Network News

X My Profile
View More Activity

Social Networking Accounts Prized By Cybercrooks

Cyber criminals increasingly are moving away from trying to break into computers directly, choosing instead to target Internet users where they spend much of their time online -- at social networking Web sites, new data suggests.

In an analysis of cyber crime activity in the 2nd half of 2007, security vendor Symantec Corp. found that two social networking sites together were the target of 91 percent of U.S.-based phishing Web sites. Social networking sites also were the leading targets of phishing sites located in four other countries listed by Symantec in its phishing Top 10.

Source: Symantec Corp.

Hijacked social networking pages often are used to host malicious software or "malware" directly or to host links phishing or malware sites that are then advertised in messages sent to all of the contacts in the victim's social network.

Why on earth would hackers want to bother stealing user names and passwords for Myspace or Facebook accounts? The answer lies in the very nature of social networking sites, online destinations where individuals regularly interact with friends and acquaintances.

Spreading malware via hijacked social networking accounts is ideal because people are far more likely to click on a link recommended by someone in their close circle of friends than they are a link that arrives in a message from a complete stranger, said Alfred Huger, vice president of engineering at Symantec Security Response.

"The main reason [criminals] are targeting this area so heavily is because most of us take part in them," Huger said of social networking sites. Indeed, four of the top 10 most-visited sites on the Web are social networking sites, according to global Web site rankings by Alexa.

Cyber crooks are still principally out to steal financial and personal data that can be resold to identity thieves or converted into cash. And data-stealing computer viruses remain among the most expedient way to extract that data from victims. Symantec found that 68 percent of the 50 most-frequent potential infections reported by customers involved malware that tried to access things like stored usernames, passwords and financial data.

The shift from hacking the computer to hacking the user can be seen as well in pure malware-based attacks. Symantec found that only 10 percent of all malware samples detected in the second half of 2007 sought to infect computers by exploiting security vulnerabilities in Microsoft Windows or other software. That means that 90 percent of all malware installed on PCs in the last six months of 2007 got there by simply tricking people into installing it themselves.

Spam is another area where social engineering and malware have teamed up to help criminals make major inroads. Junk e-mail made up more than 70 percent of all e-mail communications in the latter half of 2007. While spam is often used to advertise links to malicious software, hardly any actual malware is sent directly via spam these days. In fact, Symantec found that less than two-tenths of one percent of all spam sent in the second half of 2007 contained malicious code.

Rather, today's malware is commonly advertised by spam but disguised as links to content or software applications that the recipient may already want to download, such as a game, an online greeting card, or a media player component supposedly required in order view specific types of online content -- usually videos.

One exceedingly common type of security vulnerability -- a Web site-specific programming error known as a "cross-site scripting" (XSS) flaw -- is increasingly being abused by malware writers and phishers to help exploit the trust people place in social networking and other well-known Web sites. XSS flaws occur when legitimate sites accept input from the user -- usually from something like a search box or e-mail form -- but do not properly filter that input to prevent the injection of potentially malicious instructions.

Such flaws allow an attacker to craft a Web link that, when visited, uses the vulnerable Web site to load or display content from a malicious site. When used in malware attacks, XSS flaws can help attackers make unfamiliar links appear to belong to high-profile sites that the user recognizes and trusts. Phishers can use XSS holse to craft links that, when clicked, display the name of the trusted site in the address bar of the victim's Web browser while displaying a fake login page served from a Web site controlled by the attackers.

In the first half of 2007, security researchers identified nearly 7,000 sites that contained cross-site scripting flaws. In the last six months of 2007, researchers found an additional 11,252 such site-specific flaws, many of them in high-profile sites such as,,, and Despite the fact that most of these Web site security flaws are posted to a publicly accessible archive site, only 473 of the cases discovered in the last half of 2007 were fixed by the end of last year, Symantec said.

By Brian Krebs  |  April 8, 2008; 12:01 AM ET
Categories:  Fraud , Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: RedBox Warns of Credit Card Skimmers
Next: Kraken Spawns a Clash of the Titans


In mid February, I paid a 3 day access fee to, an adult web site using a European file format. The site has GREAT teaser samples for their numerous well endowed female models.

The first check card I used appeared not to take, so I used another. Mind you, I downloaded nothing that cost any money, i.e., full videos -- only the short freebees.

I just discovered double billing on both check cards, one thru, and the other thru web[something].com on roughly the same billing dates, meaning that I was billed 4 times [twice per month thru each billing agent.]

Had they not been greedy and double billed me on the one card, I would not have even suspected anything on the other card. Both cards have been cancelled by the banks involved.

I would suspect, since I tried to sign in using the password assigned and the user name selected, a week after this 3 day teaser period lapsed and my username and password did not work, that any claim that they were merely continuing billing me until they got a call on the HOT phone from the former NY governors office at high noon every Wed [or whatever ridiculous cancellation provisions were specified] to be largely bogus -- otherwise I could have signed in.

Does this look like accounting fraud, [no appearance of a hijacking is being detected by my multiple 'security programs.'

If there is a history of problems like this from this website, I am sure my banks would like to know. Where does one find such 'histories?'

Posted by: brucerealtor | April 8, 2008 1:16 AM | Report abuse

I guess that one could call this a 'social networking site.' LOL

Posted by: brucerealtor | April 8, 2008 1:19 AM | Report abuse

Free Anti spam webinar, Why Today's Spam Filters Fail

Spam isn't just a big nuisance; it's big business as well. So why is spam persisting?
Ferris Research estimates that spam will cost $140 billion worldwide in 2008, of which $42 billion will be in the United States alone. If you compare these numbers with Ferris's 2007 estimates of $100 billion and $35 billion, you'll see that the cost of spam has increased substantially over 12 months.

Register for a complimentary Webinar conducted by Abaca and Ferris research to know more about how you can stop this nuisance. To register please click the link below:

Posted by: victor louis | April 8, 2008 3:15 AM | Report abuse

@ brucerealtor

If you have not gotten your money back:

Get the company name and address (visit their corporate web page, usually in "Contact Us") and keep track of all invoice numbers, reference numbers, whom you talked to or emailed in customer service and when. Then visit the Better Business Bureau's web site and file a claim. For resolution simply say you want a full refund and state the amount. Do the same for both companies in separate claims. The BBB acts as an intermediary, plus you'll add a history for the two companies or see if others have experienced the same. If no resolution occurs after this, then contact your State Attorney General website and ask them to send a letter to the company on your behalf, pressuring the company to act. Do this after contacting the BBB first so there is a precedent.

There is no need to do any of this if money is no longer the issue and the company has not adversely affected your credit rating by claiming a default on recurring payments.


Posted by: JimGoldbloom | April 8, 2008 8:00 AM | Report abuse

...Or you could ignore anything from a "friend" with an odd-looking link and broken syntax, and not install any of the numerous sketchy Facebook applications out there.

Wait, then everyone would have to become well-spoken and rational in order to effectively function online.

Posted by: Adam | April 8, 2008 9:36 AM | Report abuse

"Despite the fact that most of these Web site security flaws are posted to a publicly accessible archive site, only 473 of the cases discovered in the last half of 2007 were fixed by the end of last year, Symantec said."

Ouch! :)

Posted by: Giorgio Maone | April 8, 2008 10:01 AM | Report abuse

@Giorgio -- Nice find! That's a very recent one. You reminded me that I had meant to go back and research if any of those zero day threats in 2007 that Symantec mentions in its report were for Symantec products. Anyone?

Posted by: Bk | April 8, 2008 10:05 AM | Report abuse

While I'm reading this column there is an annoying "Please take our survey" floating around which I presume to be from the Washington Post.

First question on the survey: In what year were you born ?. Cool, the beginnings of identity theft.

Don't your employers read your column ?

Posted by: John | April 8, 2008 10:44 AM | Report abuse

As Royko advised: Always lie to pollsters.

Posted by: Adam | April 8, 2008 3:55 PM | Report abuse

Jim Thank you. My primary concern is getting my banks to restore the funds, which in prior instances has usually been successful. The exception was with ENTERPRISE Rent-a-Car here in DC, where I used a checkcard for a $100 deposit to rent a vehicle where a 3rd party accident claim was involved. State Farm [that likes to use junk yard parts] on vehicles over 5 or 6 years old when possible claimed that some of the damage from an accident was 'really caused' in a previous accident, where Allstate was involved, so we had to get Allstate out and while they covered the repair of the previous issues, the rental car coverage got split between the two carriers and they couldn't agree on who owed what. THUS. ENTERPRISE'S 'accounting dept.' hit my check card for about $600 -- over the Christmas & New Years holidays.

When I discovered this [ouch] I demanded my bank to charge back ENTERPRISE bwecause I had written on their form contract that no further funds could be obtained without subsequent authorization. Now the branch in downtown DC knew this, but the accounting dept didn't.

I advised the bank that the withdrawels were [1] unauthorized and [2] covered by a collateral source -- the insurance. They heard what they wanted to hear [2] and not [1.] The account remains overdrafted by the banks actions [not following my instructions] and until it gets resolved, I am using another bank. PLUS, the bank never looked at the ENTERPRISE agreement.

While a credit score is important, I don't have SUCKER written on my forehead. If they report this to any of the bureaus, I will challenge it there, but I believe it will get resolved, even if we have to wait for the insurance money.

As a former trial attorney, I am also trying to minimize the NUISANCE VALUE to me [not that the Real Estate market is booming these days LOL.]

Posted by: brucerealtor | April 9, 2008 4:08 AM | Report abuse

U need antivirus?

Posted by: antivirkaspersky7 | April 25, 2008 7:16 AM | Report abuse

I don't generally feel anything until noon; then it's time for my nap.

Posted by: Airline Ticket | May 4, 2008 11:48 AM | Report abuse

Art is either plagiarism or revolution.

Posted by: Cheap Car Insurance | May 4, 2008 11:48 AM | Report abuse

Writing gives you the illusion of control, and then you realize it's just an illusion, that people are going to bring their own stuff into it.

Posted by: valium | May 4, 2008 11:48 AM | Report abuse

Do you want to see good pics?,

Posted by: Barsuk | May 4, 2008 6:07 PM | Report abuse

Thanks for the tip on how cyber criminals are choosing to go to social sites to steal vital information. So they wouldn't go to a site like but to and many others.

Posted by: George S Alarcon | May 9, 2008 5:54 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company