The next hacker frontier: Social networking sites

Summary: FortiGuard reports about a Facebook widget dubbed "Secret Crush" that installs adware. Sunbelt Software and others find MySpace banners that deliver malware.

FortiGuard reports about a Facebook widget dubbed "Secret Crush" that installs adware. Sunbelt Software and others find MySpace banners that deliver malware. Meanwhile, these social networking sites feature a nice haul of personal data. The common thread: Social networking sites are ripe for malicious attacks and it's likely we're going to hear a lot more about them in 2008.

Let's ponder the reasons why these sites are ripe for the picking:

  • A little social engineering could go a long way on a site like Facebook. As FortiGuard's advisory shows: Who wouldn't want to know about a "Secret Crush" and share a neat widget with friends?
  • While primo data like Social Security numbers aren't available, tons of email addresses could be quite useful.
  • These sites, built with shared APIs and apps built on the fly, have a big attack surface.

I've been more concerned about the impact of Web 2.0 security in the enterprise, but social sites themselves are vulnerable. I also doubt that these sites have security teams and patching plans much like software giants do even though they technically build and enable applications.

Attacks on social networking sites may be simple, such as the MySpace ads highlighted by Sunbelt on Thursday, or more involved, like the Facebook widget from hell. On Tuesday FortiGuard found a Facebook widget that cons you into installing the Zango adware/spyware.

FortiGuard writes:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush" (this happens frequently with Facebook's Platform Application). Figure 2 exhibits the social engineering speech employed by the malicious widget to get the user to install it. On first glance, it does seem like the friend who has sent the notification is the one having a "crush" on the targeted user.

That's pretty crafty. In fact, FortiGuard notes that this widget becomes a social worm of sorts that relies on social engineering more than any technical prowess. And that's what makes these social networking attacks dangerous.

As we all know, the user is the weakest security link in many cases. It's quite a honey pot when you can aggregate a lot of those security-naive users in one place and network them together.

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
