Security experts warn of social engineering risks

Criminals find it increasingly easy to obtain log-in credentials

F-Secure has warned that hackers are using instant messaging applications in an attempt to snare personal user log-ins.

The security firm explained that hackers are exploiting messaging apps to ask users about some photos. Messages appear to come from a friend and say: 'Are you sure you didn't post these photos?'

A link in the message leads to an official looking web site where the photos can be seen. Access to the bogus site requires the user's MSN log-in details, which are then harvested by the fraudsters.

"Let's not forget to be careful on IM, that other favourite medium for spreading social engineering links," said Choon Hong, a web security expert at F-Secure, in a blog post.

Meanwhile, Graham Cluley, senior technology consultant at Sophos, has just published the results of an experiment designed to illustrate the ease with which social engineering attacks can be launched.

Cluley and Carole Theriault, senior security consultant at Sophos, took to the streets of Bristol armed with a video camera and a flimsy excuse to harvest some personal information.

The pair found that in most cases people were happy to give up their names, date of birth and email address, all of which could be used by criminals to steal an identity.

"Only one person refused to give us any personal information at all. Everyone else at least gave us their name, and most gave us their date of birth and email address. Our feeling was that, if we had engineered our questions and spent more time with each 'victim', we could have probably ascertained their address," said Cluley in a blog post.

The security expert advised individuals and businesses to be more careful with personal information.

"It's not just a personal problem, of course. Businesses and organisations also have a responsibility to look after sensitive information and ensure that it isn't exposed and doesn't fall into the wrong hands," he said.