Social Networking Sites: Fertile Malware Ground

"You have a new friend"

Social networking sites (e.g., MySpace, YouTube, Friendster) share the basic goal of online interaction and communication, allowing individuals to share personal information with vast networks of friends (and often, unknown numbers of strangers). As these sites continue to evolve, they continue to grow at phenomenal rates. Based on a survey by comScore Media Metrix, Myspace.com registered a record 50 million visitors in May 2006. Traffic to Youtube.com doubled in a single month [1]. This rapid rise of social networking sites may be attributed to their ability to provide Internet users with much appreciated services, namely the tools to build communities based on shared interests, make new friends, keep in touch with old friends, and share anything creative: pictures, videos, music, etc.

"Let's share"

Social networks are known for their open nature. This allows users to fill their personal pages with various content to attract more people to their space or to make themselves known. Because these sites are frequented by the coveted 18-34 demographic, they are an ideal marketing venue for business. However, they also provide online thieves and criminals an avenue for their malicious activities due to their accessibility.

With its ever-growing attractiveness, Myspace has become a favorite target of malicious authors. A year ago, "Samy" invaded the Myspace community by creating a malicious script that contained a routine to add himself to the friend list of any user that viewed his profile. Samy's routine proliferated so rapidly that Myspace was closed temporarily to remove Samy from the system.

Last month, a malicious JavaScript ("JS_QSPACE.A") exploited an XSS vulnerability found in Myspace pages. Once the vulnerability is exploited, this JavaScript redirects a user to a phishing Web site to steal the user's account information and send spam messages to the user's contacts. It also edits the profile of a stolen MySpace account by downloading and adding a movie file to the stolen profile. The movie file contains the phishing URL; when another MySpace user views the affected profile, this malware is automatically downloaded and executed onto the viewer's profile... and the cycle continues.
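Both incidents above relied on profile markup being served back to viewers with active content intact. The following is an added example, not code from this article or from any site it names: a server-side allow-list sanitizer for user-supplied profile HTML. The tag policy, function names and sample markup are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy: the only tags and attributes a profile may keep.
ALLOWED = {"a": {"href"}, "img": {"src", "alt"}, "p": set(), "b": set(), "br": set()}
VOID = {"img", "br"}
DROP_WITH_CONTENT = {"script", "style", "object", "iframe"}  # inner text is discarded too

def url_ok(value):  # absolute http(s) only: rejects javascript:, data: and relative URLs
    return value.strip().lower().startswith(("http://", "https://"))

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED:
            self.dropped.append(f"<{tag}>")  # e.g. <script>, <embed>, <form>
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name in ALLOWED[tag] and (name not in ("href", "src") or url_ok(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
            else:
                self.dropped.append(f"{tag}@{name}")  # on* handlers, style, unsafe URLs
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-encoded, never emitted raw

def sanitize_profile(markup):
    parser = ProfileSanitizer()
    parser.feed(markup)
    parser.close()  # flush text buffered by the parser
    return "".join(parser.out), parser.dropped

SAMPLE = ('<p onclick="x()">Hi, I am <b>Alex</b></p>'  # constructed profile markup
          '<script>/* placeholder */</script><embed src="http://example.invalid/clip.mov">'
          '<a href="javascript:void(0)">friends</a> '
          '<a href="https://example.invalid/band">my band</a>')
```

The second return value lists what was removed, which can feed logging or alerting when a profile edit contains active content.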

"What you've missed"

As consumers learn about security threats, they have backed away from impersonalized email messages, which they believe are spam. However, the emergence of social networking sites is changing this. Leveraging the personal data that users are revealing to the public on social networking sites, malware authors can now "personalize" attacks, making their scam more believable and convincing to even the most suspicious user. Based on the results of a study conducted by the National Cyber Security Alliance (NCSA), 57% of users of social networking sites who are aware of potential security risks still reveal critical information. And 83% of the respondents said that they download files from other profiles, even if they are unsure of the content and the profile is unknown to them [2].

Developers of social networking sites, on the other hand, have expended so much effort tailoring their Web sites to meet customer needs that they usually do not emphasize security. Initially, their concerns focus on copyright protection, impersonators, online stalking/harassment, and explicit profiles and content.

In today's threat landscape, profit is the motivation for most attacks. User details made available in these sites can help cyber criminals develop specific scams aimed at users or groups of users for financial gain. Although site developers are quick to respond when malicious attacks are reported to them, the potential for more malware attacks is strong. As the rate at which consumers use these services continues to grow, the risk is also likely to increase.

References

  1. comScore press release, "Social Networking Sites Continue to Attract Record Numbers as Myspace.com Surpasses 50 Million U.S. Visitors in May," June 15, 2006, http://www.comscore.com/press/release.asp?press=906.
  2. National Cyber Security Alliance, press release, "CA/ National Cyber Security Alliance Survey Reveals Consumers Engage in Risky Online Behavior on Social Networking Sites, Leaving Them Vulnerable to Potential Cyber-Crime," October 4, 2006, http://staysafeonline.org/news/cancsasocialnetworkingsurvey.html.