[Web Informant] 12 January 2009: Facebook, the new social disease

David Strom david at strom.com
Mon Jan 12 09:26:07 EST 2009

Accompanying last week's announcement that more than 150 million people are
active on Facebook (and, even more depressing, that half of them log in
daily) is a new series of security and legal issues surrounding its use.
When exactly is your account compromised by a piece of software that may
not be acting in your best interests? Or could it be something more
sinister, or just human error?

Don't you pine for those simple days when the line between software
and malware was pretty easy to delineate? Consider these news items:

Last week, Facebook sued the Brazilian site Power.com, claiming that
its automated login process violated their terms of service. According
to the LA Times, Power has agreed to use Facebook Connect, but the
suit brings up all sorts of issues that aren't so clear cut: is Power
providing a service for its users, by consolidating several social
networking logins? Or is it doing something that it shouldn't, by
storing these credentials? How is that different from any number of
sites that allow me to cross-post messages to different video or blog
sites?
http://latimesblogs.latimes.com/technology/2009/01/lawsuit-shows-h.html

Last December, we saw the Koobface trojan that spreads through social
network news feed messages, prompting users to download what they
think is an update to the Adobe Flash player but is really malware:
http://www.avertlabs.com/research/blog/index.php/2008/12/03/koobface-remains-active-on-facebook/

This was similar to a Brazilian-based attack that plagued Twitter last summer:
http://www.viruslist.com/en/weblog?weblogid=208187551

Earlier last fall over in Russia, we saw email/SMS pitches for people
to download a Java applet to their cell phones that was spread via the
Russian social network Vkontakte. Once on their phones, the app would
automatically text several premium numbers that would be charged back
to the user:
http://www.viruslist.com/en/weblog?weblogid=208187582

The trouble is that as these attacks proliferate, it gets harder to
differentiate them from legitimate situations where people are just making
dumb mistakes. Consider the situation where a new social networking
user doesn't understand the very optional step when he or she signs up
and is asked whether or not to send email invitations to their entire
address book. In just a few seconds, a simple task of joining the
network has turned into an annoying one sending out hundreds of
unwanted emails. Sometimes this step isn't explained well in the
sign-up process, or sometimes people aren't paying attention. Either
way, it isn't malevolent; it is just a stupid user error.

Or take instant messaging, which seems so quaint now that there are
lots of other networks out there. Yes, there are malware programs that
propagate through IM, and there are security products that protect IM
networks too. But nothing can stop human stupidity in how these IM
networks are used, particularly if you store your IM login credentials
on a family computer that is shared by several people. One of my
colleagues has been having IM conversations with the wrong people –
some that have gone on for ten or 15 minutes, before he realized he
was talking to the intended's spouse or kids. Why anyone would leave his or
her IM account wide open in this way is hard to understand. But it
points out that just because someone is signed into IM, doesn't mean
that they are there. Remember, on the Internet no one knows that your
dog hasn't logged in instead of you.

Then there are sites like omgxd.com that use your login information
for IM networks, supposedly to make it easier to connect but in
reality spam all of your contacts on your buddy list. Heyxd.com is
another one. I have tried to find out whether these two sites are
legit or have some sinister purpose. I can't really tell, but I would
recommend steering clear of both of them.

So the next time you get an email or IM or text message asking you to
download a greeting card, update your Flash player, or do something
else, take a moment to stop and think whether this is a request that
you should just hit the delete key and move on. You don't need to be
the latest victim of a new social networking disease.