Malware Makes Social Networks Less Sociable

by Brian Prince

Obama and Spears joined a number of people whose accounts were compromised when an individual hacked into some of the tools Twitter’s support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can’t remember or get stuck. In response, Twitter said it was increasing the security of its sign-in tools and further restricting access to support tools.

Cybercriminals bank on the users being more willing to open a message and click on a link sent to them by a “friend” via social networking site than they are on regular email. Case in point is the Koobface worm, which sent Facebook messages to people listed as “friends” of someone already infected in an attempt to lure victims to sites hosting malicious content. The message: always be careful before clicking on links, even from people you know.

Given the open nature of social networks, it is no surprise that there is plenty of personal information out there. This makes the sites fertile ground for phishers. Many Twitter users fell victim to a well-publicized phishing scam earlier this month where scammers used promises of a free Apple iPhone to lure them into giving up their credentials.

Security vendors have reported a number of phishing sites that pose as log-in pages for sites like Facebook and hi5. Sometimes links to the fake log-in pages are spammed out. As usual, security pros urge users to check URLs for any errors, and again, be careful what they click on.

Once phishers have stolen a user’s credentials, they may be able to insert malware or links to malware on their pages to infect visitors. They can also simply create pages for the same purpose. A recent example of this was reported on LinkedIn, where profiles for celebrities such as Beyonc??« Knowles and Salma Hayek were found with malicious links.

A few months ago, Facebook won a $873 million judgment against a spammer in federal court, a victory for social networks. Most sites have policies that allow users to decide whether or not to display their full e-mail information, but security researchers warn that many users are not cautious when it comes to their privacy settings.

Another technique scammers use once they have taken control of an account is to use sympathetic story to try to get victims to give up money. In some cases, hackers have used a site’s live IM/chat to talk to “friends” and trick them into giving up money. SnapStream CEO Rakesh Agrawal recently published a transcript of such a scam attempt, where a hacker who compromised the account of someone Agrawal knew tried to get the CEO to wire money.