An old virus with new tricks, attacking new assets

by Ondrej Krehel

The recent “Twitter” hack was only live for about five hours, but in that time , including the White House press secretary Robert Gibbs and Sarah Brown, wife of the former British prime minister.

The attack didn’t even require users to click a link or download software. It activated simply by hovering the mouse over the malicious java-coded tweet. This demonstrates a new trend with viruses online: when it comes to web vulnerabilities, the operating system doesn’t matter; the attack will work on Mac as well as Windows or Linux.

Though the attack hasn’t caused any financial damage—at least not any reported so far—it highlights a new kind of violation in the social network age: an attack on the user’s online identity.

With Twitter, Facebook, MySpace, LinkedIn, Foursquare and all the other social media applications available online, we’re all designing, modifying and pruning a digital self, whether we’re conscious of it or not. Some younger people seem to spend more time attending to their virtual life than real life outside. We’ve all met them.

Social media attacks happen often, and in many forms. Take ., a young woman decidedly not on Facebook, with a declared “distaste for the world of social networking websites,” who found herself the representative face of an 800,000-member strong Facebook group.

Then there’s the Lori Drew MySpace trial. The overprotective mom established a fake online identity to bully her teenage daughter’s school rival. The result: A judge has criminalized the act of creating a fake persona online.

Hackers are even profiting on social networks using these tactics, by compromising Facebook, LinkedIn, or other login credentials so the original account owners are locked out. In one case the original owner’s friends were messaged “stating that while on a vacation in London thieves mugged him just when he was preparing to return home; therefore he needed $500-$1,000 to clear the hotel bills.”

Now consider that many people use the same username and passwords across the Internet, logging into online banks, credit cards and all their social media sites.

These kinds of crimes, manipulating digital identities to get into physical wallets, are only growing. And they’re attacking a new type of asset – our digital identity.

All of us are quite aware how a Social Security number or our credit card number can be breached. But do we pay the same amount of attention to protecting our online identity? Facebook in July accounted for 12.8% of all phishing e-mails, a three hundred percent increase since June 2010.

Other social media threats in the past have included traditional Trojan worm viruses, spread through links, pictures and multimedia content. But in this coming age of over-sharing and the online self, future attacks will likely not be so blunt. The new viruses will manipulate your online identity. They’ll be you, tweeting away, telling all your friends about this great new Russian site that has real Rolexes—real!—for a paltry $20. Don’t worry, you won’t have to click the link, the message can do all that for you.

As I type, Facebook and other online personal accounts are being sold as a commodity among hackers and scammers. Early this year were on black market, ranging for $1-20 per account.

As users share more and more data, and personal information, they’re only making their accounts more valuable to those who would like to manipulate them. And not necessarily illegally. There are rumors that financial lenders are starting to monitor social networks for information on consumer behavior and creditworthiness.

The old proverb, “Tell me what you read, and I will tell you who you are,” could be changed to “If you Google me then you will see who I am.” Don’t let hackers or online marketers take that away from you. Know the value of your digital self.

Ondrej Krehel, Chief Information Security Officer,

Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.
