By Allan Liska, Senior Solutions Engineer for Symantec Managed Security Services
Just about anyone who has a Facebook account has seen them: innocuous-looking, yet dangerous, links posted to the Wall of one of your friends inviting you to watch a video of a famous movie star caught cheating, the Osama bin Laden raid or any number of other topics. On a bad day, you may see the same link posted on the Walls of several of your friends, each friend inadvertently passing on the infection to those gullible enough to click on the link. This is what John Harrison, Manager of Symantec’s Security Technology and Response (STAR) team, calls Likejacking, and it is on the rise. According to the 2010 Internet Security Threat Report (ISTR), released in April 2011, web attacks were up 93% and social media sites are a big focus of those attacks. The use of shortened URLs accentuates the effectiveness of these attacks; in fact, during a three-month period in 2010, 65% of malicious URLs on social networks were shortened URLs.
What does this have to do with Managed Security Services? The fact is that most Facebook users access the site at some point during work hours. Some companies have tried to stop this by blocking access to Facebook, but many of these companies have had to relent or face a revolt. According to a study done by Robert Half Technology in 2009, 54% of organizations blocked access to social media sites. A similar study done by Webroot in November 2010 showed that only 39% of organizations blocked access to social media sites.
This creates a quandary for security professionals within an organization, and one that I hear repeatedly: How do you share security concerns with employees who may be using Facebook from a computer owned by the organization without sounding like you are condoning the use of Facebook? Many organizations can’t find that happy medium, so they don’t talk about it, and users get infected.
There are several ways Symantec’s Managed Security Services can help. The first is the integration of endpoint security into our overall approach to security monitoring and management. If your organization is running Symantec Endpoint Protection (SEP), we can correlate endpoint activity with other network events to better identify threats, and we can help you develop policies and enable the services on the desktop that are most likely to stop an employee from being infected by one of these errant links.
The second way we can help is through our Web Security Monitoring. This service takes the log stream from your web proxy and compares the URLs that come through that feed against known bad URLs gathered from our Global Intelligence Network (GIN); if a match is found, an analyst is notified and we contact you. In addition, Web Security Monitoring looks at both the domain portion of a URL and the payload information. So, if a bot is calling out to a new or previously unlisted domain using its existing command and control patterns, we will catch that as well. A great example of this is the Koobface worm. Koobface uses many different URLs, but the worm always uses the same pattern to call out to its command and control host: “?action=[fbgen&/ppgen&/ldgen&]”. By looking for “?action=” together with “fbgen&”, “ppgen&” or “ldgen&” in the same URL, the Symantec SOC is able to isolate Koobface activity with very few false positives.
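To make the Koobface URL pattern concrete, here is an added example (not Symantec's SOC code) that applies the “?action=” plus “fbgen&”/“ppgen&”/“ldgen&” check to a few constructed proxy log lines; the log field layout and the hostnames are assumptions for illustration, not real indicators.

```python
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit
# Constructed sample proxy log lines (hypothetical hosts, not real indicators).
# Assumed field layout: timestamp client_ip method url status
SAMPLE_LOG = """\
2011-05-10T09:12:01 10.1.4.22 GET http://c2-one.example/check.php?action=fbgen&v=13 200
2011-05-10T09:12:05 10.1.4.22 GET http://c2-two.example/ld/?action=ldgen&x=1 200
2011-05-10T09:13:40 10.1.7.8 GET http://www.example.com/news?action=view&id=7 200
2011-05-10T09:14:02 10.1.9.3 GET http://cdn.example.net/img/fbgen&banner.png 200
2011-05-10T09:15:11 10.1.4.22 POST http://c2-three.example/gen/?action=ppgen&a=2 200
garbage line that does not parse
"""

# The Koobface callout pattern from the post: "?action=" plus one of these tokens
# somewhere in the same URL, whatever domain is being contacted.
KOOBFACE_TOKENS = ("fbgen&", "ppgen&", "ldgen&")

Hit = Tuple[str, str, str, str]  # (timestamp, client_ip, host, action)

def koobface_action(url: str) -> Optional[str]:
    """Return the matched action ('fbgen', 'ppgen' or 'ldgen') or None for a clean URL."""
    if "?action=" not in url:
        return None
    query = url.split("?", 1)[1]  # only the query string is inspected
    for token in KOOBFACE_TOKENS:
        if token in query:
            return token.rstrip("&")
    return None

def scan_proxy_log(log_text: str) -> List[Hit]:
    """Run the pattern over every well-formed line of the log and collect the hits."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:  # skip malformed lines instead of crashing the scan
            continue
        timestamp, client, _method, url, _status = fields
        action = koobface_action(url)
        if action:
            hits.append((timestamp, client, urlsplit(url).hostname or "", action))
    return hits

def hosts_per_client(hits: List[Hit]) -> Dict[str, Set[str]]:
    """Group callout hosts by client; one client beaconing to several hosts is the strongest signal."""
    grouped: Dict[str, Set[str]] = {}
    for _ts, client, host, _action in hits:
        grouped.setdefault(client, set()).add(host)
    return grouped
```

Note that the benign `?action=view` request and the image path containing `fbgen&` without `?action=` are both left alone, which is what keeps the false positive rate low.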
As social media continues to grow in popularity, its appeal as an attack vector will continue to grow. Watch this space for more ideas about how Symantec can help protect your organization from threats originating through social media sites.