Hackers crash the social networking party

The malware headache began for Robyn when she saw a MySpace bulletin from a friend inviting her to view new photos. She knew the friend in real life, so she went ahead and clicked the link. The site looked like a photo-sharing site, but one she had never heard of. Then her computer practically froze. A few days later, her MySpace friends received photo-viewing invites that seemed to come from her.

"It definitely wigged me out," says Robyn, who asked that her last name not be used. She hasn't touched that computer since.

Like pickpockets at a festival, money-minded malware authors are drawn by the huge crowds visiting social networking sites. In an August report, Internet security firm ScanSafe states that, on average, one in every 600 pages on the sites hosts some form of malware. The report says Facebook tended to be more secure given its previous member restriction to those with educational e-mail addresses, but the site has since opened its doors to everyone.

And these days, those viruses and worms are after your wallet. "There's a great deal of money in it for people to be able to get your personal data," said Lysa Myers, virus research engineer for McAfee Avert Labs, in an e-mail interview.

Poisoned banner ads

One major attack took place in July, when iDefense, a research and security company, discovered a poisoned banner ad that appeared on MySpace, Webshots, and many other sites. The new type of attack ad downloaded adware onto an estimated million computers, according to iDefense. The threat went after low-hanging fruit by exploiting an image file (.wmf) vulnerability. It's a vulnerability that was reported and fixed way back in January. But in the huge numbers game of social networking sites, the attack still found plenty of victims.

And the game is growing ever larger. MySpace ranks as the sixth most-visited site in the world, according to Alexa.com, which analyzes Web traffic and puts Flickr at number 39 and Facebook at number 69. Most social networking sites more than doubled their user base between July 2005 and July 2006, according to comScore Media Matrix.

It's not just eager teens visiting the sites, either. The ScanSafe report found that social networking sites now account for 1 percent of at-work Web browsing. This may not seem like much, but consider just how much Web traffic goes in and out of most every business in the nation.

Good defense necessary

Even if the site maintainers are on the ball -- MySpace generally gets decent marks for closing new-found holes and threats on its site -- the sheer number of people involved can present an irresistible target for crooks. To keep your system safe, make sure you've got a layered defense with good antivirus and antispyware programs, and a firewall. PC World's Spyware and Security Info Center contains the latest security software reviews and rankings, and a link to our Internet Safety Tool Kit.

In addition, Dan Moniz, a security consultant in San Francisco, recommends using a browser other than Internet Explorer. "The way that Internet Explorer is hooked in with the operating system can cause some problems," he says. The July banner ad attack targeted Internet Explorer.

As if downloaded malware weren't enough, future attacks could twist things so that the browser attacks a site. At the BlackHat Internet security conference in Las Vegas this year, Moniz and HD Moore, head of the Metasploit project and a well-known hacker, presented a novel proof-of-concept hack. It showed that a poisoned site could infect a Web browser using Javascript such that the browser becomes an attacker and infects visited blogs or social networking sites. It could spam links to malware downloads or overwhelm blogs with casino advertisement comments, for instance.

Like many proof-of-concepts, this one might never become a real threat. It still has to find an open security hole to infect the browser in the first place, and it might never interest malware writers who have plenty of other profitable methods currently in use. But it's one more example of a party crasher just waiting to spoil the fun.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Josh Krist

PC World
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?