Sally, the accounting manager of a medium-sized business, regularly checked her Facebook account while at work. One day she received an e-mail. The e-mail said that a long-lost friend, Bob, had added her as a friend in Facebook.
“How great,” thought Sally. “An e-mail from Bob. Let me just follow this link and we can be friends again.”
There was a link in the e-mail for Sally to follow to confirm the friend request. Sally clicked it. With no visible sign that anything had happened, a Trojan horse was installed on her computer.
Over the next week, cyber-thieves withdrew nearly $1 million from her employer’s bank account.
How the thieves did it
Bob is on Facebook just like Sally is. That’s how the cyber-thieves found them and discovered that they might know each other.
Her Facebook page is also where they learned that Sally worked in the accounting department.
You see, the e-mail wasn’t from Bob and the link didn’t go back to Facebook. Once the thieves had learned from the two public profiles that Sally and Bob knew each other, and that Sally handled her employer’s money, it was a simple matter to set the trap: send Sally a friend request that appeared to come from Bob.
Sally is a pseudonym for the victim. The story is an actual client-case of Dr. Stan Stahl, Ph.D., an information security expert at Citadel Information Group in Los Angeles.
His credentials are lengthy and he is president of the Los Angeles chapter of the Information Systems Security Association (ISSA-LA), a nonprofit, international organization of information security professionals and practitioners.
Dr. Stahl says the bank did not return the $1 million to Sally’s company.
Welcome to the newest nastiest twist in cybercrime.
No Protection for Business Bank Accounts
Regulation E, the federal rule that implements the Electronic Fund Transfer Act (issued by the Federal Reserve Board, not the FDIC), protects consumers against unauthorized electronic transfers from their bank accounts, provided they report the discrepancy within 60 days of the statement on which it appears.
Business accounts are not covered by Regulation E. A company whose account is drained has no comparable right to reimbursement, which is why the bank in Sally’s case was under no obligation to make the company whole.
That is why Dr. Stahl regards attacks that use social networks, including Facebook and Twitter, as a major threat to business.
When did social-network attacks first become an epidemic?
Breach Security in Carlsbad, CA, reports that Internet security incidents jumped 30 percent in the first six months of 2009, and that 19 percent of those attacks involved social networks. Social networks were not even mentioned in Breach’s 2008 report.
“Making matters worse, many of these attacks succeed by taking advantage of missing patches and using obscure technology like ‘0-day exploits’ that get past traditional antivirus and antispyware defenses,” says Dr. Stahl.
What is a 0-day exploit? A 0-day (zero-day) exploit attacks a vulnerability for which the software vendor has not yet released a patch, and often one the vendor does not yet know exists, so defenders have had “zero days” to prepare. Signature-based antivirus and antispyware have nothing to match against until the attack has already been seen in the wild.
He recommends five security precautions:
1. Prohibit use of social network sites from the office.
These sites can be blocked at the corporate firewall. This can become particularly challenging if employees work remotely as it may not be feasible to block access to social networks from home computers. Making matters worse, Trojan horses are like communicable diseases and Sally’s work-at-home computer can be infected from her son’s. That’s why the next four recommendations are so important.
2. Go the extra mile in security.
In addition to antivirus / antispyware defenses, add advanced defenses like intrusion detection and prevention designed to block internet-based attacks like the link in Sally’s email and 0-day exploits.
3. Screen bad links.
You can block many known internet-based attacks by checking a link’s real destination against URL reputation and blocklist services before anyone opens it. Note that the destination is the address in the link itself, not the text that is displayed; in Sally’s case the two did not match. See: Free Online Tools for Looking up Potentially Malicious Web sites.
4. Keep your systems patched.
This means not just Windows patching but all your applications: those you know about, like Office and Adobe Reader, and those you might not even know about, like Flash and Java. This also includes your Macintosh computers, as they are every bit as vulnerability-prone as Windows PCs.
5. Finally, don’t expect to rely on technology alone.
Users are often the weakest link so it’s very important to train them to detect the subtle signs of an attack so they can keep from becoming victims. They also need to be given guidance on what information is safe to put on a social networking site.
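The following is an added illustration of recommendation 3, screening links in an e-mail the way a mail gateway or a cautious help desk would, before a user clicks. It is example code written for this page, not a tool from Dr. Stahl or Citadel Information Group. The sample e-mail, the blocklist and the “trusted brand” list are all constructed for the example; a real deployment would query a URL reputation service and use a public-suffix list instead of the crude two-label domain heuristic used here.

```python
"""Screen links in a suspicious HTML e-mail before anyone clicks them.

Checks applied to every <a href="..."> in the message:
  1. host is on a blocklist (stand-in for a URL reputation lookup)
  2. host is a raw IP address
  3. a trusted brand name appears in the host but is not the real domain
     (e.g. facebook.com.evil.example.net)
  4. the visible link text is itself a URL that points somewhere else
Added example code; the sample data below is constructed, not a real message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample: a fake "friend request" e-mail like the one in the story.
SAMPLE_EMAIL = """
<p>Bob added you as a friend on Facebook.</p>
<a href="http://facebook.com.confirm-friend.example.net/login">
  http://www.facebook.com/friends/confirm
</a>
<a href="http://203.0.113.9/fb/confirm">Confirm friend request</a>
<a href="https://www.facebook.com/help">Help Center</a>
"""

# Constructed blocklist, standing in for a live URL reputation feed.
BLOCKLIST = {"confirm-friend.example.net"}

# Brands the organisation wants to protect against impersonation (assumption).
TRUSTED_BRANDS = {"facebook.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of the host. A real tool would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def on_blocklist(host):
    """True if the host or any parent domain of it is listed."""
    return any(host == entry or host.endswith("." + entry) for entry in BLOCKLIST)


def screen_link(href, text):
    """Return a list of reasons the link is suspicious; empty list means clean."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no host in href"]
    if is_ip(host):
        reasons.append("raw IP address as host")
    domain = registered_domain(host)
    if on_blocklist(host):
        reasons.append("host on blocklist")
    for brand in TRUSTED_BRANDS:
        if brand in host and domain != brand:
            reasons.append(f"impersonates {brand} (real domain {domain})")
    # The displayed text says one site, the href goes to another.
    if text.lower().startswith(("http://", "https://")):
        text_host = urlparse(text).hostname or ""
        if text_host and registered_domain(text_host) != domain:
            reasons.append(f"displayed {text_host} but links to {host}")
    return reasons


def screen_email(html):
    """Return [(href, text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, screen_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in screen_email(SAMPLE_EMAIL):
        status = "BLOCK" if reasons else "allow"
        print(f"{status:5} {href}\n      text: {text!r}\n      {reasons}")
```

Run against the constructed message, the first two links are flagged (brand impersonation plus a blocklisted parent domain, and a raw IP host) while the genuine Help Center link passes. The value of check 4 is that it needs no blocklist at all: a link whose visible text is a URL on one site but whose destination is another is the signature of the e-mail that caught Sally.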
“There is no one thing you can do to keep from being victimized from a social network attack,” says Dr. Stahl. “Even doing all five of these isn’t a guarantee, just like a flu shot doesn’t guarantee you won’t get the flu. But if you are diligent you can significantly affect the odds and this should be your objective.”
From the Coach’s Corner, are you Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist.
Mobile banking is pushed by banks because it increases their profits, but Dr. Stahl has long warned that it’s dangerous, consider: Our Mobile-Banking Warnings about Security Prove Prophetic.
To learn more about Internet security:
Dr. Stahl’s Web site and security blog: www.citadel-information.com.
For more on ISSA-LA, visit: www.issa-la.org.
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”