The next hacker frontier: Social networking sites

Summary: FortiGuard reports about a Facebook widget dubbed "Secret Crush" that installs adware. Sunbelt Software and others find MySpace banners that deliver malware.


FortiGuard reports on a Facebook widget dubbed "Secret Crush" that installs adware. Sunbelt Software and others have found MySpace banner ads that deliver malware. Meanwhile, these social networking sites hold a rich haul of personal data. The common thread: social networking sites are ripe for malicious attacks, and we are likely to hear a lot more about them in 2008.

Let's ponder the reasons why these sites are ripe for the picking:

  • A little social engineering goes a long way on a site like Facebook. As FortiGuard's advisory shows: who wouldn't want to know about a "Secret Crush" and share a neat widget with friends?
  • While prime data such as Social Security numbers aren't available, tons of email addresses could be quite useful to spammers and phishers.
  • These sites, built on shared APIs with third-party apps added on the fly, have a large attack surface: every app the platform enables is code the site itself didn't write.

I have been more concerned about what Web 2.0 means for enterprise security, but the social sites themselves are vulnerable. I also doubt these sites have the security teams and patching plans that the software giants do, even though they are, in effect, building and hosting applications.

Attacks on social networking sites may be simple, such as the MySpace ads highlighted by Sunbelt on Thursday, or more involved, like the Facebook widget from hell. On Tuesday FortiGuard found a Facebook widget that cons users into installing the Zango adware/spyware.

FortiGuard writes:

In opening the request, the recipient is informed that one of his/her friends has invited him/her to find out more information by using "Secret Crush" (this happens frequently with Facebook's Platform Application). Figure 2 exhibits the social engineering speech employed by the malicious widget to get the user to install it. On first glance, it does seem like the friend who has sent the notification is the one having a "crush" on the targeted user.

That's pretty crafty. In fact, FortiGuard notes that this widget becomes a social worm of sorts: it spreads through friend invitations and relies on social engineering rather than any technical exploit. That is what makes these social networking attacks dangerous.

As we all know, the user is the weakest security link in many cases. It's quite a honeypot when you can aggregate a lot of security-naive users in one place and network them together.

  • Re: The next hacker frontier: Social networking sites

    Good...anyone stupid enough to put personal information out on the web for all the planet to see deserves to have their identity stolen.

    People who use these lame sites shouldn't complain when something happens to them. It's sad that there are so many insecure people in this world that they need to "advertise" for friends.

    Get a life folks. :-(
  • Many Predict...

    Folks that are looking at "trends" have already predicted that these wasted spaces called Social Networking are fading quickly, and rightly so. Good riddance to these sites anyway.
  • A virtual life leads to virtual happiness

    The question is whether or not you are content with virtual happiness. For most people they will eventually realize that virtual happiness is as distinct as the bits it's based on are content or not; there's no middle ground.

    If not then I suggest going to a play, a symphony, a park, taking a drive, "feeling" a concert, running, walking, volunteering, anything that doesn't involve a keyboard and mouse or interacting via a screen.

    There, now just do it!
  • RE: The next hacker frontier: Social networking sites

    These threats are not new and have been in full force for a long time. In fact, recent stats from Verisign showed half the threats online were coming from MySpace. With impatience and the click-obsessed younger generation, we will not see an end to these issues anytime soon. More needs to be done to protect everyone online. This year will surely see more lawsuits and exposure as we surpass the 100 billion dollar mark in online fraud.

    Shellee Hale
  • for the most part I doubt it

    A lot of these sites were built well after the email spam problem and the pop-up malware problems, and have been coded accordingly, so that they won't be susceptible to the same kinds of malicious misuses.

    I have the feeling we're going to get a lot more "state sponsored" malware in the form of advertisers who buy their way into social networking sites and ruin the experience for people. Facebook right now is leading that charge.