In another indication of how easy it is for malware authors to leverage Web 2.0 technologies, spammers have taken control of a Facebook site with more than 1.5 million users.
The site, 5,000,000 against the new version of Facebook, was set up by Adam Stanborough in September for Facebook members unhappy with the social networking site’s redesign in July. It gained one million members within 12 days, according to the Herald and Weekly Times.
A blog posting at Graham Cluley’s blog said spammers had put up “Make Money Fast” advertisements on the site. Cluley is senior technology consultant for security vendor Sophos.
These advertisements are for get-rich-quick schemes and one is a guide on how to seduce women, according to the blog. A check of the site today though, by InternetNews.com, showed the ads had disappeared.
“Our investigation showed a third party was involved in distributing the spam,” Facebook spokesperson Barry Schnitt told InternetNews.com by e-mail. “We’ve cleaned up the site.”
This is the latest attack on a social networking site by malware authors exploiting Web 2.0 technologies to distribute spam.
In January, hackers broke into the Twitter accounts of then President-elect Barack Obama and 32 other people, prompting the micro-blogging service to tell users to change their passwords.
Just one day later, spammers launched attacks using fake profiles of celebrities on the LinkedIn
professional social networking site and on Google (NASDAQ: GOOG) Blogspot.
Late last month, Websense Security Labs found that hackers were distributing
malware through blogs on MyBarackObama.com, an online community site put up by President Obama’s team. Their blogs led to a Web site purporting to host a YouTube pornographic video. Clicking on that video would ultimately lead to visitors downloading malware onto their PCs.
The hackers have been distributing their BarackObama.com URLs all over the Web by adding them to their comments on various blogs and leveraging user generated content management systems used by Web 2.0 sites.
The threat to legitimate Web sites
This bears out predictions from a survey conducted by messaging and data protection firm Websense, which found hackers are increasingly compromising legitimate sites, mainly social networking or search sites. They are able to target the Web 2.0 elements of these sites because the sites allow users to upload their own content.
Attacks like this could hurt the trusted site concept the Internet depends on, Web and e-mail security vendor Marshal8e6 has said. It has warned that social
networking sites in particular are emerging as a source of security threats, because it is easy to set up profiles on them and they have lax user safeguards.
One potential solution for bloggers and social networking site owners comes from Websense. The company said its Defensio Web service takes posts and comments on blogs and Web sites, scours them for malicious content or links, and, if it finds these, removes them. The application is free for personal use.
“We can place the technology onto blogs and places that have forums to capture bots spamming their URLs in real time,” Stephan Chenette, manager of security research at Websense Security Labs, told InternetNews.com.
