Relearning Trust in a Web 2.0 World
Dec 22, 2009 5:00 AM PT
Social networking sites such as Facebook and MySpace rely on the trusted nature of the relationship between friends, colleagues, associates and followers. Unfortunately, the level of trust that end-users invest in each other is also being applied to the makers of applications, and that trust is perhaps a little over-optimistic. Increasingly, cybercriminals are being drawn by the possibilities opened up by application development on popular Web 2.0 Web sites, with the promise of more money. The result is more infections and more potential for something to go horribly wrong with computers being used both at home and in a corporate environment.
Facebook is probably the most well-known site as far as Web 2.0 applications are concerned. These applications are typically games, add-ons, and time-saving devices that require access to elements of your profile data in order to function correctly. The risks of doing this should be obvious: it requires sharing profile data that could be compromised, including your username and password.
For example, on Twitter recently many people were setting status updates saying what their three most used words were; they identified them by logging into a site link that a friend or follower sent them. They logged in using their Twitter username and password. One wonders how many individuals did this without first checking the legitimacy of the site in question. Did most assume it was "safe" simply because a friend had used it?
The Rapid Evolution of Web 2.0 Risk
Unfortunately, the problem of the chain of trust extends right to the heart of almost every aspect of a Web 2.0 site -- not just applications.
Even as far back as January 2008, security 2.0 went into meltdown simply because a Facebook application opened a pop-up advertisement that contained a (random) promotion for Zango Adware. Two years later, we've moved from near hysteria over a harmless pop-up to grim acceptance that the applications themselves can indeed perform harmful acts, from directing users to phishing pages to promoting dubious ties to rogue antispyware programs. Worse still, smart Internet marketers have identified that they can piggyback legitimate applications by running advertisements above the installers designed to look like part of the install routine.
Not worried enough yet? Some individuals don't even waste time on coding a rogue application. They simply set up an application page that seemingly has nothing on it other than a fake "customer dispute" page, harvesting the login data of anybody foolish enough to enter their account information. In a number of cases, neither the application nor the application pages exist.
These data-stealing perpetrators rely on our acceptance of applications on Facebook pages in general; an attacker knows a reasonably convincing screenshot of a fake program pasted onto a comments wall will attract victims (the hook here being the supposed exploitation of a legitimate app).
Use Common Sense on Social Networks
It's a pretty dire situation then, but there are steps you can take to reduce the risk of falling prey to one of the many cons currently out there in the world of Web 2.0 applications -- and imitations! While the following advice is suitable for home users, business users and IT managers also should take note and apply these same practices to their everyday activities and education processes where social networking is concerned:
1) In all cases, grant an application the least amount of personal data it requires in order to install on your profile, and only provide as much access as is absolutely necessary.
2) Be wary of gaming applications that offer payment in return for gifts and in-game items. There have been numerous problems with these kinds of game applications on Facebook and other sites. In particular, games like "Mafia Wars" often negotiate deals with affiliate partners, but you can't be certain what types of applications or pay structures might come with those affiliates down the line. Ask yourself if what you're getting in return is really worth it.
3) Whenever someone posts a message on a Facebook wall, or a Twitter DM, that you're "appearing in a video," you can virtually guarantee this is a variation of the Koobface worm. An instant giveaway will be a Web site that asks you to install a "codec" or media player in order to watch the movie. These cons rely on the fact that end-users readily install new applications on Web 2.0 sites, which lowers their sense of suspicion in relation to all installs. This is not a good habit to engender.
4) Exploiting the general familiarity users have with Facebook applications, a favorite tactic of Con Artist 2.0 is to create a fake program that typically claims to exploit a genuine application, and then post it to the comments wall of the victim, complete with download link. More often than not, an end-user presented with a "program" on their comments wall will assume it's a form of application and run it without thinking. This is usually the first step to a hijacked computer. Just because a friend posts it to your wall doesn't mean it's safe; your friend's account may have been compromised to spread dubious links!
5) Social media con artists will get around the security measures put in place by social networks whenever possible. A recent attack on Russian social networking site Vkontakte.ru involved placing links on Web sites harboring infection files via messages that claimed to "exploit holes" in order to view private profiles. When Vkontakte started to block some of these text links, the con artists started posting the messages as "drawings" on the graffiti wall of the victim. This is a simple yet very effective method of getting around security measures.
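The lures in items 3 and 4 above follow recognizable shapes: a "you're in a video" message that leads to a site demanding a "codec" install, or a supposed "exploit" for a game posted with a download link. The following is an added example, not code from the article or from FaceTime Security Labs, of a small heuristic scorer that an IT team could run over wall posts or direct messages pulled from a feed. The indicator patterns, the score weights, the threshold of 3, the trusted-domain list and the sample messages are all assumptions constructed for the example; the `.example` hostnames are placeholders, not real sites.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed indicator patterns, each mirroring a lure described in the article.
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
VIDEO_LURE = re.compile(
    r"\b(appearing in a video|video of you|you(?:'re| are) in (?:a|this) video)\b",
    re.IGNORECASE)
INSTALL_LURE = re.compile(
    r"\b(install|download|update)\b.*?\b(codec|media player|flash player|plugin)\b",
    re.IGNORECASE)
EXPLOIT_LURE = re.compile(r"\b(exploits?|hacks?|cheats?|cracks?)\b", re.IGNORECASE)
DOWNLOAD_WORDS = re.compile(r"\b(download|run this|get it here)\b|\.exe\b", re.IGNORECASE)

# Assumed first-party domains for the platform whose feed is being scanned.
TRUSTED_DOMAINS = ("facebook.com", "twitter.com")
SUSPICIOUS_THRESHOLD = 3  # assumed cut-off


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    external_links: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= SUSPICIOUS_THRESHOLD


def external_links(text):
    """Return URLs in the message whose host is not a trusted first-party domain."""
    links = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,!?)")  # drop trailing punctuation glued to the link
        host = (urlparse(url).hostname or "").lower()
        trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
        if not trusted:
            links.append(url)
    return links


def score_message(text):
    """Score one wall post or DM; higher means more lure indicators present."""
    v = Verdict()
    v.external_links = external_links(text)
    if VIDEO_LURE.search(text):
        v.score += 2
        v.reasons.append("video-tag lure (item 3)")
    if INSTALL_LURE.search(text):
        v.score += 3
        v.reasons.append("asks to install a codec or player (item 3)")
    if EXPLOIT_LURE.search(text) and DOWNLOAD_WORDS.search(text):
        v.score += 2
        v.reasons.append("'exploit' program offered for download (item 4)")
    if v.external_links:
        v.score += 1
        v.reasons.append("links off-platform: " + ", ".join(v.external_links))
    return v


def scan(messages):
    """Return (message, verdict) pairs for a batch of messages."""
    return [(m, score_message(m)) for m in messages]


# Constructed sample messages; the hosts are placeholders.
SAMPLE_MESSAGES = [
    "OMG you're appearing in a video! watch it here http://vid-share.example/watch?id=7",
    "You need to install the new codec to see the clip: http://codecs-now.example/setup.exe",
    "Mafia Wars exploit gives free items! download here http://mw-tools.example/mw_hack.exe",
    "Lunch tomorrow? details at http://www.facebook.com/events/12345",
    "Great seeing everyone at the reunion, photos coming soon",
]

if __name__ == "__main__":
    for msg, verdict in scan(SAMPLE_MESSAGES):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag}] score={verdict.score} {msg}")
        for reason in verdict.reasons:
            print("    -", reason)
```

The scorer is deliberately additive: an off-platform link alone scores 1 and is not flagged, since friends post legitimate links all the time, but a link combined with any of the social-engineering phrases crosses the threshold. A real deployment would feed the flagged messages to a reviewer rather than block on them, and would tune the phrase lists as the lures change wording.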
Cons 2.0: The Next Generation
Even when you take precautions against attacks like those outlined above, there are always issues -- e.g., rogue applications, dubious advertisements, and social networking worms spreading across your favorite Web 2.0 sites. Perhaps a bigger concern is the thought that Facebook applications will be phased out in favor of Facebook Connect, a new approach that allows users to log into a Facebook service, such as a game previously available only as an application, from a third-party Web site.
While it sounds like an interesting idea, there are likely many ways this could go horribly wrong if a cybercriminal is at the helm.
Chris Boyd is director of malware research at FaceTime Security Labs, which is responsible for maintaining an application signature database of more than 4,000 applications of concern to IT managers.