Virtual Reality: Networking sites becoming new face of phishing

Fraudsters Turn Attention To Sites Like Facebook & LinkedIn

Economic Times - Emerging Business & IT - Aniruddha Ghosh

Rohit Dubey is an investment banker who has just joined Facebook. One of the 100 people on his friends-list sends him an invite to a corporate golf tournament to be held this weekend. Rohit is excited at the prospect of playing golf over the weekend and networking with more ibankers; he immediately accepts the link.

He goes on to fill in the registration form, which asks him for his email address, credit card details for a payment and even to make a password of his own. Not suspecting any foul play, our man fills in all the details and even inputs the same password as his email account, so that he doesn’t forget it the next time he needs it. Little does he know that these details are going straight to a fraudster who’s been tracking his activity on Facebook and LinkedIn for a while now.

Gone are the days when phishing was restricted to emails supposedly from your bank. Fraudsters are increasingly turning their attention to social networking sites like Facebook and LinkedIn and trying to use them as a tool to steal sensitive information from professionals like investment bankers and other corporates. With the growing popularity of such sites among older and high net-worth professionals, online security firms warn that these sites are proving to be soft targets for sophisticated phishing attacks.

People are generally off-guard when dealing with social networking sites, and tend to accept friend-requests pretty easily. According to Mahindra Special Services Group chief executive Captain Raghu Raman, a sophisticated fraudster who has identified his victim will try and get into his friends-list by either posing as an acquaintance, or a random admirer. Another trend that’s catching on amongst fraudsters is hacking into people’s Facebook or LinkedIn accounts and using them to gain access to people on the victim’s friend-list.

Having gained access to the friend-list, our fraudster sends the victim a link for a seemingly harmless event, like a corporate golf tournament. The link could potentially install a Trojan onto the victim’s computer which would continuously transmit sensitive information like usernames and passwords. Alternatively, the link could open into a registration page for the event where the person is asked to input his email address and make a password. According to Mr Raman, “most people use the same passwords for all their accounts so they don’t need to remember multiple passwords.” This will automatically put his or her email accounts at risk.

“Participation in social networking sites is increasing at an alarming rate. Though we haven’t received any related complaints from the enterprises we deal with so far, it is a potential route that hackers are now taking,” says Amuleek Bijral, country manager, RSA securities.

Access to an investment banker’s email would open up a plethora of opportunities for fraudsters. The fraudster hacks into an email account or trading account and, instead of directly stealing money, looks out for insider information or trades that are being carried out. He then carries out similar trades on his own account or uses the insider information to buy or sell stocks accordingly. This process is being termed ‘slip streaming’ — similar to what happens when a boat takes advantage of the low pressure created just behind a fast-moving boat.

Though almost all investment banks and financial institutions have barred access to social networking sites through their official firewalls, there’s nothing stopping their employees from using these networking sites from home or anywhere else. Corporate espionage is becoming a big revenue generator for hackers as well. According to Mr Raman, “hackers try and dig out information on bid-sizes for large-value deals and sell it to a counterbidder at a huge sum.” While internet security providers are constantly developing anti-virus and spyware systems to stay ahead of fraudsters, they stress that the most effective way to combat phishing and data theft is education of the potential customers. It’s not just over the internet that phishing takes place; fraudsters are also using telephones to extract sensitive credit card information from people.
