McAfee director warns of social networking perils
Security firm demonstrates how using Twitter et al greatly simplifies targeted phishing and malware attacks
McAfee warned users to beware of how much data they share on sites like Twitter
Social networking sites have dramatically increased our vulnerability to cyber-crime, as McAfee demonstrated at its Focus 2010 conference in Las Vegas this week.
Dave Marcus, director of security research and communications at McAfee, explained that typical mass-emailed spam attacks operate at a success rate of around one per cent.
This means that only one in 100 people are expected to click the poisoned links included in their emails. These links could download malware to the user's computer, with the ultimate aim of making money for the cyber-criminal.
Marcus stated that criminals can vastly improve their success rate using open-source intelligence, which is publicly available data from social networking sites.
"No code needs to be written. Cyber-criminals just use what's out there to own your machine and steal your data," he said.
Marcus explained that in Web 2.0, people openly share information without being asked, and now, on Twitter for example, with GPS data attached.
"Social media tells me what people are talking about now, not five minutes ago. That's very powerful from a marketing perspective and from an attack perspective. I need to know what you're mad about right now, because that's going to motivate you," he said.
Marcus demonstrated Twitscoop, a site which shows the most popular topics being discussed on Twitter in real time.
"These topics become the building blocks for what we want to use to target people. You poison the information you send back to get them to do something you want them to do," he explained.
Once you've found the hot topic to motivate people to click your link, the next step is to find the tool to distribute it. Twitter itself can be the distribution mechanism.
Attacks can even be targeted at a specific individual with little effort. Marcus showed how easy it is to use the free site Twitterbot.
"You enter the username of the user you want to monitor, click 'build' and you've got a bot," he said. "There's no way to knock it offline, there's no central command or control."
Marcus then demonstrated how much information can be found on an individual using only data that the person has freely elected to share with the world, and the world's cyber-criminals.
Marcus picked an individual at random from those who were tweeting near the conference in Las Vegas and including GPS data with their tweets.
"When we start looking and drilling into one individual, you quickly find out an awful lot. You can see the platform he uses, the device and where he is. You can see the route he drives, and where he lives and works, and even where he buys coffee," he said.
Marcus explained that this information makes targeted phishing very easy because all the information needed is made freely available across the internet. "It's very, very simple to do," he added.
The message from the demonstration was clear: be vigilant when protecting your personal information.