The Seven Deadliest Social Networking Hacks

Think you know who your real online friends are? You could be just a few hops away from a cybercriminal in today's social networks

A social network profile can give away some valuable tidbits, such as the victim's name and date of birth, that identity thieves can use to guess passwords or impersonate the victim, and even eventually steal their identity, some security experts say.

But that doesn't mean that identity thieves are crawling all over social networks, Hamiel says. "I just think that the claims that social networks are an identity theft magnet are overblown."

Social networkers sometimes inadvertently hand over the goods themselves: In a study Sophos conducted over a year ago, about 41 percent of Facebook users in the study gave out their email address, date of birth, and phone number to someone they didn’t know.

One safety tip for social networkers is not to answer every question the site poses and not to provide your true date of birth, Sophos's Cluley says. "You don't need to tell Facebook your educational background, your phone number, etc. You don't even have to tell them your real date of birth," he says. "I want the identity thief to get the wrong date of birth."

You can even make up a phony maiden name for your mother. “Don’t make it something that’s a matter of public record,” he says.

Even so, social networks basically tap into human nature’s innate need to socialize, and the bad guys know it. “People aren't very good at security,” RSnake says. “We were built to work in teams, we're pack animals.”

7) Corporate espionage

Even if an employer blocks access to social networks from the office, the organization still could be susceptible to corporate espionage attacks via its employees’ personal profiles.

To pull off a spear phishing attack, for example, all an attacker has to do is search for Company A's employees on a social networking site, pose as someone within the organization, such as the head of human resources, and email the employee addresses he finds. A phony HR spear phish could look something like this, Sophos's Cluley says: "Dear Fred Jones, Congratulations on joining XYZ Company. Click on this link to access our HR Intranet and then log in with your regular network username and password so we can update our files."

A newbie to the company could easily fall for the ploy and hand over access to the corporate network, he says.

The only shot at preventing this hack is for social networkers to limit what they post publicly and to keep their employer’s name out of their profile. “Keeping the name of your employer... far away from your personal profiles can reduce the chance that someone will target your employer through you,” BreakingPoint’s Moore says. “The trouble is that even with completely separate personal and professional identities, it only takes one scrap of public information linking the two to negate all of the time that went into separating them in the first place.”

That’s because the “six degrees of separation” rule applies on most social networks: You’re only a few hops away from a bad guy. “We know that there are bad people on these networks using them to steal information,” Cluley says. “You may be only a half a dozen hops from an identity thief if we’re all connected.”
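The "few hops" claim is easy to make concrete. What follows is an added example, not code from the Dark Reading story or from any of the experts quoted in it: it runs a breadth-first search over a small constructed friend graph (the names and the flagged account are made up) to find how many hops separate a given user from an account a trust-and-safety team has flagged, which is the kind of check a defender might use to decide who to warn first.

```python
from collections import deque

# Constructed sample friend graph (undirected); every name here is made up.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob", "frank"},
    "erin": {"carol"},
    "frank": {"dave", "mallory"},
    "mallory": {"frank"},
    "trent": set(),          # isolated account, reaches nobody
}

# Accounts a (hypothetical) trust-and-safety team has flagged as abusive.
FLAGGED = {"mallory"}


def hop_distances(graph, start):
    """Breadth-first search from `start`.

    Returns (dist, parent): dist maps every reachable account to its
    shortest hop count from start; parent lets us rebuild the path.
    """
    dist = {start: 0}
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nbr in graph.get(node, ()):
            if nbr not in dist:            # first visit = shortest path in an unweighted graph
                dist[nbr] = dist[node] + 1
                parent[nbr] = node
                queue.append(nbr)
    return dist, parent


def path_to(parent, target):
    """Walk the parent pointers back to the start and return the path in order."""
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return list(reversed(path))


def closest_flagged(graph, start, flagged):
    """Hop count and path to the nearest flagged account, or None if none is reachable."""
    dist, parent = hop_distances(graph, start)
    reachable = [(dist[acct], acct) for acct in flagged if acct in dist]
    if not reachable:
        return None
    hops, who = min(reachable)
    return hops, path_to(parent, who)


def within_hops(graph, start, k):
    """Every account other than `start` that lies within k hops of it."""
    dist, _ = hop_distances(graph, start)
    return {acct for acct, d in dist.items() if 0 < d <= k}


if __name__ == "__main__":
    for user in ("alice", "trent"):
        result = closest_flagged(FRIENDS, user, FLAGGED)
        if result is None:
            print(f"{user}: no flagged account reachable")
        else:
            hops, path = result
            print(f"{user}: {hops} hops from a flagged account via {' -> '.join(path)}")
    print("alice's 2-hop neighbourhood:", sorted(within_hops(FRIENDS, "alice", 2)))
```

Run it and alice turns out to be four hops from the flagged account even though none of her direct friends is suspicious, which is exactly the point Cluley makes: the exposure comes from the friends of friends, not from the people you chose to connect with. A real platform would run the same search over a far larger graph and treat a small hop count as a reason to tighten that user's default visibility.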

