Facebook has apparently become a choice distribution channel for several malicious applications and a new variant of a pernicious piece of malware originally detected in 2008. The popular social networking site has been hit by at least three separate security issues in the last week — two phony applications and the latest variety of the Koobface worm, according to security research firm Trend Micro.
Rik Ferguson, a security researcher at Trend Micro, first noticed the Koobface threat after he received a message via Facebook from a friend. Nothing distinguished the message from any other; however, the included link to a YouTube page led Ferguson to a “very familiar looking spoofed version of YouTube, complete with a bogus comments from ‘viewers,'” he wrote in a post on the TrendLabs Malware blog.
The two hoax applications, “The Error Check System” and “Facebook — closing down!!!” were reported within a few days of one another, just before reports of the Koobface worm surfaced. The applications, when downloaded, could expose a Facebook user’s profile and personal information to hackers.
However, of the recently surfacing security issues impacting Facebook users, Koobface may be the most serious.
“Once on a machine, the risk Koobface poses is extreme,” Michael Argast, a Sophos security analyst, told TechNewsWorld.
The worm has been detected on several social networking sites, spreading itself on Bebo, Friendster, Hi5, Livejournal and Myyearbook.
First detected in late 2008, the Koobface worm and its variants are customized for a variety of social networking sites.
The latest version of the malware aims to steal a user’s cookies and in turn gain access to a user’s profile and personal information. With that data in hand, the malware then searches for the infected user’s friends and sends them messages containing links to sites that will download a copy of the worm onto the friend’s computer. At the same time, the worm sends and receives information from infected machines by connecting to several servers, allowing hackers to execute commands on the infected systems, according to Ferguson.
“It is able to download new instructions on the fly, so that if the author desires, they can sniff credit card or banking transactions, install keyloggers, send spam or any of a number of other malicious activities,” Argast explained.
“Not to mention the social faux pas of being the source of the infection to your friends — it’s the equivalent of being the source of mono that takes down everyone in your circle of friends. This particular piece of malware spreads via links which entice users to install a codec to view a video — this is always a bad idea. Fake codecs are a major threat vector today,” he continued.
The Koobface worm is a serious threat to social network users because it potentially gives the attacker complete control over the user’s machine, noted Chris Rodriguez, a Frost & Sullivan analyst.
“[That] means that an infected computer can be turned into a zombie machine for the attacker’s personal zombie army. Called a ‘botnet,’ this army can be used for number nefarious purposes such as spamming, denial of service attacks, click-fraud and hosting malware/spyware. [It can] also search out sensitive data such as credit card and Social Security numbers and relay it to attackers,” he told TechNewsWorld.
With some 175 million users around the world, Facebook has gone to great lengths to create controls that ensure the privacy of its users, Argast pointed out.
However, “as an application, Facebook still has a number of things they need to do in order to improve the security of the platform they are providing,” he stated.
For instance, the site could focus on better vetting applications submitted by developers for its platform.
“If Apple can vet 15,000 iPhone applications, why is Facebook unable to vet the thousands of applications on their platform? It is likely hard for them to justify given the costs — and lack of revenue — associated, but failure to do so has already led to several malicious applications,” Argast suggested.
The company could also try to ensure that links posted by users are safe. The amount of links posted to the site daily numbers in the millions, and malware programs such as Koobface use links to spread from one computer to another.
“Google, for example, has done great things to ensure that their search results remain clean. Facebook could apply similar techniques to ensure that links out of their systems don’t lead to pages which will result in the compromise of their users,” Argast noted.
However, only a small percentage of Facebook users have been affect by security issues like Koobface, Barry Schnitt, a Facebook spokesperson, told TechNewsWorld.
“We’re updating our security systems to minimize further impact, including resetting passwords on infected accounts and identifying and deleting malicious content sent by the virus,” he said.
Concerned users can check out what Facebook is doing at here.
The Proper Incentive
While there are measures Facebook could take to make its site and application platform more secure, as a money-making entity, it will implement those safeguards only if its subscribers demand it, said Rodriguez.
“Facebook users can demand better protection by discontinuing use of the site until better protection systems are in place. Alternatively, Facebook users that suffer identity theft due to malware may feel compelled to blame Facebook — and similar sites — and may seek out legal action,” he stated.
Security is critical for a personal social networking service like Facebook, Caroline Dangson, an IDC analyst, told TechNewsWorld.
“The popularity and size of Facebook makes it especially susceptible to security breaches. Facebook is storing people’s personal Rolodex in addition to the conversations and interactions between users. While Facebook users have invested time and energy into this platform, they have not invested money, so terminating the service, especially now that Facebook does not claim to own user content, is not out of the question if users lose trust,” she said.
People who use Facebook know that outages, spam and phishing scams are possible, but they expect Facebook to respond quickly to fix any hiccups in the system, Dangson said.
“Facebook still has work to do in order to gain user trust. This incident is not going to help. According to IDC’s U.S. Consumer Online Attitudes Survey Results, one out of two Facebook users ranks the social networking service as ‘trustworthy.’ This put Facebook low on the list as number 24 out of the 27 consumer Internet brands we asked about. From our survey data, IDC observed that brand trust for Facebook was weaker than brand awareness,” Dangson added.
For Facebook’s part, the site has disabled several versions of the bad applications and is working aggressively to make sure these apps stay off of Facebook, according to Schnitt.
“We are committed to maintaining an ecosystem of apps that provide users with a trusted experience and will take action against those that violate policies, including disabling them. We’ve also built security into the platform by preventing any app from accessing sensitive information like contact info,” he explained.
That said, Facebook is growing at an amazing pace. With that comes new and difficult challenges, Argast said.
“But Facebook is not just another Web site anymore — they are an application platform bigger than Apple, second only to Microsoft, one could argue — and a site that people go to in order to discover new things in a fashion similar to Google and likely only second in scale. With this scale comes responsibility to take steps to help ensure the security of their users,” he continued.
“Failure to do so can lead to what we security professionals like to call the ‘broken window’ syndrome — once one window in a neighborhood is broken and not attended to, the vandals know they have free rein, and chaos ensures, dropping property values and driving out the good tenants. If Facebook fails to take appropriate security measures, hackers will more aggressively target their platform, which will turn off their users, who will turn to safer destinations,” Argast concluded.