Social Networking Security Scams
By Michelle V. Rafter
The message looks like any other email from a fellow Facebook user asking to add you as a friend. But if you look closer, you’ll see there’s a file attached to it, and if you double click to open it -- wham -- you’ve just downloaded a Trojan horse.
Welcome to the newest flavor of Internet deviance, the social network scam. The popularity of Facebook and other social networks hasn’t been lost on spammers and Internet criminals, who’ve picked up their underhanded operations and moved them to the virtual communities.
In fact, social networking sites such as Facebook and MySpace have become some of the most popular targets for online attackers. Social networks are the perfect breeding ground for malicious coders because they have lots of users, good reputations and support open software applications, meaning a decent programmer can write code -- good or bad -- that works inside the network.
The average Internet user figured out a while ago not to open email from strangers due to safety concerns, but they haven’t wised up to social network scams yet.
Beware These Social Network Scams
But ignorance is not bliss because new types of social networking scams are popping up all the time. Some of the latest include:
The email spoof. Like the previously mentioned Facebook example, this innocent-looking email message appears to come from a legitimate social network account and has a zip file attached that is purportedly a picture of the friend making the request. But if opened, the attachment releases some sort of virus, such as a Trojan horse. Spoofs aren’t limited to Facebook, or even to English. In mid-October, a malicious email spoof campaign was reported on the Spanish-language social-networking site Hi5.
The phishing campaign. Similar to an email spoof, this email appears to have a legitimate log-in page for Facebook or another social network in the body of the message. But it’s really a fake front for a phishing site that tries to con unsuspecting visitors out of personal information like a password or account number.
The YouTube con. In this gambit, spammers set up legitimate YouTube profiles to advertise products and services, including X-rated materials. Spammers send email invitations to other YouTube members to check out their profiles. If someone clicks on the link they go to a real YouTube profile that’s little more than an ad -- in some cases a very risqué ad -- with links to the spammer’s web site.
The Flash attack. The Flash virus, also called the Win32/Koobface virus, takes its name from Adobe’s Flash plug-in, which people download to play videos in their Web browser. The virus spreads by sending spam messages with titles like “Paris Hilton Tosses Dwarf on the Street” from an infected user’s Facebook or MySpace account to their contact list. When someone who gets the email clicks on a link to watch the video, it actually downloads a worm that copies itself onto their machine’s Windows directory and repeats the cycle.
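A mail-triage check for the first two scams above (the email spoof and the phishing campaign), as an added example that is not part of the original article. The brand-to-domain map, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed brand -> legitimate domain map (illustrative, not exhaustive).
BRANDS = {"facebook": "facebook.com", "myspace": "myspace.com", "hi5": "hi5.com"}
RISKY_EXT = (".zip", ".exe", ".scr")

def triage(raw):
    """Return reasons a message resembles the email spoof or phishing campaign."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = f"{msg['From']} {msg['Subject']}".lower()
    brands = [b for b in BRANDS if b in claimed]
    if not brands:
        return []  # does not claim to come from a social network
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"attachment:{name}")  # a friend request needs no file
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        if re.search(r"<input[^>]+type=[\"']?password", html, re.I):
            findings.append("login-form-in-body")
        for url in re.findall(r"href=[\"']?(https?://[^\"'\s>]+)", html, re.I):
            host = (urlparse(url).hostname or "").lower()
            legit = any(host == BRANDS[b] or host.endswith("." + BRANDS[b]) for b in brands)
            if not legit:
                findings.append(f"off-brand-link:{host}")
    return findings

def sample(sender, subject, html=None, attachment=None):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content("You have a new friend request.")
    if html:
        m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return m.as_string()

SPOOF = sample("Facebook <friend@mail.example.test>", "Add me as a friend", attachment="photo.zip")
PHISH = sample("Facebook <security@mail.example.test>", "Confirm your account",
               html='<input type="password" name="p"><a href="http://login.example.test/fb">Log in</a>')
CLEAN = sample("Facebook <notify@mail.example.test>", "New friend request",
               html='<a href="https://www.facebook.com/requests">View request</a>')
```

Calling triage() on SPOOF, PHISH and CLEAN returns the list of reasons for each message; an empty list means none of the checks fired.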
To Protect Yourself, Be Smart
The key to avoiding social network scams is being cautious about who you connect to, says Krista Canfield, spokeswoman for LinkedIn, the business social network with 25 million members. Ideally, accept only invitations to connect to people you’ve actually met, worked or gone to school with or know some other way, Canfield says. If you do, you have more control over who can see your profile and contact you. And since on LinkedIn, direct contacts can see your email address, “Connecting only to people you trust will help you keep your contact information safe,” she says.
Here are some other ways to stay safe:
When creating or updating your profile on a social network, don’t include personal information like your email address or phone number.
Switch from HTML to text-based email. Malicious code can be embedded in the HTML used to build a message and can download as soon as you view the message. If you don’t want to switch, use your email program’s preview function to look at a message before actually opening it.
To prevent anyone from hacking into your social networks, pick passwords that aren’t easy to guess. The best are at least eight to 10 characters long and contain a combination of upper and lower case letters plus numbers and symbols. Make up your own, or look online at password generating sites such as RoboForm. Use different passwords for different accounts and store them in a password vault such as KeePass or Password Corral.
If you use a shared computer to log onto a social network -- like at work or the library -- be sure to completely log off of your account when you’re finished.
If you’ve had privacy problems or suspect something’s wrong, contact the social network’s technology support staff to report it.
Finally, the best defense is a good offense, security experts say. So be sure to install the latest security software and keep it updated. It’s the first step toward protecting yourself and your important private information.
Michelle V. Rafter is a journalist based in Portland, Oregon. She's spent more than 20 years writing about business and technology for magazines, newspapers, wire services and web sites.
Copyright © 2009 Studio One Networks. All rights reserved