Thieves Find Easy Pickings on Social Sites

By Kim Hart
Washington Post Staff Writer
Sunday, July 16, 2006; F01

Rob Newland is a pro at dodging spam e-mails and suspicious pop-up windows as he surfs the Web. But he lets his guard down when he is checking friends' profiles and clicking through blog posts on the social networking Web site MySpace.

"I'm there to meet new people, so I follow random messages and links," the 24-year-old D.C. bartender said. "It seems harmless."

Internet thieves are banking that the millions of users who log on to social networking sites, such as MySpace, Facebook and Friendster, are just as trusting, leaving them vulnerable to financial fraud and identity theft. As viewership skyrockets, growing by 50 percent in the past year, according to Nielsen-NetRatings, such sites are becoming vulnerable places for scams. The combination of young users and a culture that encourages sharing personal details presents opportunities for increasingly sophisticated methods to lure information.

The FBI last month warned MySpace users of a phony bulletin post urging people to click on a link to "check out old school pictures." A virus seeking financial information recently invaded Orkut, Google's social networking site. Early last month, unsolicited instant messages attempted to lure MySpace users into divulging account information, and about a dozen other sites that spoof the MySpace log-in page have been discovered.

Because people reveal so many intimate details on the sites, scammers "can look at those profiles and use that information to better hone their attack," said Ron Teixeira, executive director of the National Cyber Security Alliance. Scammers can craft phony messages that appear to come from friends to trick people into revealing more personal data, such as credit card or cellphone numbers.

Such come-ons are called "spear phishing," Teixeira said. "Social networking sites are a potential haven for spear phishers."

Newland became a victim of one of those attacks after a spear phisher posted a phony link on a MySpace bulletin, which directed all of his 89 friends to a fake site,, asking for their user names and passwords.

"We all fell for it," he said. "I was lucky enough to catch it."

Phishing attacks have traditionally taken the form of spam e-mails that appear to come from legitimate sites such as eBay, PayPal or banks, often duping consumers into giving up account numbers or passwords.

"There's an implied state of trust on social networking sites. You're generally talking to people you know or want to know, so you're more vulnerable," said Alfred Huger, senior director of engineering for Symantec. Phishers started targeting instant messenger users about two years ago, he said, but meeting sites are "the new frontier for ripping people off."

MySpace, which has more than 75 million users and was the country's most-visited Web site last week, according to Hitwise, has been the largest target so far. But security experts expect to start seeing attacks aimed at other social networking sites, such as Facebook and Friendster, as well as blog-hosting sites including LiveJournal and Xanga.

"It's probably happening now and we just don't know about it," Teixeira said. "It's foolish to think it's only occurring on MySpace."

Mining profiles for sensitive information is relatively simple, said Paul A. Henry, vice president of strategic accounts for Secure Computing Corp. Fraudsters can download software that scans millions of profiles looking for key pieces of information, such as addresses, birthdates and friend's names, which makes it easier for them to "tap into your network of trust."

Dan Hubbard, vice president of security and research for Websense Inc., a San Diego company that recently found a site mimicking MySpace, said interactive sites easily allow spear-phishers to send messages containing malicious code that infects the computer with a virus, which then tracks every user name and password entered on other legitimate sites.

Teenagers and young adults, who make up the bulk of visitors to networking sites, are seen as easy targets because they are typically more trusting and less security-savvy, Huger said.

"Then parents use the same computer for their banking," he said. "It could be months before they realize their bank accounts have been hacked."

Users of Google's Orkut may still be unaware they were infected by the worm that spread through the network, said Frank Cabri of FaceTime Security Labs, which discovered the scam June 19.

Although the number of attacks on social networking sites is still far smaller than those that travel through instant messenger programs and e-mail, the sites have beefed up their security and warn users to check the Web address before entering their log-in information.

"We have told [users] that we will never ask for your user name and password in an e-mail," Facebook spokeswoman Melanie Deitch said. "We let people know the spam is not from us."

Earlier this year, MySpace hired someone to oversee the site's security operations.

Cabri said he expects the number of attacks to increase as more social sites incorporate instant messaging, a draw for Internet thieves.

"I don't think we're going to see this slow down," he said. "It will accelerate."

© 2007 The Washington Post Company