With Online Friends Like These…

Social networking sites offer hackers a rich trove of potential victims and many opportunities to exploit them, a new security report says

Your next MySpace friend could be a virus. Social networking sites, blogs, and other popular Web destinations that rely on user-generated content are hackers' newest targets, according to a Symantec report. And these bad guys are not targeting social networking sites just to show off—they're hunting for sensitive financial information.

On Sept. 25, Symantec (SYMC) released its biannual Internet security report for the first half of 2006. Among the biggest trends were hackers targeting Web browsers and so-called Web 2.0 sites that allow users to publish content on their pages and connect with one another. "It's just the latest evolution of the bad guys trying to get under your radar," says Dave Cole, director of Symantec Security Response. "Now they are going after these grassroots type sites."

For hackers, social networking communities such as News Corp.'s (NWS) MySpace are appealing because members assume fellow users are on the site to socialize and meet new people. As a result, says Cole, members are more likely to trust bad links provided by community members under the guise of helpful comments or friendly photo-sharing. Once they click on the link, corrupted picture, or file they can inadvertently be directed to phishing sites aimed at defrauding users out of bank account numbers and other personal information.


 Photos and other seemingly innocent shared files could easily be developed to contain malicious code, such as key logging programs that can steal passwords that are passed around as "friends" share the content. "Web 2.0 technologies present a number of areas for security concern," according to the report. "Attackers will often take advantage of the implied trust between the community of individual developers and the sites hosting content to compromise individual users and/or Web sites."

Hackers have not yet seized on these communities to a wide degree, security experts say. "Most of the attacks are more social engineering type of attacks where they are getting users to click over to Web sites where the bad things are happening," says Brian Trombley, product manager for McAfee (MFE), Symantec's main competitor. "They are not happening on the social networking sites themselves." But that could change.

Already, there are signs hackers are preparing to do some damage. For example, a banner ad on a series of MySpace profiles titled "deckoutyourdeck.com" downloaded adware, programs that flood computers with pop-up ads and other tracking devices. In April, there was a Trojan virus developed under the nickname "Hearse" that was programmed to activate whenever an Internet user logged onto social networking, banking, or e-mail sites. Names and passwords from more than 2,000 MySpace accounts were stolen (see BusinessWeek.com, 4/10/06, "This Bug Is Nasty, Brutish, and Sneaky").


  Social networking and other user-generated sites may also be particularly vulnerable to worms because they are designed to allow quick information transfer between users. Last year, a MySpace user named "Sammy" created a worm that enabled him to install his profile on user sites and gain more than a million friends. The worm was not malicious, but it was evidence of a vulnerability that other hackers seeking far more than popularity could exploit. MySpace Chief Security Officer Hemanshu Nigam was traveling on Sept. 26 and could not immediately be reached for comment, a company spokeswoman said.

The vulnerabilities with user-generated sites are of particular concern because of the increased number of attacks against Web browsers. In its report, Symantec found that nearly half of all computer attacks were targeting Web browsers. Typically, computer users would inadvertently download malicious code by clicking on a bad link or file, visiting a domain embedded with malicious code, or even scrolling over a corrupted banner ad—all standard Web activities, particularly on social networking sites where clicking through links to other friend pages is standard practice.

The attacks were targeting vulnerabilities in Web browsers and applications. Microsoft's (MSFT) Internet Explorer, the most widely used Web browser, had the most attacks against it and accounted for 47% of all Web browser attacks. Symantec saw 38 new vulnerabilities in its software, a 52% increase over the past six months. Microsoft has addressed the problems as Symantec reported them and developed downloadable patches to shore up its systems. Mozilla, maker of the popular Firefox open source browser, had 47 vulnerabilities, an increase of 276%. Even Apple Computer's (AAPL) Safari browser, which is typically immune to many weaknesses shared by other more popular browsers, had 12 vulnerabilities.


 Most of those vulnerabilities were discovered by testers whose purpose is not to exploit them, but to help the companies protect their applications. However, Symantec was alerted to some of the vulnerabilities by catching viruses that were exploiting them. McAfee's Trombley says hackers have an increasingly strong financial incentive to find the vulnerabilities before the testers do because they are paid by criminals to develop code that can be used to steal passwords and account numbers.

Companies are facing pressure to release new browser products to meet customer demands for increased capabilities, which can make it difficult to find all the potential holes in new products. "It is very difficult for the browsers to keep up with the functionality that people are pushing for," says Larry Bridwell, vice-president of communications for Grisoft, the makers of AVG Anti-Virus. "Browsers are being asked to do more and more things that they were not designed to do from the ground up."

As a result, code can have more holes in it, says Bridwell, which can lead to bugs that are more dangerous and harder to detect. The companies behind the Web browsers are consistently working to develop patches that plug holes in code before hackers learn of them (see BusinessWeek.com, 8/7/01, "Patches Don't Make a Security Blanket"). The window of exposure to vulnerabilities has decreased from 50 days in 2005 to 28 days, according to Symantec. However, that still gives hackers considerable time to spread viruses. The best defense for Internet users? Update programs, install security software, and, most important, beware of "friends" bearing unknown attachments.

Before it's here, it's on the Bloomberg Terminal.