Social networks are fun to use, helpful for job hunting, and great for keeping in touch with friends, business contacts, and relatives. The downside: The bad guys know you're using these networks like crazy, and they're gunning for you.
Social Networking Traps
Why You Should Care: Sneaky sociopaths are using social network sites to infect, phish, and spam you.
Scenario: A message from one of your friends shows up in your inbox, sent via a social network site that you use regularly, such as Facebook (to understand social networking better, read "A Peek Inside Facebook").
The message promises a big laugh and points to a Web site you've never heard of. You think you can trust it, so you click the link--and the next thing you know, your PC is misdirected to a phishing page that steals your log-in details or to a drive-by download site that infects your system with a password-stealing Trojan horse. Your friend says she never sent you the message.
Whether the culprit is a fake LinkedIn profile page that serves up dangerous URLs or a bogus Twitter message that purportedly comes from your friends, social networks are rapidly becoming the newest medium for malware attacks. As operating systems and applications became harder to hack directly, online criminals realized that it was much easier to fool people into clicking bad links, opening dangerous files, and running malicious software. And the best place to exploit the trust between friends and colleagues is in the mechanisms of the social network itself.
By now, most Internet users are savvy enough to recognize spam e-mail. But what about a spam tweet that seems to come from someone in your circle of friends and takes you to a page that looks almost exactly like the one you use to log in to Twitter? A week may go by, and suddenly the data thieves who now control your account begin sending messages with URLs--some of which perform drive-by downloads and infect the recipients' PCs with malware--to everyone in your social network.
Facebook and MySpace users have already had to deal with a number of worms and other nasties that spread independently of any action taken by the account holder. Expect more of these automated attacks in the future.
Fix: If you think that your social networking account details have been compromised or stolen, report your suspicions to the site's support team immediately. Change your password frequently, and avoid clicking links that purport to send you back to the social network site. Instead, type the site's address directly into your browser (or follow a bookmark you've previously saved) to get back to your account.
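Why a link that "purports to send you back" to the site deserves suspicion, shown as an added example that is not part of the original article: the name a reader sees in a link is often not the host the browser contacts. The trusted-domain list, the function name and the `.example` links below are assumptions constructed for illustration.

```javascript
// Added example: decide where a link really leads before trusting it.
// TRUSTED is an assumption: the sites you actually hold accounts with.
const TRUSTED = ["twitter.com", "facebook.com", "linkedin.com"];

function classifyLink(href, trusted = TRUSTED) {
  let url;
  try {
    url = new URL(href); // same parsing rules a browser applies
  } catch {
    return { verdict: "invalid", host: null };
  }
  // A log-in page that is not served over HTTPS is rejected outright.
  if (url.protocol !== "https:") {
    return { verdict: "not-https", host: url.hostname };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Trusted only if the host IS the domain or a true subdomain of it.
  const onSite = trusted.some((d) => host === d || host.endsWith("." + d));
  // Text before "@" is userinfo, never the destination; a genuine
  // log-in link has no reason to carry it.
  if (onSite && !url.username && !url.password) {
    return { verdict: "trusted", host };
  }
  // Not trusted. Label it a lookalike when it borrows a brand name
  // in the userinfo or somewhere in the host.
  const brands = trusted.map((d) => d.split(".")[0]);
  const bait = (url.username + "." + host).toLowerCase();
  const imitates = brands.some((b) => bait.includes(b));
  return { verdict: imitates ? "lookalike" : "untrusted", host };
}

// Constructed sample links (not taken from any real message).
const samples = [
  "https://twitter.com/login",
  "https://mobile.twitter.com/session",
  "https://twitter.com.account-verify.example/login",
  "https://twitter.com@login.example/",
  "https://nottwitter.com/",
  "https://funny-video.example/watch",
  "http://twitter.com/login",
];
for (const s of samples) {
  const r = classifyLink(s);
  console.log(r.verdict.padEnd(10), String(r.host).padEnd(36), s);
}
```

Only the first two samples resolve to the real site; every other verdict means the safe route is the typed address or a saved bookmark.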
Credit Card Exposure Online
Why You Should Care: Resolving fraudulent credit card charges can be a messy, time-consuming process.
Scenario: Scanning your e-mail, you see a message from a large online retailer notifying you that an order you recently completed is ready to ship--but you didn't order anything. You follow a link in the message that supposedly leads back to the site's log-in page, which contains a Web-based form that lists the wrong credit card number and address for your account and requests that you fill in the correct information so that the company can initiate its dispute resolution process.
So you enter the card number, the card's expiration date, your billing address, the card verification value (CVV) number printed on the back, your birth date, and your dog's favorite flavor of Milk Bone. In your rush to correct the "mistake," you've just delivered your card details right into the hands of savvy phishers.
Since consumers are never liable for more than $50 of fraudulent credit card charges, you may wonder whether having your credit card information stolen is such a big deal. The answer is yes. You may not pay for the fraud directly and immediately, but all credit card users bear the burden in the form of fees and interest rates that factor in the cost of fraud to the credit card issuer.
In addition, you'll spend considerable time canceling credit card accounts, getting new cards issued, checking your credit reports, and changing the numbers in various accounts if you use them for automatic payments.
Fix: Some larger banks still offer single-use, "disposable" credit card numbers--you log in to your bank's Web site and identify the total amount of your purchase from the relevant online shop, and the banking site responds by spitting out a "credit card" number that can be used only for that amount and at that online store. Bank of America's ShopSafe, Citibank's Virtual Card Numbers, and Discover's Secure Online Account Numbers are still going strong, though American Express killed off a similar service years ago.
Google and Your Privacy
Why You Should Care: Any business that maintains so much information about you puts you at risk of having that data abused.
Scenario: Google seems to be everywhere these days. Aside from running an exemplary search engine, the company offers services for sending e-mail, receiving news feeds, and shopping. Furthermore, many of your favorite Web sites probably use Google to serve ads, syndicate content, or even track their own performance. Your Google account is like a diary of everything you do online: It can track your surfing behavior and even show you trends that you may not be aware of.
The sheer breadth of information that Google handles for people is startling: e-mail, instant messaging, VoIP phone calls, photos, maps, finance and investment portfolios, home and work addresses, reading preferences, video interests and assessments, online purchases, most frequent searches, and clicked-on search results. Can you trust a commercial enterprise that has so much valuable information about you at its disposal to live up to its "Don't be evil" corporate mantra? That remains to be seen.
Fix: You can partly extricate yourself from Google, but don't assume that the big G isn't still all around you. Change the default (Google) search settings in Firefox if you must; stop using Gmail, iGoogle, and your Google Account if you're really concerned. But so many sites now incorporate the company's AdSense, Analytics, and syndication components that going off the Google grid may be virtually impossible for anyone who uses an Internet connection.