As Facebook spreads, so does malware
"Facebook finally hits the mainstream," a CNET post proclaims today. A report from industry watcher O'Reilly Radar finds that US growth for the site has been strongest among users aged 26-59. It comes as no surprise, then, that as the site's reach expands, that attempts to exploit it should also.
This morning I awoke to an email warning of a malicious message circulating among Facebook friends. Turns out I wasn't alone. The Journal of New England Technology reports:
“Look you were filmed all naked!” read the subject header on one iteration of the virus-spreading message, which is being sent automatically from infected accounts to the “friend” list for that account. Clicking the link usually takes users to a page that looks like YouTube, and a pop-up message advises the user to download a Flash plug-in. The download contains the virus, which replicates by contacting everyone on the victim’s Facebook friend list and advancing the hoax.
The "Koobface" worm was first discovered in the middle of this year, and can open back doors that can install other software.
The resulting round of "Sorry, I was hacked – don't click that link I sent you" emails are time consuming and embarrassing, and efforts to get back a compromised account can be difficult, and sometimes futile.
The tactic isn't an old one on the Web, but it is finding resurgence in Facebook as more users join the site.
An experiment carried out in 2007 by Sophos found that 41 percent of Facebook users risk revealing sensitive personal information to total strangers by accepting friend requests from people unknown to them.
From its start, Facebook has relied on personal connections to build community. At first only college students could join the site. Then high schoolers could get in. Then companies. Now anyone is welcome. The gates to this walled garden have come down.
This new round of Facebook users – the moms and hairdressers – likely have the "web smarts" to filter obvious scams from their email inboxes, but the community that a site like Facebook thrives and relies on may be lulling them into a false sense of trust.
Facebook responded to this type of malware intrusion the first time it reared its head earlier this year, implementing a "black list" of sites that can't be linked to from Facebook.
Users of social networking sites can do many things to protect against from this type of attack, including participating in sites like PhishTank, but the easiest thing to do is remain skeptical and alert.