The marriage between social networking and social engineering could be one of the top security threats in 2011. Social engineering is hardly a new issue, but as social networking becomes more mainstream both in the home and in business, it goes to follow that the bad guys will do whatever they can to be one step ahead of users.
According to the folks from Zscaler:
Attacks on end users virtually always involve social engineering-a user must be convinced to visit a web page, open an attachment, etc. Spam email has valiantly served this purpose for many years, but just as everyday users are migrating away from email and toward social networks such as Facebook and Twitter for communication, so too are hackers. This is far from a bold prediction as attackers have been abusing social networks since they first came online. For example, XSS vulnerabilities on Twitter have been used to push malicious tweets, while Likejacking has emerged on Facebook as a means of promoting malicious profiles.
Social engineering schemes will be like this one I stumbled across today at MountainRunner.us:
Some colleagues are reporting a phishing expedition to identify and engage Information Operations experts on LinkedIn. They've reported invitations from "George W." who purports to be "Colonel Williams", an "IO professional" in the DC area.
Invitations, with a number of wording variations, has been received by a number of active duty IO personnel recently. Investigation by several others has shown that the profile is for a nonexistent person.
In my own professional network, a person was friending everyone, yet no one knew him. Despite that, over 40 people clicked the accept button (I was not one them), so it looked like we had a wide circle of mutual friends. Turns out, the person was a scammer and his account was quickly deleted from the social network. Who knows what his intent was, but it appears he was taken care of before he could do damage. I expect to come across many more situations like that in the coming year.