T 5.158 Abuse of social networks
Social networks are very successful platforms that attract more and more members. Besides their various advantages, however, they carry security risks which users should not lose sight of:
- The identity a user presents in a social network or virtual world (e.g. a user profile or avatar) is often closely connected to the user's real identity. Other persons may misuse such a virtual identity, for example by acting in this role under false pretences without the owner being aware of it.
- Users of social networks disclose a large amount of information about themselves in order to be noticed and to be able to participate in these networks. Depending on the purpose of the social network, this may include the user's name and photo, one or several e-mail addresses, place of residence, employer, and personal and professional history. This information is accessible to large groups of users, and once published the user can no longer control its distribution.
- Information on users can serve as the basis for social engineering attacks. The aim of such attackers is to gather as much background information as possible in order to gain the victim's trust and then persuade the victim to carry out further actions, e.g. to open certain files.
- Confidential information can be disclosed because the general idea of a "social network" suggests close relationships and trust between the participants, which do not always exist in reality.
- The data accessible via social networks can be used for targeted guessing of passwords. Data such as date of birth, place of birth, schools and universities attended, and places of work are typically entered upon registration with such services in order to find interesting contacts. Many Internet providers and applications also ask for exactly this kind of personal information when a password is set, and query it as a security question if the password is forgotten. In telephone banking, for example, it is often sufficient to know the correct date of birth, which can easily be found via social networks.
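The following is an added example, not part of the original catalogue entry, illustrating the last point: it derives the candidate passwords and security-question answers an attacker can read off a public profile and checks a chosen password or answer against them. The profile values, the suffix list and the function names are constructed assumptions for this example only.

```python
import re
from datetime import date
from itertools import permutations

# Constructed sample profile; all values are made up for this example.
PROFILE = {
    "first_name": "Anna",
    "last_name": "Mustermann",
    "birth_date": date(1985, 7, 14),
    "birth_place": "Bremen",
    "school": "Goethe-Gymnasium",
    "employer": "Beispiel AG",
    "pet": "Bello",
}

# Common decorations people append to a word to satisfy complexity rules (assumed list).
SUFFIXES = ["", "!", "1", "123", "2024"]


def profile_tokens(profile):
    """Lower-case words and date fragments an attacker can read off the profile."""
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            tokens.update({
                value.strftime("%d%m%Y"),    # 14071985
                value.strftime("%d.%m.%Y"),  # 14.07.1985
                value.strftime("%d%m"),      # 1407
                value.strftime("%Y"),        # 1985
                value.strftime("%y"),        # 85
            })
        else:
            for word in re.split(r"[\s\-]+", value):
                if len(word) >= 3:
                    tokens.add(word.lower())
    return tokens


def candidate_passwords(profile):
    """Guess list: single tokens and ordered token pairs, each with the common suffixes."""
    tokens = sorted(profile_tokens(profile))
    bases = set(tokens)
    bases.update(a + b for a, b in permutations(tokens, 2))
    return {base + suffix for base in bases for suffix in SUFFIXES}


def profile_derived(password, profile):
    """Return the guess or profile token the password is built from, or None."""
    pw = password.lower()
    if pw in candidate_passwords(profile):
        return pw
    # Longest tokens first, so the most specific match is reported.
    for token in sorted(profile_tokens(profile), key=len, reverse=True):
        if len(token) >= 4 and token in pw:
            return token
    return None


def answer_is_public(answer, profile):
    """True if a security-question answer is already readable from the profile."""
    return answer.strip().lower() in profile_tokens(profile)


if __name__ == "__main__":
    for pw in ["Anna1985!", "Bello123", "Bremen14.07.1985", "correct horse battery staple"]:
        print(f"{pw!r:34} -> {profile_derived(pw, PROFILE)}")
    print("security answer 'Bremen' is public:", answer_is_public("Bremen", PROFILE))
```

A registration form or password-reset flow can run the same check against the data the user has just entered into their own profile and refuse passwords or security answers that fall into this candidate set.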
Example
"Evil twin": A phisher used a social network to create a forged profile of a celebrity. Because images of the celebrity were publicly available and a seemingly authentic page could be created quickly, visitors to the profile had no easy way of recognising that the identity was falsified. The attacker placed a link on the profile page, supposedly to a video. In fact, the link led to a forged log-in page on an external website. The attacker stored the victims' log-in data obtained this way in a so-called drop zone.
In general, spying out the access data for a social network does not directly cause a financial loss for the users. If the data falls into the wrong hands, however, an online profile manipulated by phishers can damage the owner's reputation. In the present case the attacker did not exploit a vulnerability in the web application; this phishing variant is possible on any online platform that does not verify the identity of its users. Greater damage than manipulated profiles can be caused by messages sent within the platform that contain links to websites prepared with malware. Because the users trust each other, the attacker can expect a high success rate. The same rule as for phishing e-mails applies to social networks: links contained in messages should be treated with healthy scepticism.
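As an added example, not part of the original entry, the following check classifies the links in an in-platform message the way a cautious user (or a message filter) would: links that stay on the platform's own domain, links whose host merely contains the platform's name (the "evil twin" log-in page above), and links to unrelated external hosts. The message text and the domain names are constructed for this example; `.example` and `.test` are reserved names and do not resolve.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message, modelled on the "video" lure described above.
SAMPLE_MESSAGE = """Hi! Have you seen this video of you? https://socialnet.example/videos/4711
Log in here to watch it: http://socialnet.example.login-check.test/video
Or download it directly: http://cdn-files.test/clip.exe"""


def is_platform_host(host, platform_domain):
    """True only if host is the platform domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == platform_domain or host.endswith("." + platform_domain)


def classify_links(text, platform_domain):
    """Return (url, verdict) pairs with verdict 'internal', 'lookalike' or 'external'."""
    label = platform_domain.split(".")[0]  # e.g. "socialnet"
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")          # drop trailing punctuation from the sentence
        host = urlparse(url).hostname or ""
        if is_platform_host(host, platform_domain):
            verdict = "internal"
        elif label in host.lower():
            # The platform name appears in the host, but the registered domain differs:
            # the classic forged log-in page.
            verdict = "lookalike"
        else:
            verdict = "external"
        results.append((url, verdict))
    return results


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_MESSAGE, "socialnet.example"):
        print(f"{verdict:9} {url}")
```

The decisive test is `is_platform_host`: a plain substring check such as `"socialnet.example" in host` would accept `socialnet.example.login-check.test`, which is precisely the trick the forged log-in page relies on.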