Malware, scams and the unwitting over-sharing of personal information are among the top security and privacy threats associated with Google+, according to security experts.
The emotional connection and attachment to "circles" that Google's increasingly popular social networking platform epitomizes may be a scammer's ticket to an easy con, one security expert has warned.
A month into its launch, Google+ has attracted around 20 million users, who sign up via "invites" from existing members. This "referral" scheme has given cybercriminals an opening to push survey scams, Myla Pilao, director of core technology marketing at Trend Labs, highlighted in an e-mail interview.
Cybercriminals, she explained, have capitalized on the "perceived scarcity of the accounts" to create fake Web sites to lure unsuspecting victims interested in joining the social network. According to her, such sites claim to offer downloadable invites after a user completes a series of surveys.
When users try to dismiss the list of surveys, they are redirected to a file-sharing Web site that offers two options: download the invitation for free after answering one of the surveys, or pay a fee to obtain it, she noted.
"Users who choose to go with the free option will see a warning that tells them they can only enter valid information or be banned from the site, apart from not being allowed to download an invitation," said Pilao. "The users are then led to the survey of their choice."
The surveys take the form of IQ tests, and on completing one the user is asked to enter a mobile number. The entire exercise never leads to the creation of a Google+ account; instead, victims may find unwanted "club" subscription charges on their subsequent phone bills, she cautioned.
According to various reports, Fabio Assolini, malware researcher on Kaspersky Lab's global research and analysis team, said the Russian security vendor had identified fake invites sent by Brazilian cybercriminals and targeting Portuguese speakers. The invites contained links to malware, specifically banking Trojans, a family of malware built to steal online-banking log-in credentials.
When clicked, the links redirect the user to a .cmd file (a Windows batch script) hosted on Dropbox. The same message also carries a link to a document purportedly hosted on Google Docs, which is in fact a fake form built to harvest the names and e-mail addresses of further victims.
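The lure just described has two tell-tale features a mail-triage script can check for: an "invite" link that, after redirection, resolves to an executable such as a .cmd file on a file-sharing host, and a "Google Docs" link whose real target is not a Google domain. The following is an added example of such a check, not code from the article or from Kaspersky Lab or Trend Micro. The sample messages, the host lists and the redirect table are constructed for illustration; in a real deployment the redirect table would be replaced by HEAD requests that follow Location headers.

```python
"""Triage heuristics for fake social-network invites (constructed example)."""
import posixpath
import re
from urllib.parse import urlparse

# Extensions Windows runs as code when opened (.cmd is the one the article
# names). A social-network invite should never resolve to one of these.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".js", ".jar", ".pif"}

# File-sharing hosts commonly abused to stage payloads (assumed list).
FILE_SHARING_HOSTS = {"dropbox.com", "mediafire.com", "4shared.com"}

# Hosts a genuine Google+ invite or Docs link points at (assumed list).
LEGIT_HOSTS = {"plus.google.com", "docs.google.com", "accounts.google.com"}

# Constructed stand-in for live redirect resolution: short URL -> target.
REDIRECTS = {
    "http://bit.ly/gplus-invite": "http://dl.dropbox.com/u/12345/invite.cmd",
}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def under(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def resolve(url, redirects=REDIRECTS, max_hops=5):
    """Follow the (constructed) redirect chain, bounded to avoid loops."""
    for _ in range(max_hops):
        nxt = redirects.get(url)
        if nxt is None or nxt == url:
            break
        url = nxt
    return url


def extract_links(body):
    """Return (href, anchor_text) pairs; bare URLs get anchor_text None."""
    links = [(href, re.sub(r"<[^>]+>", "", text).strip())
             for href, text in ANCHOR_RE.findall(body)]
    remainder = ANCHOR_RE.sub(" ", body)
    links += [(url, None) for url in URL_RE.findall(remainder)]
    return links


def triage_link(href, anchor_text=None, redirects=REDIRECTS):
    """Return (final_url, findings) for one link after redirects."""
    final = resolve(href, redirects)
    parsed = urlparse(final)
    host = parsed.hostname or ""
    ext = posixpath.splitext(parsed.path)[1].lower()
    findings = []
    if ext in EXECUTABLE_EXTS:
        findings.append(f"resolves to executable {ext} on {host}")
    if under(host, FILE_SHARING_HOSTS):
        findings.append(f"payload staged on file-sharing host {host}")
    if "google" in host and not under(host, LEGIT_HOSTS):
        findings.append(f"Google lookalike host {host}")
    if anchor_text and "google" in anchor_text.lower() and not under(host, LEGIT_HOSTS):
        findings.append(f"link text claims Google but target is {host}")
    return final, findings


def triage_message(body, redirects=REDIRECTS):
    """Return ('clean' | 'suspicious', {href: (final_url, findings)})."""
    report = {}
    for href, text in extract_links(body):
        final, findings = triage_link(href, text, redirects)
        if findings:
            report[href] = (final, findings)
    return ("suspicious" if report else "clean"), report


# Constructed samples: a lure modelled on the article's description and a
# plausible genuine notification. Neither is a real captured message.
LURE = ('You have been invited to Google+! Download your invite here: '
        'http://bit.ly/gplus-invite\n'
        'Confirm your details in our Google form: '
        '<a href="http://invite-googleplus.example/form">docs.google.com/form</a>')
GENUINE = 'Someone added you on Google+: https://plus.google.com/_/notifications/emlink?emid=abc'

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("genuine", GENUINE)):
        verdict, report = triage_message(msg)
        print(name, verdict)
        for href, (final, findings) in report.items():
            print("  ", href, "->", final, findings)
```

The lure is flagged twice over: the shortened invite link resolves to a .cmd on a Dropbox subdomain, and the "form" link's anchor text names Google while its host merely contains the word. The genuine notification, whose only link sits under plus.google.com, comes back clean. Extension and host checks on the final URL rather than the visible one are what matter here, since the visible link in the article's case was a shortener.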
Social engineering woes
Trend Micro's Pilao added that cybercriminals may exploit the fact that Google+ profiles display the user's gender to tailor social engineering attacks.
"In the recent past, we have come across an increasing number of such attacks. As they become more complex and socially engineered, they are also crafted based on gender interest and we may see this come up once Google+ takes flight," she noted.
Such attacks, she said, can be delivered through intriguing or shocking images, spam and direct messages, and spammed messages posing as update or activity notifications.
The transparency and ease of use of Google+ have made it a hit among social media fans, but as Chester Wisniewski, senior security advisor at Sophos, found out, the integration of Gmail and Google+ may reveal a user's online status whether they like it or not.
"One thing that you may not realize is that updating your Google Chat status will make that information available to those following your circles," he said. "Once logged on, potentially hundreds of people will now see your status change."
Pictures added to Google+ are also automatically uploaded to the user's Picasa/Google Pictures album, he added. While these pictures are not "shared in any way", they are still "sent to the cloud" without the user's permission, Wisniewski pointed out.
Pilao said the ability to aggregate information is an extremely useful tool for Google users, but for cybercriminals it simply means "an increase in the number of channels that a hacker can play around with while targeting individuals for his attacks".
Both experts confirmed that so far no serious attacks on the Google+ platform have taken place, but cautioned users to remain vigilant.