Hackers' Latest Target: Social Networking Sites

By Brian Krebs Staff Writer
Saturday, August 9, 2008

LAS VEGAS -- Social networking sites such as Facebook, MySpace and LinkedIn are fast emerging as some of the most fertile grounds for malicious software, identity thieves and online mischief-makers. And while some of the talks given here at Black Hat, one of the larger hacker conferences in the country, would probably make most people want to avoid the sites altogether, it turns out that staying off these networks may not be the safest option, either.

The biggest danger from social networking sites is that they are all tripping over themselves to embed powerful features that most subscribers will never use, such as digital image or media files with the ability to download content from third-party Web sites, said Shawn Moyer, chief information-security officer at Agura Digital Security, a Web and network security firm. Moyer and Nathan Hamiel, senior consultant for Idea Information Security, gave a presentation Thursday called "Satan is on My Friends List," in which they demonstrated a plethora of ways that user-created applications popular on MySpace could be used to hijack and lock out accounts, or trick the user into installing malicious software.

Paradoxically, there may be a danger in remaining a social networking site Luddite. After all, if you don't claim a space on these networks, someone else may do it for you as a way of scamming or attacking your friends and business contacts. With the permission and good humor of security pioneer Marcus Ranum, Hamiel and Moyer created a LinkedIn profile on Ranum's behalf, including a photo of him and bits from his résumé to make the profile look legit. In less than 24 hours, more than 50 people had joined his LinkedIn network. Among those taken in by the stunt was Ranum's sister.

"Even if you just put some basic information out there that's easy to find, you're kind of controlling your privacy that way," Hamiel said.

In another warning to the social networking community, a pair of researchers presented on Wednesday various ways to create mischief using Google Gadgets, free programs such as calendars or photo feeds that people can add to their personalized Google home pages. The trouble is that anyone can create gadgets and make them available for download on Google's site. These gadgets can include arbitrary JavaScript commands and other powerful programming features that expose the user's system and network to a laundry list of nasty attacks, from phishing to data poisoning and data theft to Web site defacement and surreptitious internal network scanning.

"How do you know it's a legitimate gadget?" asked Robert "RSnake" Hansen, chief executive of SecTheory, a security consultancy. "There's no moderation. There's no way to guarantee it won't turn bad."

In a statement given to the Associated Press, Google said that it scans all gadgets regularly for malicious code, and in the "very rare" instance one is found, it's immediately blacklisted.

All this talk of the dangers lurking on social networking sites may seem like stating the obvious. But the reality is that most people are, at heart, trusting individuals, and social networking sites build themselves on a culture of trust: trust that clicking on a user's photo or merely reading a message from another reader won't turn your computer into a spam-spewing zombie or cause your page to become a vector for cyber attacks against others.

Yet that's exactly what happened last week, when security companies began warning about a new worm that was spreading like a nasty rash across social networking sites like Facebook and MySpace. Dubbed Win32.Koobface by Russian anti-virus firm Kaspersky Lab, the worm arrives when users click on a link to view a video that prompts the user to install a bogus Adobe Flash browser plug-in. It spreads further when a user who has installed the bogus plug-in logs on to a MySpace or Facebook page, at which point the malware adds links to the poisoned videos in the comments section of all the victim's friends' pages. (The "Paris Hilton Tosses Dwarf on Street" subject line detailed last week in a blog post about silly spam message titles is in fact one of the subjects used by this worm.)

Excerpted and adapted from the Security Fix blog by Brian Krebs, who is attending the Black Hat conference in Las Vegas this week. For more from the blog, visit

© 2008 The Washington Post Company