Online socialising on Web 2.0 sites has rapidly become the new way to network and make friends, but it is also an easy way to become a victim of malware. As more users adopt Web 2.0 applications like social-networking sites, blogs, wikis and RSS feeds, cybercriminals are right behind them.
The most prominent threats posed by social networking sites fall into two categories: technical and social. Technically, Web 2.0 sites allow millions of people to post content, and malicious users are constantly trying to post malware to these sites. Socially, the threat lies in the amount of personal information that people share on social networking sites like MySpace, Facebook, Bebo, and LinkedIn. This information makes users more vulnerable to phishing attacks, as personalized attacks are far more credible.
First off, some examples of technical threats:
At the beginning of 2008, malware spread through Facebook. More than four percent of the site’s 60 million registered users were infected with the “Secret crush” malware in less than four days. The malware spread by prompting users to forward the application to five of their friends.
In February 2008, exploit code affecting an unpatched flaw in the Aurigma Image Uploader, an application used by both Facebook and MySpace, started circulating publicly. Exploitation of the bug could allow an attacker to execute malicious code on a user’s system.
MySpace, the even larger social networking site with an estimated 250 million active users, was shut down in late 2005 after more than 1 million users were infected by the Samy worm. MySpace was also subverted on multiple occasions by malware attackers during 2007, and on 26 January 2008 a 17-gigabyte file containing more than half a million pictures lifted from private MySpace profiles showed up on BitTorrent, potentially making it the biggest privacy breach yet on the top social networking site.
At the end of 2007 Brazilian users of Google’s Orkut were subject to an attack by a worm that tried to steal bank account details. The malware, which also tried to hijack compromised computers, spread via booby-trapped links placed on the personal page of Orkut users.
Other attacks have tried to capitalise on the popularity of video clips seen on sites such as YouTube by putting booby-trapped links on pages that show the short films. Various Wikipedia sites have also had to deal with such problems as they allow online users to add and edit content, thus opening the door to potential malicious content.
And secondly, let’s take a look at the social threats posed by Web 2.0 sites:
Security experts believe that the popularity of social networking sites is allowing cyber-criminals to access information previously unobtainable and that phishers are using these sites to find targets for identity fraud.
People on social networking websites have a tendency to publish details about their lives, friends, loves, jobs and hobbies to the entire world that they would never share with a stranger in a bar, and this information is invaluable to identity fraudsters. People often don’t realise the significance of the kind of information they are putting out on the Web and who may be accessing it. Fraudsters can use this information to steal an individual’s identity and open accounts in their name.
In 2007, research found that 41 percent of Facebook users were willing to divulge personal information like e-mail addresses, dates of birth, phone numbers and other data to complete strangers. Other research, released in November 2007 by Get Safe Online, showed that one in four social networking users had posted confidential personal information, such as their phone number or address, on their social networking profiles. And after all, which criminals need to dive through dumpsters or steal snail mail when so many details are available simply by searching the Web?