Virtual Reality: Networking sites becoming new face of phishing
Fraudsters Turn Attention To Sites Like Facebook & LinkedIn
ROHIT Dubey is an investment banker, who has just joined Facebook. One of the 100 people on his friends-list sends him an invite to a corporate golf tournament to be held this weekend. Rohit is excited at the prospect of playing golf over the weekend and networking with more ibankers; he immediately accepts the link.
He goes on to fill the registration form, which asks him for his email address, credit card details for a payment and even to make a password of his own. Not suspecting any foul-play, our man goes on to fill in all the details and even inputs the same password as his email account, so that he doesn’t forget it next time he needs it. Little does he know that these details are going straight to a fraudster who’s been tracking his activity on Facebook and LinkedIn for a while now.
Gone are the days when phishing was restricted to emails supposedly from your bank. Fraudsters are increasingly turning their attention to social networking sites like Facebook and LinkedIn and trying to use it as a tool to steal sensitive information from professionals like investment bankers and other corporates. With the growing popularity of such sites among older and high net-worth professionals, online security firms warn that these sites are proving to be soft targets for sophisticated phishing attacks. People are generally off-guard when dealing with social networking sites, and tend to accept friend-requests pretty easily. According to Mahindra Special Services Group chief executive Captain Raghu Raman, a sophisticated fraudster who has identified his victim will try and get into his friends-list by either posing as an acquaintance, or a random admirer. Another trend that’s catching up amongst fraudsters is hacking into people’s Facebook or LinkedIn accounts and using it to gain access to people on the victim’s friend-list. Having gained access to the friend-list, our fraudster sends the victim a link for a seemingly harmless event, like a corporate golf tournament. The link could potentially install a Trojan onto the victim’s computer which would continuously transmit sensitive information like usernames and passwords. Alternatively, the link could open into a registration page for the event where the person is asked to input his email address and make a password. According to Mr Raman, “most people use the same passwords for all their accounts so they don’t need to remember multiple passwords.” This will automatically put his or her email accounts at risk. “Participation in social networking sites is increasing at an alarming rate. Though we haven’t received any related complaints from the enterprises we deal with so far, it is a potential route that hackers are now taking,” says Amuleek Bijral, country manager, RSA securities.
Access to an investment banker’s email would open up a plethora of opportunities for fraudsters. The fraudster hacks into an email account or trading account and instead of directly stealing money, looks out for insider information or trades that are being carried out. He then carries out similar trades on his own account or uses the insider information to buy or sell stocks accordingly. This process is being termed as ‘slip streaming’ — similar to what happens when a boat takes advantage of the low pressure created just behind a fast moving boat.
Though almost all investment banks and financial institutions have barred access to social networking sites from through their official firewalls, there’s nothing stopping their employees from using these networking sites from home or anywhere else. Corporate espionage is becoming a big revenue generator for hackers as well. According to Mr Raman, “hackers try and dig out information on bid-sizes for large-value deals and sell it to a counterbidder at a huge sum.” While internet security providers are constantly developing anti-virus and spyware systems to stay ahead of fraudsters, they stress that the most effective way to combat phishing and data theft is education of the potential customers. It’s not just over the internet that phishing takes place; fraudsters are also using telephones to extract sensitive credit card information from people.