Analysis: Rogue Facebook friend 'as bad as malware'


Criminals using fake 'friends' and groups to lure victims.

Accepting a friend-request or joining a group on Facebook could be more dangerous than clicking on a malicious link in a phishing email or even opening an untrusted attachment.

Once you accept a Facebook friend request, unless you specifically adjust your privacy settings to restrict access, that person can see all your personal information and easily familiarise themselves with your closest friends and associates. The same is true when joining a Facebook group or installing an application to your profile.

Access to an individual's social network provides cyber-criminals with the tools required to launch various attacks against that individual as well as everyone else who is part of their social network.

Attacks originating from within a social network are far more likely to succeed than random attacks because there is already a high level of trust, according to Wing Fei Chia, senior manager at F-Secure's security response team.

"Since 2008/9 we have seen social networking sites as the preferred platform for sending links and phishing scams. The level of trust between that network of your friends is much higher compared to searching for something on Google and falling for a poisoned search result.

"The majority of attacks related to social networking sites are sophisticated to a point that they socially engineer you - that is the biggest problem we see because there is no protection - the human is always the weakest link," Chia told iTnews.

Project NOSCAM is a group on Facebook designed to alert users to known scams and encourage users to report suspicious groups or users. We asked Robert Williams, founder of the group, how difficult it would be to create a fake profile for the sole purpose of social engineering.

"How difficult? I think you mean, 'how simple'," replied Williams. "The answer is extremely simple... I know it has already been done ... the recent string of 'Stranded in London' phishing attacks is a good example," said Williams.

The Stranded in London attack is where a person receives a Facebook message from one of their friends, who is asking for help because they are stranded after losing their passport, wallet and mobile phone.

There are a number of variations on this scenario but essentially, the victim is asked to wire their 'friend' some money via Western Union or a similar service.

The 'friend' is usually a contact whose Facebook account has been hijacked because they were using a simple password. A more sophisticated version of this scam requires criminals to create phoney profiles.

"When the victim realises they have wired money to someone who is not their friend, it is already too late," said F-Secure's Chia.

According to Chia, it is wise to be a little distrusting before responding to a friend request, joining a group, or becoming a 'fan'.

"People have hundreds and sometimes even thousands of friends and they just don't know who are their real friends. Very often people don't confirm if the friend request is authentic," he said.

Upon receiving a friend request that is suspicious - or from someone unfamiliar - Chia suggested it might be worthwhile to "ask a personal question", which should indicate if that person is genuine.

He also advises Facebook users to regularly look through their list of 'friends' and remove any that don't need to be there.

"That is something everyone should be doing. If they haven't been doing it from the very beginning they should start doing it now - they should look at the friend-set they have," added Chia.

Project NOSCAM's Williams believes that it is just as important to rigorously cull groups and applications that are not in constant use.

"What is most important is removing oneself from all the Groups, Pages, Events, and Apps that you don't use and don't communicate with on a regular basis," said Williams.

At the time of writing, Project NOSCAM had identified 467 scams with more than 41 million victims.

"That's nearly 12 percent of all Facebook users," said Williams, who suggested Facebook could make life easier by including an "always ignore" option for applications or groups. "The reason so many people get pulled into these scams is because they're tired of clicking 'Ignore' hundreds of times. It's simply easier to click 'accept' and not ever have to worry about it again."

Mitnick: The 'human firewall' is crucial

The threat from social engineering is nothing new. For over five years, analyst firm Gartner has suggested that social engineering, which it describes as exploiting people rather than technology, has been the biggest threat to IT security.

Infamous hacker Kevin Mitnick has often talked about the need for a 'human firewall', which is where a company's employees are educated about social engineering techniques and create an additional barrier against attack.

Earlier this year, Facebook inked a deal with McAfee to help educate its members to use the site safely through the www.facebook.com/security page and provide free software to protect their computers from malware.

At the time, McAfee's director of sales, engineering and services in APAC, Michael Sentonas, said: "We have found that about 78 percent of consumers do not have core security protection. We are going to provide Facebook users with security software, education and cleanup tools."

Just weeks later, rival security outfit Websense launched Defensio 2.0, an application designed to keep Facebook profiles - as well as blogs and websites - free from unwanted spam.

How many 'friends' do you have? How paranoid are you when accepting friend requests or joining groups? Do you know anyone who has fallen victim to a social networking scam? Let us know using talkback below or start a conversation with me on Twitter @mkotadia.

