The Internet scammers often referred to as "phishers" are using smarter tactics and tapping into social networks to spread malicious software and obtain personal information from Internet users.

The Internet scammers often referred to as “phishers” are using smarter tactics to get around protection services and obtain personal information from Internet users. Instead of preying on victims through email, cybercriminals are tapping into the dark side of the latest online phenomenon: social media.

At the end of 2010, nearly 85 percent of recorded phishing attempts used social networks as a lure, up from 8.3 percent at the start of the year, Microsoft Malware Protection Center reported.

Phishing, which is the act of tricking someone into surrendering private information over the Internet, follows the idea of actual fishing — you throw out bait with the hopes that while some ignore it, others will bite. Attacks most commonly come in the form of emails or messages that contain viral links.

Tim Rains, director of product management for Trustworthy Computing at Microsoft, said social-media sites make it easier for attackers to spread malicious software through links, photos and applications because those users are typically more trusting.

A reasonably savvy Internet user may be unlikely to open an email from an unknown correspondent and click on the attached link. But if someone on Facebook sees a link from a friend, he or she may be more inclined to believe it to be safe.

When the information is shared by a user the victim knows, attackers assume the attempt will be “more successful than anonymous email,” Rains said.

For example, you see a message from a friend or a link on your Facebook news feed. You click on it only to find a second window that pops up asking for your login, credit card or other personal information. You may trust it because you think it came from your friend. But security experts say these are common Internet scams, used to get you to input your information.

Some 43 percent of social-networking users were thought to be victims of such attacks, according to a report by ZoneAlarm, a software technology company. Tabatha Marshall, founder of nonprofit organization Phishbucket, which seeks to protect job seekers from phishing attacks, said she gets many comments from people who have fallen for attacks via personal messages on Facebook. Many of these messages contain job offers and are from someone the victim has mutual friends with, she said.

“It’s relatively easy for a scammer to get into someone’s daily life on social networks,” Marshall said.

Internet Identity, a Tacoma security company, said password reuse, willingness to click on bad links that look legitimate, and poorly controlled databases are becoming well-known problems for businesses and organizations.

Rod Rasmussen, president and CTO of Internet Identity, said criminal phishing groups act like real companies with strategies and areas of specialization that allow them to be successful.

“It’s a double-edged sword,” he said. “We are highly connected and are all sharing information, but at the same time, that makes it far easier, quicker and more effective for them to spread their virus.”

Dave Dittrich, senior security engineer at the University of Washington, said phishing will likely be even more of a problem as more people go online and use smartphones. Cybercriminals will shift their attack from one platform to another, he said, comparing Internet users to a growing field from which scammers can harvest.

But the real story isn’t the type of mechanism being used to target victims, he said.

It’s that “people are simply not learning how to avoid being tricked on the Internet,” Dittrich said.

Christine Harvey: 206-464-3263 or charvey@seattletimes.com