Companies Say Facebook Is Riskiest Social Network

CU360
February 19, 2010 | COMMENTS

Seventy percent more companies reported spam and malicious infections arrived via social networks in 2009 than they did in 2008. Almost three-quarters (72%) of companies are concerned that their employees' use of social networks could result in a security breach. And 60% of companies now consider Facebook to be the riskiest social network out there.

As the largest social network, Facebook might naturally be expected to emerge as the top target of cybercriminals, says Graham Cluley, a senior analyst at Sophos, which conducted the survey of 500 companies. But Cluley says Facebook has exacerbated matters by asking its members to embrace a new, more granular privacy setting. Cluley says the new setting, in effect, authorizes Facebook to expose more of its member-generated content to everyone on the Internet.

Facebook's new privacy setting gives the company leeway to submit more content to Google, Microsoft Bing, and Yahoo Search so the search services can incorporate more Facebook content into real-time search results, much as they've started to do with Twitter microblog postings, says Cluley, in a recent edition of USA Today.

The wider release of Facebook members' data, however, "inevitably means more information will be made available to cybercriminals who want to target you or your company for an attack," says Cluley.

Facebook continues to defend its new privacy setting as flexible and easy to change. But privacy advocates continue to criticize the move. And the Office of the Privacy Commissioner of Canada recently launched an investigation into a citizen's complaint about the new settings.

Meanwhile, Sophos' new survey includes extensive analysis about how Facebook, Twitter, and other social networks have become like a candy store for data thieves. The fast-morphing Koobface social network worm is a case in point.

The now-notorious Koobface worm family became more diverse and sophisticated in 2009. The sophistication of Koobface is such that it is capable of registering a Facebook account, activating the account by confirming an e-mail sent to a Gmail address, befriending random strangers on the site, joining random Facebook groups, and posting messages on the walls of Facebook friends (often claiming to link to videos laced with malware). Furthermore, it includes code to avoid drawing attention to itself by restricting how many new Facebook friends it makes each day.

Koobface's attack vectors broadened, targeting a wide range of sites other than the one (Facebook) that gave it its name. Social networking sites, including MySpace and Bebo, were added to the worm's list in 2008. Tagged and Friendster joined the roster in early 2009. Most recently, the code was extended to include Twitter in a growing battery of attacks. It's likely we'll see more malware following in the footsteps of Koobface, creating Web 2.0 botnets with the intention of stealing data, displaying fake anti-virus alerts, and generating income for hacking gangs.