Hackers Crash the Social Networking Party

The malware headache began for Robyn when she saw a MySpace bulletin from a friend inviting her to view new photos. She knew the friend in real life, so she went ahead and clicked the link. The site looked like a photo-sharing site, but one she had never heard of. Then her computer practically froze. A few days later, her MySpace friends received photo-viewing invites that seemed to come from her.

"It definitely wigged me out," says Robyn, who asked that her last name not be used. She hasn't touched that computer since.

Like pickpockets at a festival, money-minded malware authors are drawn by the huge crowds visiting social networking sites. In an August report, Internet security firm ScanSafe states that, on average, one in every 600 pages on the sites hosts some form of malware. The report says Facebook tended to be more secure given its previous member restriction to those with educational e-mail addresses, but the site has since opened its doors to everyone.

And these days, those viruses and worms are after your wallet. "There's a great deal of money in it for people to be able to get your personal data," said Lysa Myers, virus research engineer for McAfee Avert Labs, in an e-mail interview.

Poisoned Banner Ads

One major attack took place in July, when iDefense, a research and security company, discovered a poisoned banner ad that appeared on MySpace, Webshots, and many other sites. The new type of attack ad downloaded adware onto an estimated million computers, according to iDefense. The threat went after low-hanging fruit by exploiting an image file (.wmf) vulnerability. It's a vulnerability that was reported and fixed way back in January. But in the huge numbers game of social networking sites, the attack still found plenty of victims.

And the game is growing ever larger. MySpace ranks as the sixth most-visited site in the world, according to Alexa.com, which analyzes Web traffic and puts Flickr at number 39 and Facebook at number 69. Most social networking sites more than doubled their user base between July 2005 and July 2006, according to comScore Media Matrix.

It's not just eager teens visiting the sites, either. The ScanSafe report found that social networking sites now account for 1 percent of at-work Web browsing. This may not seem like much, but consider just how much Web traffic goes in and out of most every business in the nation.

Good Defense Necessary

Even if the site maintainers are on the ball--MySpace generally gets decent marks for closing new-found holes and threats on its site--the sheer number of people involved can present an irresistible target for crooks. To keep your system safe, make sure you've got a layered defense with good antivirus and antispyware programs, and a firewall. PC World's Spyware and Security Info Center contains the latest security software reviews and rankings, and a link to our Internet Safety Tool Kit.

In addition, Dan Moniz, a security consultant in San Francisco, recommends using a browser other than Internet Explorer. "The way that Internet Explorer is hooked in with the operating system can cause some problems," he says. The July banner ad attack targeted Internet Explorer.

As if downloaded malware weren't enough, future attacks could twist things so that the browser attacks a site. At the BlackHat Internet security conference in Las Vegas this year, Moniz and HD Moore, head of the Metasploit project and a well-known hacker, presented a novel proof-of-concept hack. It showed that a poisoned site could infect a Web browser using Javascript such that the browser becomes an attacker and infects visited blogs or social networking sites. It could spam links to malware downloads or overwhelm blogs with casino advertisement comments, for instance.

Like many proof-of-concepts, this one might never become a real threat. It still has to find an open security hole to infect the browser in the first place, and it might never interest malware writers who have plenty of other profitable methods currently in use. But it's one more example of a party crasher just waiting to spoil the fun.