The Largest Threat to Social Networks, Yet to be Resolved
What annoys you more on social networks? Spam friend requests, spammy comments or other junk? Well, that is nothing compared to the malicious Windows exploits now being used to dupe MySpace users. This points to the larger problem at hand: users are still naive about, and vulnerable to, phishing, ten years after its peak.
Most social networks have addressed the password brute-forcing problem (for now) with CAPTCHAs. (CAPTCHAs are deliberately distorted images that stop bots from guessing their way into accounts at scale.) However, there are several other ways that innocent Web users are being compromised, and they don't even know it! I am fairly certain that social networks have taken the necessary steps to protect their infrastructure and user data and to educate their employees, but who is left? Users.
Users are constantly being phished for their accounts. The social connections (and the trust behind them) that users build on social networks are highly valuable to professional phishers. Phishing relies on trust, so compromising one account does half the work: the next lure arrives from a trusted friend. From my analysis, networks have done very little to inform users. They haven't educated users about the expected behavior or the actual functions of their Web site; their advice amounts to "don't give your password out." The result is a lot of compromised accounts spreading more malicious content, which threatens the network even more.
(Well, duh, no one just gives their password out, silly.) The problem is that a lot of the phishing URLs used to prey on users promise a look at someone's photo album or some wild video. Everyone loves to look at pictures and video; it's what we do online. When the victim clicks the link, they are shown a fake login page that asks them to sign in to see it. Bam! The account is compromised, and guess who will be posting the spam link next?
It is exploitation of word-of-mouth (viral) marketing, and it abuses the trust that people have forged on these social networks. That is, if someone trusts their best friend, they will open the link automatically without questioning it. Understand my spirit in this: users aren't stupid, they are human. Human problems require human solutions.
Honestly, the best thing a social network can do is educate users, from day one, on proper account security practices. That is, show them ways to check the legitimacy of messages (starting with the domain a login page is really on), tell them to install security updates for their OS, recommend secure browsers like [gasp!] IE7 or Firefox, and be their advocate in addressing spam and viruses. Don't wait until you have shut their account down to educate them: at that point their primary objective is to get back online to chat with friends, not to heed security warnings.
What makes this the largest threat to social networks? Phishing threatens users, data integrity, and users' trust in the network itself. There is very little a network can do about it beyond blacklisting IP addresses (which attackers can change at will with proxies), blacklisting URLs that gain popularity quickly (that is, moderating URLs as they are posted), and simply educating users. Every one of these steps has drawbacks, mainly false positives: a legitimately viral link spreads across accounts in exactly the way a phishing link does.
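To make the two moderation checks above concrete (the fake-login-page lure from the "photo album" paragraph, and the "URLs that gain popularity quickly" rule from this one), here is an added example of my own; it is not code from the original post or from any social network. It assumes a hypothetical site domain, a constructed sample feed, and made-up thresholds (a URL is flagged when five distinct accounts post it within ten minutes), all of which are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the social network's own domain. Placeholder, not a real site.
SITE_DOMAIN = "example-social.test"

# Assumed thresholds: flag a URL when this many DISTINCT accounts post it
# inside one sliding window. Tune these against real traffic.
WINDOW_SECONDS = 600
MIN_DISTINCT_POSTERS = 5

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def is_lookalike_host(host, site_domain=SITE_DOMAIN):
    """A host that is NOT the site or one of its subdomains, yet embeds the
    site's name, is the classic phishing login-page trick
    ('example-social.test.photo-album.example' is not example-social.test)."""
    if host == site_domain or host.endswith("." + site_domain):
        return False
    site_label = site_domain.split(".")[0]
    return site_label in host


def flag_posted_urls(posts, window=WINDOW_SECONDS, min_posters=MIN_DISTINCT_POSTERS):
    """posts: iterable of (unix_timestamp, poster_id, message_text).
    Returns {url: [reasons]} for every URL that deserves a moderator's eyes."""
    events = defaultdict(list)  # url -> [(ts, poster_id)]
    for ts, poster, text in posts:
        for url in URL_RE.findall(text):
            events[url].append((ts, poster))

    flagged = {}
    for url, evs in events.items():
        reasons = []
        if is_lookalike_host(host_of(url)):
            reasons.append("lookalike-host")
        evs.sort()
        # Sliding window over the sorted events, counting DISTINCT posters so
        # that one account spamming the same link does not trip the rule alone.
        for i, (t0, _) in enumerate(evs):
            posters = {p for t, p in evs[i:] if t - t0 <= window}
            if len(posters) >= min_posters:
                reasons.append("velocity")
                break
        if reasons:
            flagged[url] = reasons
    return flagged


# Constructed sample feed (not real data); timestamps are seconds.
SAMPLE_POSTS = [
    # six accounts relaying the same fake "photo album" login link in five minutes
    *[(1000 + 60 * i, f"user{i}",
       "omg look at your pics http://example-social.test.photo-album.example/login")
      for i in range(6)],
    # a genuine album link on the site itself, shared by two friends
    (1100, "user1", "new album http://example-social.test/photos/42"),
    (1300, "user2", "same album http://example-social.test/photos/42"),
    # a legitimately viral news story: trips the velocity rule (a false positive)
    *[(2000 + 30 * i, f"reader{i}", "wow http://news.example/story") for i in range(7)],
    # one account posting a link many times: a single poster, so no velocity flag
    *[(3000 + 10 * i, "loner", "me again http://blog.example/post") for i in range(10)],
]

if __name__ == "__main__":
    for url, reasons in flag_posted_urls(SAMPLE_POSTS).items():
        print(url, reasons)
```

Run against the constructed feed, the fake login link is flagged on both counts, the genuine album link and the repetitive single poster are left alone, and the news story is flagged on velocity alone. That last case is the false-positive problem from the paragraph above: velocity by itself cannot tell a viral story from a viral lure, which is why the host check (or a human moderator) has to sit beside it, and why the rule counts distinct accounts rather than raw posts.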
Do you run a social network? What steps are you taking to secure it from phishers?
Also check out Help: What to Do if Your MySpace Account is Phished at DygiScape and MySpace: Your Account Has Been Phished!
January 15th, 2008 at 1:07 AM
Like you, I'm concerned too… oh well. Here's my post: http://www.sansurfer.com/archives/225
January 15th, 2008 at 7:04 PM
San,
I read your blog post, but I am still baffled by your opinion. You go on about how the social networking folks are at fault for facilitating easy ways to post personal information online, then you contradict your argument by citing the social networks as victims?
I have to ask… victims to whom? Advertisers? Well, I guess anything for a page view… but if anyone is a victim it would be the users since they are less likely to know how to manage their personal information.
~ Joe