Social media, mobile phones top attack targets

Social media has become a top target of hackers and mobile devices are expanding that target, IBM reported on Tuesday in its X-Force 2013 Mid-Year Trend and Risk Report.

Attacks on enterprises are getting increasingly sophisticated, the report said. Some attacks studied by IBM researchers were opportunistic -- exploiting unpatched and untested web applications vulnerable to basic SQL injection or cross-site scripting.

Others were successful, the report continued, because they violated the basic trust between end user and sites or social media personalities thought to be safe and legitimate.

"Social media has become a new playground for attackers," said Kevin Skapinetz, program director for product strategy for IBM Security Systems.

The report noted that a growing trend this year is the takeover of social media profiles that have a large number of followers. The trend continues to play a pivotal role in the way attackers are reaching their targets.

"It's one thing to get an email or spam from someone you've never heard of," Skapinetz said in an interview. "It's another thing to have one of your friends have their account compromised and send you a link that might interest you."

Traditional sources of online aggravation can't resist the siren call of social media, either. "Even if email is used in an attack, it will be under guise of coming from a social media account," he said. "Attackers are becoming more operationally sophisticated."

Social media attacks can affect more than the usual suspects, too. Beyond individual users, the report said, they can damage an enterprise's brand reputation and cause financial losses.

Mobile devices are also becoming a hacker magnet. "Although mobile vulnerabilities continue to grow at a rapid pace, we still see them as a small percentage of overall vulnerabilities reported in the year," the report said.

What may be making matters worse is the proliferation of mobile devices in the workplace under Bring Your Own Device Programs. "BYOD -- what a nightmare that can be for any organization," HBGary's Threat Intelligence Director, Matthew Standart, said in an interview.

"It's difficult to protect your data even when you own all your devices and getting visibility into all your devices is a challenge in itself," Standart said. "Allowing users to bring their own devices increases the complexity tenfold."

The IBM report also noted that Distributed Denial of Service (DDoS) attacks are being used for more than just disrupting service at target sites. The attacks are being used as a distraction, allowing attackers to breach other systems in the enterprise.


"Both attacks and attack threats are being used as decoys," Marc Gaffan, co-founder of Incapsula, said in an interview.

"The attackers will bring down a website, get the IT people focused in a certain direction, tie up their resources on the DDoS attack while a more sophisticated breach is performed with no one paying attention," Gaffan said.

A decoy attack could also be used in conjunction with a phishing attack, he added. For example, a phishing message could be sent to a bank's customers asking them to use an alternative URL because the bank is having trouble with its common web address. A recipient may follow good security practices and paste the common URL for the bank in his browser.

Because the bank is under a DDoS attack, however, they can't connect to the institution, he said. So, in desperation, they click on the URL in the phishing message and get infected.
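The decoy pattern described above (a flood that absorbs the responders while a quieter intrusion proceeds) is, from the defender's side, a correlation problem: alerts raised during a DDoS window deserve more attention, not less. The following example is added here and is not from the IBM report or any of the people quoted; the log format, the event names and the 30-minute grace period are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alert log (not from the IBM report): "<ISO time> <source> <event> <detail>"
SAMPLE_EVENTS = [
    "2013-09-24T09:00:00 waf ddos_start edge-lb-1",
    "2013-09-24T09:04:10 vpn auth_failure_burst user=finance-svc count=40",
    "2013-09-24T09:07:30 dlp large_egress host=db-02 bytes=2100000000",
    "2013-09-24T09:45:00 waf ddos_end edge-lb-1",
    "2013-09-24T11:30:00 vpn auth_failure_burst user=jdoe count=12",
]
DDOS_MARKERS = {"ddos_start", "ddos_end"}

def parse_event(line):
    """Split one constructed log line into timestamp, source, event kind and detail."""
    ts, source, kind, detail = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind, "detail": detail}

def ddos_windows(events, grace=timedelta(minutes=30)):
    """Pair ddos_start/ddos_end markers into (start, end) windows.
    The end is padded by `grace` because the follow-on intrusion can outlast
    the flood; an unmatched start is treated as still open."""
    windows, open_start = [], None
    for ev in events:
        if ev["kind"] == "ddos_start" and open_start is None:
            open_start = ev["ts"]
        elif ev["kind"] == "ddos_end" and open_start is not None:
            windows.append((open_start, ev["ts"] + grace))
            open_start = None
    if open_start is not None:
        windows.append((open_start, datetime.max))
    return windows

def flag_decoy_candidates(lines):
    """Return (kind, detail) of every non-DDoS event inside a DDoS window:
    the alerts to escalate, not deprioritise, while the team fights the flood."""
    events = sorted((parse_event(ln) for ln in lines), key=lambda e: e["ts"])
    windows = ddos_windows(events)
    return [
        (ev["kind"], ev["detail"])
        for ev in events
        if ev["kind"] not in DDOS_MARKERS
        and any(start <= ev["ts"] <= end for start, end in windows)
    ]

if __name__ == "__main__":
    for kind, detail in flag_decoy_candidates(SAMPLE_EVENTS):
        print(f"ESCALATE (raised during DDoS window): {kind} {detail}")
```

On the constructed log, the two alerts raised during the 09:00 flood are flagged and the unrelated 11:30 authentication burst is not.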

Those kinds of misdirection DDoS attacks, though, haven't become mainstream. "They are occurring, but they're relatively rare," said Daniel Peck, a research scientist at Barracuda Networks.

The IBM report also questioned the dedication of many organizations to sound security basics. "Many of the breaches reported in the last year were a result of poorly applied security fundamentals and policies and could have been mitigated by putting some basic security hygiene into practice," the researchers wrote.

"Attackers seem to be capitalizing on this 'lack of security basics' by using a model of operational sophistication that allows them to increase their return on exploit," they wrote.

"The idea that even basic security hygiene is not upheld in organizations, leads us to believe that, for a variety of reasons, companies are struggling with a commitment to apply basic security fundamentals," the researchers wrote.

Barry Shteiman, senior security strategist with Imperva, said in an interview that the lack of adherence to basics could be due to a fundamental misunderstanding of security by companies. "They don't understand the difference between a safety belt and auto insurance," he said. "They don't understand that it's more important to protect themselves than to preserve their reputation after a breach has been made."
