Social Networks May Provide A Chattering Class For Viruses
You can get the most amazing messages from friends on Facebook.
Recently, a high school pal wrote me about a strange new Web site, adding the parenthetical comment "(69241)." Then, a typically typo-free writer assured me I could "becomee a reall filmm staar noww" and pointed me to a site in India. And a normally level-headed colleague passed along yet another strange address, followed by the exultation "Best store!!!" -- then resent the message a minute later.
Okay, so my Facebook friends didn't really write those things. Nor did the co-worker who appeared to invite contacts on Twitter and Facebook to view a "private video." Instead, a virus did, hijacking their accounts to send messages steering friends to hostile sites.
These attacks shouldn't surprise anybody. Virus authors are creative but ultimately predictable: Whenever a new site or piece of software becomes popular, you can count on these cretins to try to exploit it. And over the past year or so, they have found social networking sites such as Facebook, Twitter and MySpace attractive targets.
That's because the most basic feature of these sites can be useful for anonymous enemies as well as known friends. Social networking sites provide their core value -- no, not accelerating the distribution of gossip -- by delivering a component missing from the Internet's own architecture: trust.
On the Internet, as the cartoon goes, nobody knows you're a dog. There's no bit attached to the data identifying you by name, location or occupation.
So a person or company on the Internet must use other tools to persuade strangers to trust them, such as the "security certificates" of online merchants or feedback scores on eBay. Social networking sites fit into that pattern, allowing you to identify yourself and have other people vouch for you by adding you to their friend lists.
That helps when long-lost pals use mutual friends' endorsements to confirm that it's really you on Facebook, but it's also open to exploitation by crooks. You might ignore a message linking to a random site if it came from a stranger, but would you dismiss it so quickly if it had a friend's name on it?
The status-update culture of social networking sites compounds the vulnerability. Much of the activity on the likes of Facebook and Twitter consists of short messages linking to Web sites whose identities have been obscured through link-shortening services.
Free sites such as TinyURL.com and bit.ly generate these shorter links to lengthy Web addresses so that they fit better in the tight space of a Facebook or Twitter status update, but these custom addresses rarely reveal their destination unless users run extra software.
Both TinyURL and bit.ly use blacklists from Google and other sources to block links to malicious pages; perhaps as a result, all the bogus messages I've received on Facebook and Twitter linked directly to hostile sites.
But even the best-maintained blacklist will need a little time to identify a new threat, maybe too much time on a site as fast-paced as Twitter. More important, seeing a steady stream of condensed Web addresses offering no hint of their content teaches us that inspecting a link's address is a waste of time.


