Kaspersky: We Know What You Did Last Summer
September 2010 by Kaspersky
Thanks to a clever combination of a variety of web services, abstract cybercrime is entering the real world with a flourish. As these services can be used to trace specific individuals, caution is advised when it comes to social networks that use current data on the whereabouts of users.
Social networks such as Facebook and Twitter have adopted a very simple approach. They provide users with a simple method of telling their friends what they are thinking or doing at any given time. Foursquare  was not so well known up until now, even though this service now also has three million users worldwide. This service also allows users to send short status messages to keep their friends up to date. However, these messages are not about the user’s frame of mind, but rather about the user’s current whereabouts. If users visit a cafe, they can "check in" with this service virtually. Friends then receive a status message that says "Friend x has checked in at cafe y". The innocent idea behind all of this: whoever happens to be close by can drop into the cafe and meet up with their friend. However, as innocent as this information may appear, it is anything but.
"Fraud to go please!"
How explosive information from social networks can become in real life was shown by the website Please Rob Me  that cleverly combined Foursquare data and Twitter messages. Those accessing the site could quickly determine where the members of these social networks actually live and whether they were currently at home. The perfect itinerary for any burglar. However, as those behind the website had established it with information security in mind, the service was discontinued after it had been given a considerable amount of publicity in the media. The upshot of all of this: seemingly harmless information from different social networks can be combined to pose a threat in real life.
Facebook knows where you are
However, Foursquare is certainly not the only location-based service. Google also offers a service called Latitude, while Gowalla is yet another such service provider. In the United States, Facebook has also recently started its own geo-service called "Places". In Germany, this function is simply called "Orte" and offers the same functionality as Foursquare. Users can check in virtually at certain locations, and their whereabouts is then automatically posted on Facebook in the form of a status message. The Facebook blog entry announcing Places  illustrates the idea perfectly: it is titled "Who, What, When and now Where". So not only do Facebook users know who is doing what and when they are doing it, they now also know where it’s all happening. The iPhone app was also updated for this new functionality, since checking in obviously only makes sense when you are out and about.
The risks are many and varied
Those who reveal small snippets of information about themselves in various places must assume that resourceful third parties will combine this information to create a complete picture. If your email addresses, telephone numbers, hobbies and preferences are publicised on the Internet, it should hardly come as a surprise if you are bombarded with advertising. Such data is often not intentionally made available to prying eyes. However, the default settings on social networks are simply not strict enough. Social networks are also often subject to phishing attacks, for example trawling for passwords or access IDs. If this data can be acquired, then identity theft is just a few steps away. Accordingly, there are known cases of identity theft where hackers took control of an account and then feigned an emergency in order to ask friends for financial aid. A website such as Facebook with around 500 million users is trusted implicitly by many users. Crooks take advantage of this to send messages containing links to manipulated websites. These websites are then used to spread malware. A well-known example is the Koobface worm, which was spread via Facebook and MySpace, for example. Invitations to look at a video were sent to users from accounts that had been hijacked beforehand. However, when recipients clicked on the specified link, they were directed to a counterfeit Facebook or YouTube page where they were required to download the Flash Player. However, the download turned out not to be a player, but a worm that could continue spreading in this way. Sometimes malware is also hidden in add-on applications for social networks, known as apps. Very popular for example are mini games, which users can also play across a network. The problem is that these applications originate from third-party providers whose security standards do not necessarily have to correspond to those of the social networks.
How to protect yourself
Up-to-date virus protection with a firewall is mandatory for a PC (for example, Kaspersky Internet Security 2011 or Kaspersky PURE). Automatic Windows updates should also be activated and installed programmes and associated plug-ins should always be up to date. In the case of social networks, stringent security settings are possible with just a few adjustments. "Scan for Privacy" , for example, allows Facebook account settings to be tested for weaknesses. Additional tips:
• Refrain from publishing personal data. Even your friends do not need to find out your personal telephone number on Facebook as they probably know it already. You should also exercise caution when it comes to publishing information on your whereabouts.
• Choose your contacts carefully. You don’t have to add everybody as a friend. Those who do not wish to upset their boss by declining an invitation can create different lists of friends with varying access levels.
• Choose secure and above all varying passwords for your social networks.
• Social networks are no place for confidential information.
• Be vigilant even if links are sent by a friend, and in case of doubt, simply do not click on them.
Additional useful links: