We recently published Symantec’s Website Security Threat Report which contains a huge amount of information on the security threat landscape. In this series of blog posts we will focus on topics such as the re-emergence of phishing, the rise of malware and what you need to be aware of to keep your work and personal life secure.
Starting with Phishing…Over the past few years there has been a slight change to the type of phishing attacks we’ve seen. As sites such as Facebook and Twitter have grown in popularity, they have drawn the attention of the cybercriminal fraternity and we’ve seen a significant increase in spam and phishing with criminals following users to these popular sites. What’s equally concerning is that in the last year, online criminals have also started to target newly popular sites such as Instagram, Pinterest, and Tumblr. The typical types of threats that we see include fake gift cards and survey scams use to lure unsuspecting users. These kinds of ‘fake offers’ account for 56 per cent of all the social media attacks that Symantec sees, so they stack up to a pretty substantial threat.
To give you an example of how these work, in one scam the victim sees a post on somebody’s Facebook wall or in their Pinterest feed (where content appears from the people they follow or in specific categories) that says “Click here for a $100 gift voucher.” When the user clicks on the link, they are directed to a site where they are asked to sign up for any number of offers, sharing their personal details in the process. The spammers get a fee for each registration and, of course, there’s no gift card at the end of this process. Another trick that we’ve seen are fake or spoofed website used to persuade a victim to reveal their personal details and passwords; for example, their Facebook or Twitter account information. These phishing scams are insidious and often exploit people’s fascination with celebrities, professional athletes, film stars, or singers. In 2012, we saw more threats targeted on social media websites as well as more and more new channels and platforms opening up, especially those that are available only as mobile applications. It is likely that these mobile social channels will become more targeted in 2013, especially those that are aimed specifically at teenagers and young adults, who may not know how to recognise such attacks and may be a little freer with their personal detail.
One thing that is clear is that social media threats are a business issue. Often companies are unwilling to block access to social media sites altogether, but they do need to find ways to protect themselves against web-based malware on these and other sites. This means multi-layer security software at the gateway and on client PCs. It also requires aggressive patching and updating to reduce the risk of drive-by infections. Finally, user education and clear policies are essential, especially regarding the amount of personal information users disclose online.
In terms of user education many social media sites already follow best practice and use Extended Validation (EV) SSL certificates which make it clear to anyone visiting your site that it is the real thing. EV SSL turns the address bar on the website you are visiting green. Before you enter personal details into any site always take care and investigate that the site is exactly the one you intend it to be before proceeding.
Why do leading sites use EV SSL? One of the primary reasons for the existence of EVSSL is to make it more difficult to mount phishing and other online identity fraud attacks using SSL Certificates;
Before a certificate authority (CA) such as Symantec issues an Extended Validation SSL Certificate we follow a strict and extensive validation process which includes:
- Verifying that your organisation is legally registered and active
- Verifying the address and phone number of your organisation
- Verifying that your organisation has exclusive right to use the domain specified in the EV SSL Certificate
- Verifying that the person ordering the SSL Certificate has been authorised by the organisation
- Verifying that your organisation is not on any government blacklists
You can read more about the EV SSL issuance guidelines here https://cabforum.org/Guidelines_v1_4.pdf
We’ll be following up on this blog post next week picking up on another topic from the WSTR.