Cybercriminals imitating social networks to spread malware
The results of new research conducted by Websense Security Labs reveal a growing domain-name cloning trend among cybercriminals seeking to take advantage of the huge number of social networking users, particularly those using Facebook, MySpace and Twitter.
Criminals are increasingly using domain names that include words like Facebook, MySpace and Twitter, with no official connection to the real sites, to trick unsuspecting visitors to visit fake Web sites and lure them to input sensitive information or download malicious code.
In fact, Websense Security Labs research indicates that in a research sample taken from the Websense URL database, more than 200,000 phony copycat sites were found, all using the terms Facebook, MySpace or Twitter in their URLs.
Further research shows that the hackers are taking steps to create these cloned domains to circumvent security measures put in place by organizations to filter the original domain in a business setting. Many of the domains are proxy avoidance sites which are used to try to evade traditional Web filtering technology.
Taking advantage of the huge increase of social networking-savvy “Millennial” users entering the workforce, and the 276 percent growth of Facebook use among the 35-54 year old segment over the past six months, Facebook was the most popular domain used to dupe users, with more than 150,000 known fake URLs charted during the research period.
“These new threats illustrate that attackers will continue to target Facebook, MySpace and Twitter, along with other social networking sites, for three reasons,” said Charles Renert, senior director, advanced content research, Websense. “First, these Web sites are popular so fraudsters are able to target lots of victims; second, people trust the content on it because they think it’s from other people in their network; and third, they are easy to compromise because they allow anybody to create and post content. Traditional Web filtering is not enough to protect users from threats on trusted sites, and isn’t enough to keep up with fraudsters generating new URLs almost instantaneously to avoid detection. Only real-time analysis of Web content can prevent users from being exploited by these attacks.”
This isn’t the first time Facebook users have been targeted by hackers. In late April, Websense Security Labs detected a phishing campaign targeting Facebook users. The scam, labeled “FBStarter” by security researchers redirected users to a phishing page that spoofs Facebook’s sign-in page. By entering their user name and password, they unknowingly gave attackers the information necessary to log into their account and spam their friends.
Data gathered from the Websense Threatseeker Network shows that sites that allow user-generated content comprise the majority of the top 50 most active distributors of malicious content and that more than 70 percent of these sites have hosted malicious code in the last six months, as well as malicious comment spam and the URL and domain spoofing noted in the most recent research.