The distribution of malware on social networking sites first occurred in small amounts towards the end of 2007, but that trend appears to be on the rise.
According to a report from MessageLabs Intelligence, which specialises in the analysis of messaging security issues and threats, a popular tactic in 2008 among cyber criminals involved the creation of fictitious accounts on social networking sites. These fake accounts were then used to post malicious links, which usually led to a phishing site, to legitimate users.
Scammers would then make use of the phished personal information, such as usernames and passwords, to gain access to legitimate accounts. This access would be used to post blog comments on the pages of their friends, and send messages from the phished accounts to other contacts. These messages usually contained spam, including links to spam sites such as online pharmacies.
“Web 2.0 offers endless opportunities to scammers for distributing their malware–from creating bogus social networking accounts to spoofed videos–and in 2008, the threats targeting social networking environments became very real,” said Richard Bowman, regional manager, MessageLabs South Asia.
Another report from security expert Symantec, which owns MessageLabs, showed this trend does not look to be slowing down.
The report, which analysed Web threats for the month of January 2009, said social networking sites continue to be popular premises for cyber criminals seeking potential victims.
According to the Symantec report, January saw the emergence of e-mail spam which closely mimicked legitimate notification e-mails of two major social networking sites. These spam messages, which invited users to join a group on the social networking site, contained a link to a virtual group created on the site by the spammers.
This virtual group would be linked to a free blogging site before redirecting the user to the destination URL. Upon clicking this URL, users would be faced with the request to fill out a form collecting personal information. Information collected could then be sold to marketing companies or used for other malicious purposes.