ShmooCon: Inside FarmVille's Sinister UnderbellyBy Bill Brenner, CSO
You see it all the time on Facebook: A friend moving on up in FarmVille. Another friend trying to expand his posse in Mafia Wars. Everyone thinks of them as harmless third-party applications, free from the crooks and cooks of cyberspace.
Unfortunately, that's not the case.
The sad fact is that these applications are susceptible to malware pushers and those looking to steal your personal information. It's not much of a stretch for hackers to impersonate people you think are trusted, fellow players, as is the case with a lot of online gaming. And the more you expose yourself, the bigger the target you become.
The dangers of these games were part of a larger talk on social networking dangers at the 2010 ShmooCon security conference. Indeed, social networkers are in danger from all corners, be it from malicious Twitter bots you think is a celebrity following you or that hot model who friended you on Facebook, hoping you wouldn't notice that she's nothing more than a phishing hook.
In their talk, "Social Zombies II: Your Friends Need More Brains," security practitioners Tom Eston, Kevin Johnson and Robin Wood continued what they started in their "Social Zombies: Your Friends want to eat Your Brains" presentation at DEFCON 17.
They presented new techniques and tools used to exploit people on these social networks. They also examined how all your profile information is being used against you and eroding your privacy [related story: 6 Ways We Gave Up Our Privacy].
"Facebook has 350 million users with 12 million logging in daily. Twitter is getting 6.2 million new users a month. The target base keeps growing," said Eston, a penetration tester for a Fortune 500 financial services organization.
In one of their more colorful examples, the trio explained how actress Jessica Biel is the most dangerous woman on the Internet because of all the fake profiles of her scattered throughout the social networking landscape.
People on Twitter are easily duped into thinking Biel is following them in Twitter. The Facebook folks proudly count her among their friends, not realizing the page is really under the control of a malicious operator who wants you to click on malicious links on the page.
Then there's Blippy, a social network billed as a "fun and easy way to see and discuss the things people are buying." The presenters noted that penetration testers absolutely love this platform because of the naked insight it offers into the spending habits of specific individuals. They also shared a favorite quote making its way around the infosec community: "I joined Blippy and all I got was jacked at the ATM."
Another example is Foursquare, a social networking program that lets you keep track of where your friends are, literally. If someone in your network is in South Korea or in front of the Alamo in Texas, Foursquare will tell you so. Want to use it on your iPhone? There's an app for that. And for BlackBerries, too.
While it's becoming increasingly difficult for people to turn away from social networking, especially since it's become a critical, legitimate business tool for many professionals, there are still ways to protect yourself, the presenters noted.
For one thing, you can avoid Facebook and Twitter pages purporting to be from famous people. A good way to tell if that Twitter page is really a malicious bot is to look at its follower/following ratio. If they're being followed by 50 people but are following over a thousand, that's a pretty good indication that something stinks.
And, they noted, if you must use apps to get around certain places and find the shops you're looking for, remember that too much information can be enough for someone evil to track your specific whereabouts and come after you.