Social Networks a Magnet for Malware

Written By
Sean Gallagher
Feb 17, 2009

The “clickjacking” attack on the Twitter social networking service last week is part of a growing trend of social engineering attacks via social networks, say experts.

“We’ve seen a lot of these social networking and peer to peer sites targeted in general for a bunch of different reasons,” said Sam Curry, the vice president of product management and strategy for RSA. “It’s a law of large numbers in many ways.”

Curry calls attacks launched through social networks “orthogonal attacks.” As users have become aware of phishing attacks and other efforts to get at their personal data, hackers have turned to social networks and “brand attacks,” like the recent CNN.com-spoofing Cease-Fire Trojan, to spread malware that goes after the same information once installed on the victim’s computer.

In the case of Twitter, the service moved to block clickjack exploits last week, according to Biz Stone, co-founder of Twitter. He said in an e-mail to InternetNews.com that the company is serious about blocking such attacks.

“We’ve found that proactive security reviews, quick reaction time when there is an incident, and communication with our users in a timely manner are effective techniques in dealing with exploits,” he wrote.

While the Twitter clickjack only spread itself and had no apparent malware associated with it, social engineering attacks on other social networking sites have hardly been so benign.

The recent scareware links on Digg.com and the Koobface virus currently spreading across Facebook are both examples of social-engineering-based attacks that are tailored to the habits of social networking users, with a much more significant security threat attached.

Because of the nature of social networks, they’re particularly attractive to hackers, according to Craig Schmugar, a threat researcher for McAfee. “The nature of user interaction within social networking sites is being exploited by malware authors and distributors, and that’s definitely on the rise,” said Schmugar.

“Unfortunately, a lot of it is just straight social engineering,” he said. “They’re not exploiting any security vulnerabilities, but they are crafting messages like ‘don’t click me’ to capture users’ attention and take them to completely different sites.”

That sort of attack puts social networking sites in a difficult situation, he says. “Even if you test as much as you practically can to validate user input, you’ve got millions of users out there, a small subset of which are trying to poke holes in the application, but it still is a lot of people, and you can’t assume your QA is 100 percent. So if you at least on the back end do some additional scanning you have a better chance of catching it.”

While social networking services are being more proactive about scanning downstream sites, that can be a fairly expensive undertaking in terms of resources, “especially when you’re talking about Facebook which has millions of posts a minute, and Twitter, in trying to isolate the ones you really have to be worried about and keeping the rest of the traffic going,” said Schmugar.

While the risk of malware is certainly growing on social networking sites, Curry thinks that the risk is tied directly to the benefit the sites offer. “The risk is greater (in social networks),” he said. “But why do people do this? They want a richer social life, they want to interact with more people, have more engaging types of interactions with people, and want to push out the cultural and social boundaries of their lives, and that creates more risk.

“The question is, is that necessarily a bad thing? Most of us want to hire the people who are interactive in those ways. The value of people who use these is probably far greater to an employer than people who don’t do that sort of thing.”
