Avoiding Twitter hacks, Koobface, and other security holes

The messages are sent by friends, family, and trusted acquaintances. Some appear to carry embedded images or videos. Most arrive under innocuous subject lines: “You look just awesome in this new movie,” or “Funny moments.”

But when users of popular social networks Facebook, MySpace, and Bebo click on the link inside the message, they set loose a devastating computer virus called Koobface, which devours their operating systems from the inside out. According to research conducted by Kapersky Lab, a digital security group, Koobface quickly turns computers into highly infectious “zombies,” which spread the virus outward in an ever-widening spiral.

By December, Koobface had affected thousands of users in dozens of countries, prompting Facebook to release a set of safety instructions. Among them: Download an antivirus scanner, and immediately reset your password. Then on Monday morning, the Web was rocked by a second attack, a “phishing” scam targeting the popular microblogging network Twitter.

Both incidents have caused widespread alarm among users of social networks, which are generally considered to be relatively safe from crippling malware. In interviews this week, industry analysts say the attacks also raise questions about the ability of network administrators to effectively protect against a fresh wave of faster, smarter computer viruses.

“Security for social media is one of the biggest concerns in 2009,” says Ryan Sherstobitoff, chief corporate evangelist at Panda Security USA, which designs and distributes antiviral applications. “Look at it from a target-rich perspective – social networks are full of interactive applications. Those allow worms to easily self-propagate. And demographically, more and more of us are on [sites such as Facebook].”

Compounding the problem, Mr. Sherstobitoff says, is the implicit trust engendered by social networks. Users know enough not to click on suspicious e-mail messages or annoying pop-up advertisements. But Facebook, which now boasts more than 140 million active users, has until now succumbed to only one major hack, and users are accustomed to roaming freely through the pages of the site.

Furthermore, Koobface is spread from friend to friend, says Dave Marcus, director of security research and communication at McAfee Avert Labs, a leading tech company.

“It really exploits the trust model,” Mr. Marcus says. “People are trained not to bother with unsolicited material. When it comes from someone you know, the situation is different.”

1 | 2

Next