The messages are sent by friends, family, and trusted acquaintances. Some appear to carry embedded images or videos. Most arrive under innocuous subject lines: “You look just awesome in this new movie,” or “Funny moments.”
But when users of popular social networks Facebook, MySpace, and Bebo click on the link inside the message, they set loose a devastating computer virus called Koobface, which devours their operating systems from the inside out. According to research conducted by Kapersky Lab, a digital security group, Koobface quickly turns computers into highly infectious “zombies,” which spread the virus outward in an ever-widening spiral.
By December, Koobface had affected thousands of users in dozens of countries, prompting Facebook to release a set of safety instructions. Among them: Download an antivirus scanner, and immediately reset your password. Then on Monday morning, the Web was rocked by a second attack, a “phishing” scam targeting the popular microblogging network Twitter.
Both incidents have caused widespread alarm among users of social networks, which are generally considered to be relatively safe from crippling malware. In interviews this week, industry analysts say the attacks also raise questions about the ability of network administrators to effectively protect against a fresh wave of faster, smarter computer viruses.
“Security for social media is one of the biggest concerns in 2009,” says Ryan Sherstobitoff, chief corporate evangelist at Panda Security USA, which designs and distributes antiviral applications. “Look at it from a target-rich perspective – social networks are full of interactive applications. Those allow worms to easily self-propagate. And demographically, more and more of us are on [sites such as Facebook].”
Compounding the problem, Mr. Sherstobitoff says, is the implicit trust engendered by social networks. Users know enough not to click on suspicious e-mail messages or annoying pop-up advertisements. But Facebook, which now boasts more than 140 million active users, has until now succumbed to only one major hack, and users are accustomed to roaming freely through the pages of the site.
“It really exploits the trust model,” Mr. Marcus says. “People are trained not to bother with unsolicited material. When it comes from someone you know, the situation is different.”
Marcus says the soaring popularity of Twitter and Facebook, now the top social networking site on the Web (it long ago surpassed MySpace), is candy to hackers, who can now cause more damage with less effort.
“That huge amount of traffic solves a big problem the bad guys have always had, which is how to get the malware to you,” Marcus says. “There’s a big onus on the bad guy to take advantage of a high-traffic site.”
The prospect of more high-profile viral attacks, of course, is widely seen as problematic for Facebook, a media giant that has recently jostled with Google for media market dominance. (Facebook did not respond to repeated requests for comment.)
Adam Ostrow, the editor in chief of Mashable, a leading technology blog, recalled that a couple of years ago, MySpace began to suffer from an overload of spam, which clogged users’ mailboxes and comments sections.
“In some sense,” Mr. Ostrow says, “that contributed to [MySpace’s] relative decline. It’s something Facebook needs to work hard to address. They’ve done a decent job, but it’s hard to really educate mainstream users about what these scams are all about.”
In an e-mail message, a spokesman for MySpace says that spam has significantly decreased over the past year and that the networks takes a “holistic approach to providing users with a safe and secure experience.”
Bebo, which was recently bought by AOL, issued a statement urging users to take care when opening suspicious messages. Viruses, the statement read, “can be combated by adhering to a number of simple checks,” including contacting the sender of the message in question.
Marcus says that social network administrators won’t be able to prevent another attack, because viruses typically exist on users’ machines, and not in the networks themselves. Still, he suggested a handful of precautions all users should follow: run regular antivirus scans; invest in prepackaged security suites marketed by companies such as Symantec, McAfee Avert, and Panda; pay attention to site advisories, and track reports of new viruses.
“It comes down to reading,” he says. “I always read the subject line of the e-mail. In many cases, that’ll give you something – sometimes, they just look wrong.”
But things may get much worse before they get any better. Sherstobitoff, of Panda USA, says his company sees approximately 10,000 pieces of malware a day, each one “totally unique and different.” As hackers take aim at the fat target of social networks, users may find themselves under electronic siege.
“It’s an emerging threat,” Sherstobitoff says, “and it’s only going to get worse. We need to bring it to light.”