Facebook: the hotbed of cybercrime?

People are too willing to click links, warns security expert

Graham Cluley

We meet Graham Cluley from Sophos – and occasional TechRadar columnist – in a central London hotel. We're here to talk about Sophos' new six-monthly report on the state of cybercrime across the globe, and social networks with people proliferating information are at the forefront of his mind – as well as international cybercrime and his wife's iPad.

"There's a new kind of cybercrime – for want of a better word – which is occurring on social networks," he says, talking about the recent rash of viral messages on Facebook that "your friend endorses, he's 'liked' it. There was one saying there was a secret message in Toy Story 3".

Usually, the link – which purports to be something of interest but just takes you to a survey – enables the originator to make a few cents.

Facebook's weak point remains security, believes Cluley. "You can't report an individual link. We see umpteens of these every day. Because Facebook's privacy settings are so rubbish, you can pick them up just by searching people's status updates."

It's ironic that security researchers take advantage of Facebook security lapses to search for these. Cluley searches for 'shocking' and 'video' – and several more from the last hour quickly appear.

Platform agnostic

Rogue apps are also a problem: "Facebook apps aren't vetted, they just ask for a credit card or mobile phone number."

Cluley says that the proliferation of dodgy Facebook links is because the action of spreading them isn't strictly illegal and is a "grey area".

"The beauty of [these links] is that they're completely platform independent," says Cluley. "They don't need Windows and just run in the browser. There's 500 million people on [Facebook], many of whom are all too willing to click on a link."

Cluley believes the proliferation of non-Windows devices merely makes this social networking manipulation more attractive – not least on the iPad he bought for his wife.

"I think with touchscreen devices like the iPad, there's another contributing factor – you don't know where links are going. The whole concept of hovering over a link doesn't really exist with a touchscreen and people are just in the habit of clicking [on links].

Too much information

"We're seeing more activity on Facebook than we are on Twitter – there's a bigger pool of people. Obviously, there's still potential for the spreading of a link. There's also the issue of whether your Twitter client is secure, though I don't think we've actually seen that yet.

"Again, people are sharing too much information, such as people's precise date of birth. There are issues regarding [geolocation] – the likes of Foursquare are beginning to rumble away and become more successful."

Cluley talks about the example of a woman in the States who got burgled and realised that the offender was one of her new friends on Facebook. Extreme perhaps, but Cluley is just indicating that people need to be more careful when posting location-related information.

State-sponsored cybercrime

We ask Cluley about the remainder of the threat landscape. "There are interesting things that happen from time to time, but normally they happen in an isolated way… Blackhats say they can hack the Nintendo Wii. Well, yes you could. Frankly, cybercriminals aren't very inventive. We continue to see SEO poisoning, identity theft, things like that."

Cluley brings up the issue of state-sponsored cybercrime – one of the key issues in the report, where 63 per cent of people think it's okay for the UK to spy on other countries using hacking and malware. Although 40 per cent of them added the proviso 'only if we're at war with them', the general consensus was that it's fine to use cyber-spying at the government level.

"There's an interesting endorsement of state-sponsored cybercrime among the general public. I think over the course of time we've seen more and more accusations of this kind of thing," says Cluley, referring to China being under the spotlight.

Cluley believes that we're entering the third era of cybercrime – economic, political and even militarily motivated. "First we had the hobbyists, and then there were the financially motivated [cybercriminals]," says Cluley.

"We're seeing more attacks [on individual companies] in the form of malformed Word documents or boobytrapped PDFs coming in to break into your company and steal information.

"There's been a real growth in that over the last 12 months. Is it all state sponsored? Probably not, but we'd be naïve to think that countries [don't indulge in this]. Secret services have used every trick in the book – why would the internet be different? Secondly, there's less physical danger. Thirdly, it's a cheap way to spy."

But surely it's ridiculously difficult to prove the origin of an attack? "Yes, extremely," says Cluley. "Google had evidence to say that [an attack] had come from China. It's very difficult to prove that it's state sponsored and very difficult to prove that it's of Chinese origin – spammers take over computers all over the world every day. But why wouldn't it be happening? It's easy, it's cheap and it's effective."

