The hidden dangers of social networking
Posted on 28 Apr 2009 at 12:08
This month, Davey Winder ponders social networking security and mobile botnets.
When His Holiness the 14th Dalai Lama popped up on Twitter people just accepted that it was him, and the same happened when the Real James May appeared and started posting updates. Of course neither was genuine, but in the overall scheme of things it didn't really matter much.
But what if you were to let someone into your circle of Facebook friends who you thought was a trusted acquaintance but is actually an imposter up to no good? With some 45% of the UK population participating in social networking at some level or other according to new research commissioned by VeriSign, that's something you really need to give serious thought to, especially as more and more people participate from work as well as home.
Using business computers, smartphones and networks potentially leaves a door open for hackers and data thieves to enter. That's quite apart from the estimated £6.5 billion a year that social network usage is said to be costing UK businesses in lost production time.
A small matter of trust
These kinds of figures make the tabloid headlines while at the same time missing the conversational security point. We've trained pretty well everyone by now to understand the risk involved in clicking links in email messages, and that doing so carelessly may lead to malware infection, phishing scams and all the rest.
But the same people see no risk in divulging the most intimate details of their lives to people online they may never have actually met, and whose identities haven't been verified in any meaningful way - often intimate details that could include data of interest to an identity thief, a business rival or a blackmailer.
More worrying still is the threat posed by the heady mixture of mates and malware that's becoming an increasingly common reality in social networks.
Facebook has, not too surprisingly, found itself the most heavily hit by the malware brigade. It isn't surprising because it happens to be the Big Daddy of social networks right now in pretty well every respect - membership numbers, momentum and media attention - and it also happens to allow users freely to install web-based add-ons that are meant to enhance the user experience.
Most important of all, Facebook does not adopt the Apple Store approach of permitting only pre-approved applications to appear on its site. That's hardly the end of the world if all an application does is chivvy your online friends to take part in some mindless poll over whether Star Wars is better than The Matrix (PS: it isn't), but not so good when the widgets turn malicious.
As I write, just such an application seems to have been uncovered, which some security researchers think might be employing worrying new techniques to deliver a dangerous payload. Facebook users have been receiving messages that say their friends cannot view their profile and offering the "Error Check System" application as a solution. It's unclear if this application steals personal information or just employs scareware tactics to get people to install it.
However, my friend Graham Cluley, senior technology consultant at Sophos and leading authority on all things malware, has uncovered an interesting twist in this tale.
Many people, when hearing about such a potentially malicious application, will Google for information about it, and when you do that for "Error Check System" it's been throwing up some rather unexpected results.
Cluley points out that the first result on the hits list when he searches via Google takes him to a supposed information site that actually loads a third-party obfuscated script. This will run and redirect your browser to a site that starts up another scareware staple, the fake antivirus scan.
Davey Winder
Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
Printed from www.pcpro.co.uk


