Social Web site users need to be more skeptical about 'friends'
Scam artists often use lists on MySpace and other sites to lure people into bad deals.
Sunday, February 25, 2007
Scammers often set up fake profiles on MySpace, Friendster, Facebook and similar sites and then go about inviting people to become their Internet "friends."
In doing so, they can glean personal information about their potential targets — like their ZIP codes, age or gender — that can be used to fashion legitimate-sounding spam or phishing attacks.
Even more easily, scammers can buy lists of thousands of social networking site users on hacker-oriented Web sites. The names are typically gleaned with so-called "scraping" programs that can quickly harvest the e-mail addresses of thousands of users and then break them down by gender, age or other categories.
At the Web site dnlodge.com, for instance, a poster named "Susa" recently advertised a "myspace phish list" of more than 5,000 accounts for $55. "Great for advertising!" the posting touted.
Another user named "coffeehunk" offered a list of hundreds of MySpace users — "all girls" — for $100. A list already narrowed down by gender could quickly be used for spam or phishing attacks specifically targeting women.
Targeted spam and phishing attacks can be extremely effective.
In a 2005 Indiana University study, researchers sent e-mails to unsuspecting students asking them to visit a Web site and enter their names and university ID numbers — information that in the hands of an identity thief could have been used to do all sorts of harm.
Some of the e-mails came from people that recipients thought were their friends; others got e-mails from strangers.
Only about 16 percent of those students who got e-mails from strangers fell for the scam. But 72 percent of those who got e-mails from people whom they listed as "friends" on social networking sites were duped into giving up their information.
"We expected a high success rate ... but frankly we didn't expect anything as huge as 72 percent," said Filippo Menczer, a computer science professor who helped oversee the study.
"It was like fishing with dynamite in a barrel."
MySpace is by far the online world's biggest social networking site. As a result, it also is the most popular target for online bad guys.
"If I wanted to phish people on MySpace right now, I could have a database with 100,000 to 200,000 accounts within a couple of days — easy," said Loren Williams, a professed former "script-kiddie" hacker in New Orleans who now is an Internet entrepreneur.
A frequent critic of MySpace security, Williams called spam and phishing problems on MySpace and other social networking sites "insanely huge."
MySpace Chief Security Officer Hemanshu Nigam acknowledges that problems are growing in the virtual world he oversees.
Because of MySpace's incredible growth in recent years — its membership has soared from about 10 million registered users a few years ago to more than 157 million users today — such problems are inevitable, he said.
"What happens in the virtual world ... is very (similar) to what happens in the physical world," Nigam said. "Whenever you have a city, country, state or any location ... where a lot of people congregate, at some point you're going to have a bad element that shows up and tries to do bad things."
Nigam said MySpace is taking steps to make things better. It started with his hiring in May 2006 as the first full-time Internet security officer for MySpace and other sites operated by its parent company, News Corp.'s Fox Interactive Media.
MySpace now is trying to hire attorneys and additional security experts to make improvements, Nigam said.
The site also recently made several technology changes, including limiting the number of "friend requests" a member can send at one time, instituting a more secure e-mail verification process, and notifying users when it appears their accounts have been phished.
And, Nigam said, MySpace will continue to sue suspected spammers and phishers who violate the site's policies.
Still, just as everything from lawsuits to legislation has done little to stem the flood of spam, viruses and other maladies on the general Internet, the social networking sites face an uphill battle to keep out bad guys and protect users.



