1300 222 547
Cyber-Crooks Exploit Shared Links
Glance at any business magazine or financial newspaper these days and you’ll spot at least a couple of references to the spread and impact of social networking. Often a new threat is revealed, one that not only shocks the reader as an individual but also alarms business people who quickly recognise the implications for their company. That’s why it pays to have the cell-phone number of an experienced team of experts in computer forensics close to hand. If you fear you might already be in trouble, you’ll need to call straight away.
A good coverage of this evolving challenge came in The Financial Times on September 2 in a lengthy article examining how friends and not editors were shaping internet habits. Traditional portals are being spurned as sharing makes news personal. The problem is that cyber-crooks have picked up on the growing trend among users of social networks to share links. The technological ease of doing so brings with it a security risk that can have a knock-on effect on the popularity of such sites. That’s the view of the FT’s San Francisco correspondent, Joseph Menn, who defined the dangers involved.
He explains how spammers and cyber-crooks are using the new conventions to disguise their dangerous programming and get around online security policies at the same time. The problem stems from the habit among users of the likes of Facebook to use shortened web addresses, or urls, when they forward items of interest to friends. On Twitter, such shorthand is essential, since traditional urls – often composed of long combinations of numbers, letters and forward slashes – can eat up most or all of the 140 characters allowed for each tweet.
Many people do this via easy-to-use services such as TinyURL and bit.ly, which replace the words in a link with a short collection of letters and numbers. While making the practice of forwarding links convenient, it has lulled recipients into not looking before they leap, even if they do not know the sender. Spammers have picked up on the shift. According to security company Symantec, more than 9 per cent of unwanted e-mails contained shortened links by the end of July, up from below 0.5 per cent six weeks earlier.
Link-shortening services provide “a perfect way to get an unsuspecting user to click”, said Bill Gardner, of security company Websense. Several websites have even suffered temporary shut-downs after being inundated with bad links. Some such links lead to ads for pharmaceuticals, while others attempt to install programs that record personal financial data. Worse, weak security at Twitter and other social networks has made it possible for hackers to take control of personal accounts This means that links appearing to come from trusted friends are actually coming from spammers or hackers.
Perhaps because the phenomenon has spread so rapidly, security services have yet to catch up fully. The proliferation of deceptive links might be contributing to Twitter’s difficulty in keeping new users active, and may have prompted others to scale back their use of Facebook. If such issues persist, it might be to the benefit of old-media sites, where users see information as coming from a trusted source.
Bigger companies have inside corporations, some “gateway” software which from such suppliers as Websense and Finjan automatically investigates what is behind a link. But smaller companies and not all companies offer that, and consumers are almost completely on their own about whether or not to click on links.
The shortening trend exacerbates a pre-existing problem, which is that the blacklists of bad websites used by Google, McAfee and many other companies simply aren’t good enough. The blacklists aren’t refreshed in real time, so that new bad sites can appear and infect visitors for days.
Joseph Menn’s advice is sobering: there’s a challenge around every corner. Regardless of the extent to which the staff in your business might be addicted to social networking, if they’re unaware of the sorts of security threats that Menn outlines, then they’re going to be even more hopeless when it comes to your firm’s security. And that’s something that nowadays they’re often influencing 24/7 rather than just when they’re physically at your business premises. Today, computer forensics is a sophisticated art and it pays to be in contact with an experienced team of professionals who can help you stay ahead of the game – not just come in to sort through the wreckage after the event.
