Researchers Warn of Social Networking Scams
LAS VEGAS, NEV. -- Social networking sites like Facebook, MySpace and LinkedIn are fast emerging as some of the most fertile grounds for malicious software, identity thieves and online mischief-makers. And while some of the talks given here at the Black Hat hacker conference would probably make most people want to avoid social networking sites altogether, it turns out that staying off of these networks entirely may not be the safest option either.
The biggest danger from social networking sites is that they are all tripping over themselves to embed powerful functionality that most subscribers will never use, said Shawn Moyer, chief information security officer at Agura Digital Security, a Web and network security firm. Speaking with Nathan Hamiel, senior consultant for Idea Information Security, Moyer co-presented a talk today called "Satan is on My Friends List," in which he demonstrated a plethora of ways that user-created applications popular on MySpace could be used to hijack and/or lock out accounts, or trick the user into installing malicious software.
Paradoxically, there may be danger in remaining a social networking site Luddite. After all, if you don't claim a space on these networks, someone else may do it for you as a way of scamming or attacking your friends and business contacts. With the permission and good humor of security pioneer Marcus Ranum, Hamiel and Moyer created a LinkedIn profile on Ranum's behalf, including a photo of him and bits from his resume to make the profile look legit. In less than 24 hours, more than 50 people had joined his LinkedIn network. Among those taken in by the stunt was Ranum's sister.
"Even if you just put some basic information out there that's easy to find, you're kind of controlling your privacy that way," Hamiel said.
"How do you know it's a legitimate gadget?" asked Robert "RSnake" Hansen, chief executive of SecTheory, a security consultancy. "There's no moderation. There's no way to guarantee it won't turn bad."
In a statement given to the Associated Press, Google said that it scans all gadgets regularly for malicious code, and in the "very rare" instance in which one is found, it's immediately blacklisted.
All this talk of the dangers lurking on social networking sites may seem like stating the obvious. But the reality is that most people are trusting individuals at heart, and social networking sites build themselves on a culture of trust: Trust that clicking on a user's photo or merely reading a message from another reader won't turn your computer into a spam-spewing zombie or cause your page to become a vector for cyber attacks against others.
Yet that's exactly what happened last week, when security companies began warning about a new worm that was spreading like a nasty rash across social networking sites like Facebook and MySpace. Dubbed Win32.Koobface by Russian anti-virus firm Kaspersky Lab, the worm reaches users through a link to view a video, which prompts them to install what is presented as an Adobe Flash browser plug-in. It then propagates when a user who has installed the bogus plug-in logs on to his or her MySpace or Facebook page, at which point the malware adds links to the poisoned videos in the comments section of all of the victim's friends' pages (the "Paris Hilton Tosses Dwarf on Street" spam subject line detailed in a blog post last week on silly spam message titles is in fact one of the subjects used by this worm).
-- Brian Krebs