Researchers Warn of Social Networking Scams

LAS VEGAS, NEV. -- Social networking sites like Facebook, MySpace and LinkedIn are fast emerging as some of the most fertile grounds for malicious software, identity thieves and online mischief-makers. And while some of the talks given here at the Black Hat hacker conference would probably make most people want to avoid social networking sites altogether, it turns out that staying off of these networks entirely may not be the safest option either.

The biggest danger from social networking sites is that they are all tripping over themselves to embed powerful functionality that most subscribers will never use, said Shawn Moyer, chief information security officer at Agura Digital Security, a Web and network security firm. Speaking with Nathan Hamiel, senior consultant for Idea Information Security, Moyer co-presented a talk today called "Satan is on My Friends List," in which he demonstrated a plethora of ways that user-created applications popular on MySpace could be used to hijack and/or lock out accounts, or trick the user into installing malicious software.

Paradoxically, there may be danger in remaining a social networking site Luddite. After all, if you don't claim a space on these networks, someone else may do it for you as a way of scamming or attacking your friends and business contacts. With the permission and good humor of security pioneer Marcus Ranum, Hamiel and Moyer created a LinkedIn profile on Ranum's behalf, including a photo of him and bits from his resume to make the profile look legit. In less than 24 hours, more than 50 people had joined his LinkedIn network. Among those taken in by the stunt was Ranum's sister.

"Even if you just put some basic information out there that's easy to find, you're kind of controlling your privacy that way," Hamiel said.

In another warning to the social networking community, a pair of researchers presented on Wednesday various ways to create mischief using Google Gadgets, free programs such as calendars or photo feeds that people can add to their personalized Google home pages. The trouble is that anyone can create gadgets and make them available for download on Google's site, and gadgets can include arbitrary JavaScript commands and other powerful programming features that expose the user's system and network to a laundry list of nasty attacks, from phishing to data poisoning and theft to Web site defacement and surreptitious internal network scanning.

"How do you know it's a legitimate gadget?" asked Robert "RSnake" Hansen, chief executive of SecTheory, a security consultancy. "There's no moderation. There's no way to guarantee it won't turn bad."

In a statement given to the Associated Press, Google said that it scans all gadgets regularly for malicious code, and in the "very rare" instance in which one is found, it's immediately blacklisted.

All this talk of the dangers lurking on social networking sites may seem like stating the obvious. But the reality is that most people are trusting individuals at heart, and social networking sites build themselves on a culture of trust: Trust that clicking on a user's photo or merely reading a message from another reader won't turn your computer into a spam-spewing zombie or cause your page to become a vector for cyber attacks against others.

Yet, that's exactly what happened last week, when security companies began warning about a new worm that was spreading like a nasty rash across social networking sites like Facebook and MySpace. Dubbed Win32.Koobface by Russian anti-virus firm Kaspersky Lab, the worm arrives as a link to a video that prompts the user to install what is presented as an Adobe Flash browser plug-in. The worm spreads when a user who has installed the bogus plug-in logs on to his or her MySpace or Facebook page, at which point the malware adds links to the poisoned videos in the comments section of all of the victim's friends' pages (the "Paris Hilton Tosses Dwarf on Street" spam subject line detailed in a blog post last week on silly spam message titles is in fact one of the subjects used by this worm).
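The propagation pattern just described, one infected account dropping the same video link on many friends' pages within minutes, is something a site operator or abuse team can look for in comment-posting logs. The following is an added example, not code from the article or from any of the vendors it mentions; the activity log, account names and URLs are constructed, and the thresholds are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://\S+")

# Constructed activity log: (timestamp, poster, page_owner, comment_text). Not real data;
# modelled on the worm behaviour the article describes, where an infected account leaves
# the same video link in the comments of many friends' pages in quick succession.
SAMPLE_EVENTS = [
    ("2008-08-01T10:00:00", "alice", "bob",   "lol see this http://vid.example/clip?id=7"),
    ("2008-08-01T10:00:04", "alice", "carol", "http://vid.example/clip?id=7 paris hilton!!"),
    ("2008-08-01T10:00:09", "alice", "dave",  "omg http://vid.example/clip?id=7"),
    ("2008-08-01T10:00:15", "alice", "erin",  "watch: http://vid.example/clip?id=7"),
    ("2008-08-01T10:00:20", "alice", "frank", "http://vid.example/clip?id=7"),
    ("2008-08-01T11:30:00", "bob",   "alice", "great photos http://pics.example/album/3"),
    ("2008-08-01T12:00:00", "bob",   "carol", "same album http://pics.example/album/3"),
]

def parse_events(events):
    """Yield (datetime, poster, page_owner, url) for every URL found in each comment."""
    for ts, poster, owner, text in events:
        when = datetime.fromisoformat(ts)
        for url in URL_RE.findall(text):
            yield when, poster, owner, url.rstrip(".,!)")

def find_link_bursts(events, min_pages=4, window_minutes=10):
    """Return {(poster, url): sorted page owners} for every poster that put the same URL
    on at least `min_pages` distinct friends' pages inside a sliding time window.
    A legitimate user sharing one link with two friends an hour apart is not flagged."""
    window = timedelta(minutes=window_minutes)
    by_key = defaultdict(list)
    for when, poster, owner, url in parse_events(events):
        by_key[(poster, url)].append((when, owner))
    bursts = {}
    for key, hits in by_key.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            owners = {o for t, o in hits[i:] if t - start <= window}
            if len(owners) >= min_pages:
                bursts[key] = sorted(owners)
                break
    return bursts

if __name__ == "__main__":
    for (poster, url), pages in find_link_bursts(SAMPLE_EVENTS).items():
        print(f"{poster} posted {url} to {len(pages)} friends' pages: {pages}")
```

A hit is a lead for an abuse analyst, not proof of infection; the thresholds need tuning against a site's normal sharing behaviour.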

-- Brian Krebs

By washingtonpost.com Editors  |  August 7, 2008; 5:30 PM ET
Categories:  Latest Warnings  

Comments

Other than avoiding social networking sites altogether, the best solution is a defense in depth strategy based on a limited user account. Unfortunately, there are A LOT of people that can't be bothered to secure their system and thus become the low hanging fruit ripe for the picking.

You can preach about defense in depth until the cows come home, but until people are serious about securing themselves, it's all for naught. Stupid is as stupid does.

Posted by: TJ | August 7, 2008 6:31 PM | Report abuse

Working at a business network, konnects.com, I see firsthand the amount of trust people do place on social networks. People need to be educated about good internet technique. There is a danger, however small, by just using the internet that you could be exposed to some malicious intent, but not any more so than driving your car down the road.

Brian
http://www.konnects.com

Posted by: Brian | August 7, 2008 7:25 PM | Report abuse

Hi Dan,

I think Las Vegas can stand alone in the dateline, without the Nev. Unless Wash Post has a different style...

Posted by: reader | August 8, 2008 10:27 AM | Report abuse

@reader

Who's Dan?

Posted by: another reader | August 8, 2008 12:00 PM | Report abuse

"Black Hat Conference" indeed... REAL Black Hatters don't hold conferences. These guys are so lame... a bunch of wannabes who are trying to prove something. All they really do is point out the obvious.

I thought it was funny those three French reporters hacked their private network. And their response? You can't do that, go home! Ha-ha! They were pretty upset that they were on the hacked end. Why didn't they secure their network?! Lame...

Posted by: Ted | August 8, 2008 1:00 PM | Report abuse
