Study: Pick Your (Online) Friends Wisely

By John Wagley

It isn't always easy to turn down a request to be friends—especially in the context of online social networking. That was one finding of a recent study by security research firm Sophos. The trouble is, according to security experts, a growing number of networking messages are coming from scammers, phishers, and malware distributors.

Sophos created two fictitious profiles for the study. Daisy, represented by a picture of a rubber duck, was 21 and single; Dinette, posting a picture of two cats on a rug, was 56 and married. Sophos sent 100 friend requests from each profile to random contacts in similar age ranges.

After two weeks, 46 and 41 percent of requests were accepted for Daisy and Dinette, respectively. Dinette actually gained 49 new friends, as some users friended her on their own. The number of new friendships generated in the study, conducted in Australia, was comparable to that of a similar England-based 2007 Sophos study. The new study shows how social networkers remain vulnerable to a variety of scams, says Sophos senior technology consultant Graham Cluley.

In 89 percent of cases, “Daisy” was able to learn her new friends' dates of birth. “Dinette” could do so 57 percent of the time. E-mail addresses were discoverable in 100 and 88 percent of cases, respectively. Gleaning such information frequently serves as a “starting point” for further scams such as phishing and social engineering, according to Paul Ducklin, Sophos head of technology in the Asia Pacific region, who conducted the study.

In some cases, hackers will use basic information to try to break into other accounts. “Friends,” claiming to be in trouble, will sometimes ask for money; others will send links to Web sites that download malware. Hackers frequently gain access to one social networking account and then contact many of that person's friends. About 21 percent of networking users have been targeted by phishing and other attacks, according to Sophos.

Many people should ask themselves whether it's necessary to post information such as a date of birth or e-mail address, Cluley says. Although users are required to provide a date of birth when registering with Facebook, it can be hidden with the site's privacy settings. Users might also consider providing false information or revealing only a birth year, Cluley says. People might also reconsider sharing their e-mail address, as people can already be contacted via social networking.

As a rule, people should avoid posting anything online they do not want public, according to Cluley. Hacking aside, social networking and other sites have numerous privacy-related risks, he says. A site could accidentally leak data, for instance.

At least one analyst says some users are starting to exercise more caution in the broad range of information they post. Job applicants, for instance, particularly younger ones, are realizing that many potential employers are viewing their networking pages, says Claire Schooley, a Forrester Research analyst. “Many are realizing it's time to clean up [their] Facebook.”

Online friending should be more selective, say Ducklin and Cluley. In the study, the younger group had 220 friends on average; the older group had 932. But no one has 932 “true friends,” says Ducklin. A friend is someone you “know, like, and trust.... Not merely a button you click on.”

♦ Photo of Facebook friends by mahlness/Flickr

