Phishing e-mails, which aim to dupe targets into revealing financial and other personal information, are increasingly targeting high-level executives, according to recent reports. For one major e-mail managed services firm, the main culprit is clear: social networking sites.
Users of sites such as Facebook often make new contacts without verifying their legitimacy, says Mark Sunner, chief security analyst at London-based MessageLabs. Facebook and similar sites also make all information public by default, he says. Other sites such as LinkedIn can provide a wealth of information on issues such as employment history.
The trouble with such information sharing is that it makes users more vulnerable to come-ons from nefarious characters. In phishing, just a touch of familiarity in an e-mail makes targets far more likely to bite, says Sunner.
“Social sites are a goldmine for phishers,” he says. In 2007, MessageLabs intercepted about 10 targeted attack attempts daily, according to the firm’s 2007 annual security report. That’s up from about one per day the year before and two per week in 2005. All of the messages showed some familiarity with either the targets or their functions. Many of last year’s messages contained the recipient’s full name and job title in the subject line. Many had either a .Zip file or Microsoft Word attachment with an embedded spying Trojan.
In a recent poll, MessageLabs found that about 75 percent of its customers said the number of visits to social networking sites by their employees had increased in the prior six months. A recent Silicon.com survey says 8 percent of employees admitted to spending between one and five hours a week visiting the sites. Two percent admitted to visiting for five to ten hours a week.
To mitigate their risk, firms should have a policy governing the use of the sites, says Sunner. This can range from learning who receives networking site e-mails to banning the sites’ use, he says. And firms should educate employees, “even if just by sending a memo,” about some of the risks of divulging too much information. They should also employ at least a minimal form of site monitoring.
Many companies already filter the sites. One major e-mail and Web security firm, Barracuda Networks, says that more than 50 percent of its Web Filter customers block either MySpace or Facebook. Web filtering in general is also on the rise, according to the Campbell, California-based security firm. In a study of 228 IT professionals, Barracuda found that 53 percent of businesses use automated Web filtering. A growing number—65 percent—intend to do so by the end of 2008. Seventy percent of respondents named virus and spyware blocking as a top reason for site blocking, while 52 percent named productivity drain.
While acknowledging the sites’ risks, Forrester Principal Analyst Chenxi Wang says it may be too soon to know the extent of the risk. “Part of the concern may be because [the sites] are new.” she says. “I haven’t seen proof that that’s where criminals get their information.”
Sunner disagrees with that view. “There are crooks who are just as interested in the data you share as the people looking for friendship.”