A Closer Look
Sunday, July 16, 2006
Rob Newland is a pro at dodging spam e-mails and suspicious pop-up windows as he surfs the Web. But he lets his guard down when he is checking friends' profiles and clicking through blog posts on the social networking Web site MySpace.
"I'm there to meet new people, so I follow random messages and links," the 24-year-old D.C. bartender said. "It seems harmless."
Internet thieves are banking that the millions of users who log on to social networking sites, such as MySpace, Facebook and Friendster, are just as trusting, leaving them vulnerable to financial fraud and identity theft. As viewership skyrockets, growing by 50 percent in the past year, according to Nielsen-NetRatings, such sites are becoming attractive venues for scams. The combination of young users and a culture that encourages sharing personal details presents opportunities for increasingly sophisticated methods of luring information out of users.
The FBI last month warned MySpace users of a phony bulletin post urging people to click on a link to "check out old school pictures." A virus seeking financial information recently invaded Orkut, Google's social networking site. Early last month, unsolicited instant messages attempted to lure MySpace users into divulging account information, and about a dozen other sites that spoof the MySpace log-in page have been discovered.
Because people reveal so many intimate details on the sites, scammers "can look at those profiles and use that information to better hone their attack," said Ron Teixeira, executive director of the National Cyber Security Alliance. Scammers can craft phony messages that appear to come from friends to trick people into revealing more personal data, such as credit card or cellphone numbers.
Such come-ons are called "spear phishing," Teixeira said. "Social networking sites are a potential haven for spear phishers."
Newland became a victim of one of those attacks after a spear phisher posted a phony link on a MySpace bulletin, which directed all of his 89 friends to a fake site, MySpase.com, asking for their user names and passwords.
"We all fell for it," he said. "I was lucky enough to catch it."
Phishing attacks have traditionally taken the form of spam e-mails that appear to come from legitimate sites such as eBay, PayPal or banks, often duping consumers into giving up account numbers or passwords.
"There's an implied state of trust on social networking sites. You're generally talking to people you know or want to know, so you're more vulnerable," said Alfred Huger, senior director of engineering for Symantec. Phishers started targeting instant messenger users about two years ago, he said, but meeting sites are "the new frontier for ripping people off."
MySpace, which has more than 75 million users and was the country's most-visited Web site last week, according to Hitwise, has been the largest target so far. But security experts expect to start seeing attacks aimed at other social networking sites, such as Facebook and Friendster, as well as blog-hosting sites including LiveJournal and Xanga.
"It's probably happening now and we just don't know about it," Teixeira said. "It's foolish to think it's only occurring on MySpace."