October 6, 2010

What’s Hiding Behind that Tiny.cc Link? Social Media Attack Methods and Prevention By Robert Ayoub, Frost & Sullivan

In the recent years social networks have become a new generation Web tool for corporate environments, offering sophisticated business intelligence, marketing, and analytical capabilities. The rise of Web 2.0 has predominately been steered by the prolific penetration achieved by social network engines such as Facebook, MySpace, and LinkedIn amongst diverse user groups, satisfying both business and common-user needs. Today, social networks boast a subscriber base that includes entrepreneurs, business executives and celebrities in addition to the younger generation of Web-users.

Social Networks as a Vehicle for Attack

Since social networks are self contained messaging platforms, it should be no surprise that many of the same threats that have plagued users for years have found their way onto social networks. Some of the most popular methods for attack include:


Until recently, e-mail was the chief mechanism used by spammers for spreading malware.  With social networks gaining immense popularity among Internet users, spammers have started leveraging social networking platforms such as LinkedIn, Facebook, MySpace, and Twitter for spreading spam and ultimately, malware.

Shortened Links

The increasing popularity of microblogging sites such as Twitter has led to an explosion in the use of link shortening services such as tiny.cc, bit.ly, and others.  These services offer click tracking and are an invaluable tool for microbloggers.  Unfortunately, an end user has no way of knowing what is on the other end of the shortened link without clicking on it.  This gives criminals the potential to send legitimate sounding links that actually lead to malicious sites.

Malware on Third Party Applications

Social networks such as Facebook, MySpace, and others encourage the development and deployment of third party applications.  According to industry estimates, Facebook alone has over 24,000 third party applications and more than 70 million users on the network utilize such applications for entertainment or for adding flare to their profiles. Attackers are looking towards leveraging the third party applications as a vehicle for spreading malware.

Defending against the attack

Social networks by their nature provide a difficult environment for enterprise administrators to defend.  The networks are hosted by a third party and the enterprise has no control over the security of the sites.  As pointed out previously, it only takes a single click by a single user to infect the entire enterprise.  Enterprise IT administrators are in the difficult position of having to allow social networks without having the means to protect those networks.  This means that IT administrators have to taken different steps to protect their user base.  Some industry best practices are illustrated below.

User Awareness Campaigns

The lack of awareness of users towards the diverse types of attacks thereby presents a major challenge, impeding the establishment of adequate security in social networking engines. If users abstain from opening malicious links, the scale of malware propagation could be reduced significantly. Similarly, users need to exercise caution even if a URL is provided by a trustworthy friend on the buddy list as hackers often exploit the buddy lists of users to spread spam and malware. In addition to that, users on social networking platforms need to be vigilant about installing third-party applications on their profiles.

Redefinition of Security Policies

The need for a redefinition of security policies is one of the most critical challenges for the businesses. In many cases, existing security policies were not designed with social networking in mind.  While social networking sites can provide enterprises with an open channel to interact with millions of public-users, it is important for enterprises to understand the significance of governing the use of social sites.

Robust Security Technology Integration

Finally, social networks need to employ malware and spam filtering technologies.  These can be in the network, or from the cloud. Typically, these security solutions are capable of efficiently thwarting the majority of malware and spam that propagates through social networks. Additionally, data loss prevention solutions that prevent sensitive data traveling outside the corporate network can be extremely valuable in keeping corporate data from leaking out to a social network either accidentally or intentionally.  On the flip side of protecting their users, it is also important that organizations secure the content that is posted to their social networking platforms – whether they host these platforms themselves on their corporate site, or in the public domain on sites like Facebook.  As organizations leverage their online presence to connect with customers, partners, and grow their business, they should be mindful of how they control and secure the content that is publicly posted.   No business wants their data or brand compromised.


Social networking is here to stay.  There are too many advantages to enterprises in terms of marketing, recruiting, and information sharing for organizations to ignore social networks, but that doesn’t mean that enterprises should allow their users to run rampant.  A careful implementation of user awareness campaigns, security policies, and security technologies can ensure a safe environment that allows enterprises to safely tap into the power of social networks.

Robert Ayoub, CISSP, is a Global Program Director for Network Security at Frost & Sullivan.

The content featured in the Industry Analyst Corner is the sole representation of the author, independent of Websense, Inc.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.