Webroot Survey Reveals Social Networkers’ Risky Behaviours

Bracknell, U.K. – June 24, 2009 – Members of online social networks may be more vulnerable to financial loss, identity theft and malware infection than they realise, according to a new survey from Webroot, a leading provider of Internet security software for the consumer, enterprise and SME markets.

Surveying over 1,100 members of Facebook, LinkedIn, MySpace, Twitter and other popular social networks, Webroot uncovered numerous behaviours that put social networkers’ identities and wallets at risk.

Among the highlights:

• Two-thirds of respondents don’t restrict any details of their personal profile from being visible through a public search engine like Google;
• Over half aren’t sure who can see their profile;
• About one third include at least three pieces of personally identifiable information;
• Over one third use the same password across multiple sites; and
• One quarter accept “friend requests” from strangers

“The growth of social networks presents hackers with a huge target. The amount of time spent on communities like Facebook last year grew at three times the rate of overall Internet growth,” said Mike Kronenberg, chief technology officer of Webroot’s Consumer business. “Three in ten people Webroot polled experienced a security attack through a social network in the past year, including identity theft, malware infection, spam, unauthorised password changes and “friend in distress” money-stealing scams. The first step to staying protected is being aware of what the threats are and knowing how to help prevent them.”

Social Networks Present New Opportunities for Cybercriminals

Cybercriminals employ various types of trickery and malware to capitalise on risky behaviours. One common tactic is phishing, which hackers use to entice victims into downloading an infected file, visiting a disreputable site outside the social network, or wiring money to a “friend in distress.”

In recent months, Webroot has seen an increase in these types of attacks on social networks, including “Trojan-MyBlot,” which targeted users of MyYearbook.com, and others targeting Facebook users including “Koobface” and several spread through the domains “mygener.im,” “ponbon.im” and “hunro.im.”

“Hackers lure users into taking actions they shouldn’t by making it appear as if a friend within their social network has sent them a message – only the message is from a hacker who’s hijacked the friend’s account,” continued Kronenberg. “We’ve seen instances where a salacious yet poorly worded message like, ‘This video of u is evrywhere’ includes a link that, when clicked, prompts the user to download a seemingly legitimate file which, once on your PC, can do a number of things — spam your friends, monitor your online activity or record your personal information.”

Hackers can also use less sophisticated means to execute attacks on social networks: The Webroot survey respondents who reported experiencing identity theft, a hijacked account and unauthorised username or password changes may have been victimised by hackers who were able to access their profiles and guess their passwords based on the personal information they included.

Summary of Key Findings

Results indicate a general lack of awareness of the security risks on social networks and the tools available to protect personal information, as well as higher rates of risky behaviours exhibited by younger social networkers.

Social networkers make private information public:

• 80 percent allow at least part of their profiles to be searchable through Google or other public search engines; 73 percent don’t restrict any profile information from being visible through public search
• Over half (59 percent) of respondents aren’t sure who can see their profile
• Over one quarter (28 percent) accept friend requests from strangers; of those, one third (36 percent) do not cloak any of their profile information
• About one third (32 percent) include at least three pieces of identifiable information

Privacy concerns outweigh protective actions:

• 78 percent expressed some concern over the privacy of the information they share in their profiles
• However, 36 percent use the same password across multiple sites
• And 30 percent do not have adequate protection against viruses and spyware

Younger users take more risks – 18-29 year olds are more likely to:

Use the same password across multiple sites (51 percent, versus 36 percent overall)
• Accept a friend request from a stranger (40 percent, versus 28 percent overall)
• Share more personal information that may compromise online privacy (67 percent share birth date, versus 52 percent overall; 62 percent share home town, versus 50 percent overall; 45 percent share employer, versus 35 percent overall)
• Experience a security attack (nearly 40 percent, versus 30 percent overall)

Tips for Safe Social Networking

• Guard your personal information – Use privacy settings to restrict who can see your sensitive information, or consider omitting all personal information from your profile
• Be skeptical — E-mails, friend requests, Web site links and other items from sources you do not know could be laced with malware
• Choose passwords wisely — Use different passwords for each of your sites; select a randomised combination of numbers and letters
• Have antivirus and antispyware protection – Even if you think you’re not infected, scan your machine for dormant viruses with a free scan; and protect your PC with an Internet security suite that includes antivirus, antispyware, and firewall technologies
• Always install updates – If you’re already using antimalware software, be sure to install updates which include the latest malware definitions; do the same with updates to your operating system
• Even with security in place, remain vigilant – Malware authors are continually writing new programs to avoid detection, so pay close attention to suspicious behaviour