FortiGuard reports on a Facebook widget dubbed "Secret Crush" that installs adware. Sunbelt Software and others have found MySpace banner ads that deliver malware. Meanwhile, these social networking sites hold a nice haul of personal data. The common thread: social networking sites are ripe for malicious attacks, and it's likely we're going to hear a lot more about them in 2008.
Let's ponder the reasons why these sites are ripe for the picking:
- A little social engineering could go a long way on a site like Facebook. As FortiGuard's advisory shows: Who wouldn't want to know about a "Secret Crush" and share a neat widget with friends?
- While primo data like Social Security numbers aren't available, tons of email addresses tied to real names and friend lists could be quite useful to an attacker.
- These sites expose shared APIs and host third-party apps built on the fly, which gives them a big attack surface.
I've been more concerned about the impact of Web 2.0 security in the enterprise, but the social sites themselves are vulnerable. I also doubt that these sites have the security teams and patching plans that software giants do, even though they technically build and enable applications.
Attacks on social networking sites may be simple, such as the MySpace ads highlighted by Sunbelt on Thursday. Or the attacks could be more involved, like the Facebook widget from hell. On Tuesday FortiGuard found a Facebook widget that cons you into installing the Zango adware/spyware.
In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush" (this happens frequently with Facebook's Platform Application). Figure 2 exhibits the social engineering speech employed by the malicious widget to get the user to install it. At first glance, it does seem like the friend who has sent the notification is the one having a "crush" on the targeted user.
That's pretty crafty. In fact, FortiGuard notes that this widget becomes a social worm of sorts that relies on social engineering more than any technical prowess: there is no software flaw to patch, because the propagation step is a user accepting an invite and forwarding it to friends. And that's what makes these social networking attacks dangerous.
As we all know, the user is the weakest security link in many cases. It's quite a rich target when you can aggregate a lot of those security-naive users in one place and network them together.