Hackers crash the social networking party

The malware headache began for Robyn when she saw a MySpace bulletin from a friend inviting her to view new photos. She knew the friend in real life, so she went ahead and clicked the link. The site looked like a photo-sharing site, but one she had never heard of. Then her computer practically froze. A few days later, her MySpace friends received photo-viewing invites that seemed to come from her.

"It definitely wigged me out," says Robyn, who asked that her last name not be used. She hasn't touched that computer since.

Like pickpockets at a festival, money-minded malware authors are drawn by the huge crowds visiting social networking sites. In an August report, Internet security firm ScanSafe states that, on average, one in every 600 pages on the sites hosts some form of malware. The report says Facebook tended to be more secure given its previous member restriction to those with educational e-mail addresses, but the site has since opened its doors to everyone.

And these days, those viruses and worms are after your wallet. "There's a great deal of money in it for people to be able to get your personal data," said Lysa Myers, virus research engineer for McAfee Avert Labs, in an e-mail interview.

Poisoned banner ads

One major attack took place in July, when iDefense, a research and security company, discovered a poisoned banner ad that appeared on MySpace, Webshots, and many other sites. The new type of attack ad downloaded adware onto an estimated million computers, according to iDefense. The threat went after low-hanging fruit by exploiting an image file (.wmf) vulnerability. It's a vulnerability that was reported and fixed way back in January. But in the huge numbers game of social networking sites, the attack still found plenty of victims.

And the game is growing ever larger. MySpace ranks as the sixth most-visited site in the world, according to Alexa.com, which analyzes Web traffic and puts Flickr at number 39 and Facebook at number 69. Most social networking sites more than doubled their user base between July 2005 and July 2006, according to comScore Media Matrix.

It's not just eager teens visiting the sites, either. The ScanSafe report found that social networking sites now account for 1 percent of at-work Web browsing. This may not seem like much, but consider just how much Web traffic goes in and out of most every business in the nation.

Good defense necessary

Even if the site maintainers are on the ball -- MySpace generally gets decent marks for closing new-found holes and threats on its site -- the sheer number of people involved can present an irresistible target for crooks. To keep your system safe, make sure you've got a layered defense with good antivirus and antispyware programs, and a firewall. PC World's Spyware and Security Info Center contains the latest security software reviews and rankings, and a link to our Internet Safety Tool Kit.

In addition, Dan Moniz, a security consultant in San Francisco, recommends using a browser other than Internet Explorer. "The way that Internet Explorer is hooked in with the operating system can cause some problems," he says. The July banner ad attack targeted Internet Explorer.

As if downloaded malware weren't enough, future attacks could twist things so that the browser attacks a site. At the BlackHat Internet security conference in Las Vegas this year, Moniz and HD Moore, head of the Metasploit project and a well-known hacker, presented a novel proof-of-concept hack. It showed that a poisoned site could infect a Web browser using Javascript such that the browser becomes an attacker and infects visited blogs or social networking sites. It could spam links to malware downloads or overwhelm blogs with casino advertisement comments, for instance.

Like many proof-of-concepts, this one might never become a real threat. It still has to find an open security hole to infect the browser in the first place, and it might never interest malware writers who have plenty of other profitable methods currently in use. But it's one more example of a party crasher just waiting to spoil the fun.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Josh Krist

PC World
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?