderson, president of the company, notified developers about changes in its platform.

The nature of social networking, where users freely share files, also has attracted hackers. Unsuspecting individuals frequently download data, which could contain malware such as viruses and Trojan horses. In fact, the National Cyber Security Alliance (NCSA) found that 83% of users downloaded unknown files from other people's profiles, which potentially opened their PCs to attack.

In addition to infecting users' PCs, hackers use the sites to steal personal information, and the friendly, casual nature of these sites simplifies their work. Although 57% of people who use social networking sites admit to worrying about becoming a victim of cybercrime, many divulge information that could put them at risk. Close to three out of four users have given out personal information, such as their e-mail address, name, or birthday, that can be used to perpetrate identity theft, according to the NCSA. Amazingly, 4% have even listed their Social Security numbers somewhere on their social network page.

Social networking sites also are becoming sanctuaries for phishing expeditions, instances where hackers create fake Web sites that mimic places like banks and credit card companies. After users input their personal data, criminals use it to perpetrate identity theft. The NCSA found that 31% of adults who use social networking sites have responded to unsolicited phishing e-mail or instant messages.

These problems are coming in the back door at many smaller businesses. That's because top managers aren't usually the folks who troll these sites and younger employees are often oblivious to the dangers. So, what's a smaller business to do?

The first step is monitoring where your users are going. Blocking them from these sites when they use company computers is possible with the various Web site monitoring tools available. In fact, many large companies already have taken that step.

Education also is needed. This process must start with the executive team and then filter down to the employee ranks. Hackers already understand the impact of social networking sites; the time has come for your organization to recognize the threat and protect itself from their malware.