David Baxter PhD
Late Founder
Online criminals target Facebook and virtual worlds
by Jonathan Richards, The Times Online
September 17, 2007
Social networking sites and other online communities are being mined for personal information, a report warns
Organised criminals are increasingly targeting online communities such as social networking sites and multi-player computer games, a security report has warned.
The vast amount of personal information stored on sites such as Facebook has made them a rich source for fraudsters, who use the details to create highly specific threats, according to Symantec, the security firm.
Information which may not typically be considered confidential - such as an employer, hobbies, and details of weekend activities - is now being incorporated into malicious e-mails as a way of launching more focused attacks, and encouraging recipients to take unsolicted messages more seriously, Symantec said.
There was in general an "increasing professionalisation and commercialisation" of internet crime, it said, which was also evident in the sophisticated "toolkits" which allowed fraudsters to build multiple 'phishing' websites simultaneously, and the use of accounts within 'virtual worlds', such as the computer game World of Warcraft, to launder money.
"What we've seen with so-called 2.0 technologies is that they don't go through the standard procedures that most sites do, meaning that when new features are added, a series of warning flags - to do with security and privacy - aren't necessarily being raised," William Beer, director of security practice at Symantec, said as the firm released its six-monthly Threat Report.
"There is an increasing trend towards attacks on social environments like Facebook and Linkedin, where the quality and quantity of private information is such that attacks can be more focused."
Having read a Facebook profile, a fraudster sending a subsequent e-mail could, for instance, address the recipient as a lawyer, and make reference to events they have attended, giving the message an air of authenticity, Mr Beer said.
Criminal groups were now also setting up accounts in virtual worlds - where the total trade is estimated to exceed $10 billion (?5 billion) annually - as a way of laundering money, an issue which has already been raised by the Fraud Advisory Panel in Britain
"Since thousands of accounts may engage in millions of transactions, each with small profits or losses, it would be difficult to trace the true source of the funds when they are withdrawn," the report said.
The 217 million people who play 'massively multi-player online games', or MMOGs, were also at risk from programs which purported to give them an advantage within the game but in fact installed 'keyloggers' - software which records every stroke of a keyboard, and other malicious code, on their machines.
Credits card details were still the most common type of personal information advertised on illicit websites, the report found, the overwhelming majority - 85 per cent - having been issued by US banks.
The number of computers unknowingly distributing spam e-mail and other malicious code around the web - so-called 'bots' - fell by 17 per cent, while the number of phishing messages rose by 18 per cent to 196,860.
Among the other key findings from the Symanetic were:
by Jonathan Richards, The Times Online
September 17, 2007
Social networking sites and other online communities are being mined for personal information, a report warns
Organised criminals are increasingly targeting online communities such as social networking sites and multi-player computer games, a security report has warned.
The vast amount of personal information stored on sites such as Facebook has made them a rich source for fraudsters, who use the details to create highly specific threats, according to Symantec, the security firm.
Information which may not typically be considered confidential - such as an employer, hobbies, and details of weekend activities - is now being incorporated into malicious e-mails as a way of launching more focused attacks, and encouraging recipients to take unsolicted messages more seriously, Symantec said.
There was in general an "increasing professionalisation and commercialisation" of internet crime, it said, which was also evident in the sophisticated "toolkits" which allowed fraudsters to build multiple 'phishing' websites simultaneously, and the use of accounts within 'virtual worlds', such as the computer game World of Warcraft, to launder money.
"What we've seen with so-called 2.0 technologies is that they don't go through the standard procedures that most sites do, meaning that when new features are added, a series of warning flags - to do with security and privacy - aren't necessarily being raised," William Beer, director of security practice at Symantec, said as the firm released its six-monthly Threat Report.
"There is an increasing trend towards attacks on social environments like Facebook and Linkedin, where the quality and quantity of private information is such that attacks can be more focused."
Having read a Facebook profile, a fraudster sending a subsequent e-mail could, for instance, address the recipient as a lawyer, and make reference to events they have attended, giving the message an air of authenticity, Mr Beer said.
Criminal groups were now also setting up accounts in virtual worlds - where the total trade is estimated to exceed $10 billion (?5 billion) annually - as a way of laundering money, an issue which has already been raised by the Fraud Advisory Panel in Britain
"Since thousands of accounts may engage in millions of transactions, each with small profits or losses, it would be difficult to trace the true source of the funds when they are withdrawn," the report said.
The 217 million people who play 'massively multi-player online games', or MMOGs, were also at risk from programs which purported to give them an advantage within the game but in fact installed 'keyloggers' - software which records every stroke of a keyboard, and other malicious code, on their machines.
Credits card details were still the most common type of personal information advertised on illicit websites, the report found, the overwhelming majority - 85 per cent - having been issued by US banks.
The number of computers unknowingly distributing spam e-mail and other malicious code around the web - so-called 'bots' - fell by 17 per cent, while the number of phishing messages rose by 18 per cent to 196,860.
Among the other key findings from the Symanetic were:
- China accounted for 29 per cent of the world's 'bot-infected computers' - the highest percentage of any country
- The education sector accounted for 30 per cent of all known 'data breaches' that could lead to identity theft, replacing government as the most compromised sector. (The government sector accounted for 26 per cent of breaches, and health 15 per cent)
- Microsoft's Internet Explorer (IE) was still the most compromised web browser, accounting for 39 of 105 browser-based vulnerabilities, though the percentage was lower than in the previous six months, when IE accounted for 54 of 102 vulnerabilities (Admin note: This statistic is misleading, since it's also the case that 70-80% of all surfers use IE)
- The number of vulnerabilities in web-based 'plug-ins' - programs which interact with web browsers - increased by 74 per cent to 237, suggesting that criminals were now targeting the 'edges' of websites, rather than their core platform
