There's been a huge increase in malware attached to social networking sites and loosely regulated app stores. Should you lock up your users?

Batten down the security hatches. Hackers are poisoning social networking sites, particularly Facebook, and loosely regulated app stores like the Google Android marketplace, with increasing ferocity. A new study by security vendor AVG found that poisoned URLs posted on Facebook soared by 200 percent in February (compared to the previous month) after increasing by 300 percent in January. (AVG derived its statistics by analyzing URLs blocked by its software.)

The huge spike in rogue software on Facebook is part of a pattern that security experts have seen for several years: tricking users into poisoning their own systems and networks through clever ruses that appeal to curiosity, greed, or lust. No matter how often management tells users not to goof around while on company networks, they do. And IT gets stuck with the mess.

Although the numbers in the AVG study focused only on Facebook, Yuval Ben-Itzhak, AVG’s senior vice president of engineering, says other social networking sites are also inadvertent carriers of rogue software. Indeed, Facebook appears to take reasonable precautions, he says, which only underlines the difficulty of combating the threat.

An easy $12,000 a day

A favorite trick of hackers these days is the fake antivirus scan, often attached to a Facebook page. All of a sudden a window pops up saying your system may be infected, but we’ll do a free scan. In the better — that is, more malicious — versions of this scam, it’s very difficult to make the pop-up window go away. And while it might seem, well, stupid to do so, quite a few users will actually pay something for the bogus software.

An examination of various Web logs and other sources reveals that even a small gang can net $12,000 a day, according to Ben-Itzhak. “It’s a dream come true for the bad guys,” he says. In one seven-day period, more than 80,000 users were affected by the rogue scanner malware.

While the users feel the pain of the antivirus scam, another hack making the rounds targets business information. It’s a fake codec. A URL leads a user to a site where a video is posted. To play it, the user is told to download a codec, which is actually a container for seriously malicious code designed to steal business information. That particular scam worked especially well in February, when users were hungry for videos of the Winter Olympics. Similarly, visitors to Foxnews.com who wanted to watch certain video clips last year were tricked into installing a tainted codec.

Still, it’s difficult to zero in on why Facebook has been hit so much harder this year than last. To be fair to users, it’s worth noting that some of the traditional advice they get from IT or popular publications is no longer adequate. IT tells people to go only to trusted sites. Unfortunately, by the beginning of 2009, the majority of infectious sites were mainstream, says Roger Grimes, a security professional and InfoWorld’s Security Adviser blogger.

Facebook says it has not noticed a spike in rogue software. “People have a number of options for controlling the information they share with applications. We also have a dedicated enforcement team that conducts spot reviews of top applications and of many other applications, including looking at the data they need to run the application versus the data they gather,” says Facebook spokesman Simon Axten. Axten points out that apps are subject to privacy settings. “That is, you can configure what your friends’ apps can and can’t access.”

Which is worse: Email or Web 2.0?

AVG isn’t the only security company pointing the finger at threats related to Web 2.0 and social networking. Four in five IT professionals polled recently by Webroot said Web 2.0-based malware will pose the biggest security threat this year. Seventy-three percent said Web-based threats are more difficult to manage than email-based threats, and 23 percent said their company was vulnerable to attacks on Web 2.0 applications, including social networks such as Facebook and Twitter.

No one likes to be hated, but sometimes you have to take security measures that will make your users really angry. You might even have to (gasp) pull some PCs off the Internet and treat some employees like children, suggests David Perry, global director of education for Trend Micro. Trend Micro’s global array of sensors (and its information exchanges with other security vendors and customers) now detects an astonishing 100,000 samples of new malware a day. You know the drill: Tell them going to porn and gambling sites and so on will get them in serious trouble. Because they are adults, you might set up a PC in the break room that has Web access but is not on your network. They may waste time on it, but it won’t endanger enterprise security.

I don’t mean to pick on Facebook. But I do think that Web 2.0 mavens have to think harder about the problems — indeed, crimes — that holes in their sites create for IT.

I welcome your comments, tips, and suggestions. Post them here so all our readers can share them, or reach me at bill.snyder@sbcglobal.net. This article, “Easy money for hackers, big headaches for IT,” originally was published at InfoWorld.com. Read more of Bill Snyder’s Tech’s Bottom Line blog at InfoWorld.com.