The social networking phenomenon has brought many benefits. Sites such as Facebook (FB) let people find friends to hang out with online, and businesses are finding it worthwhile to create a company presence on FB, MySpace, Twitter, and the rest. Given their explosive growth, however, these sites have also attracted an unsavory element looking to exploit such fertile new ground.
Do you recall, back in the early 2000s, when email phishing was a relatively new phenomenon? Eventually people became savvy about not following links that arrived in email messages from businesses with which they had no established relationship. You see, short of exploiting an unpatched bug in your software, the bad guys have to get you to act on their behalf in order to compromise your system ... so at some point they have to present you with some “stuff to click on” ... thereby tricking you into giving your operating system (Windows, MacOS, Linux, etc.) the go-ahead to install their evil code.
In a similar vein – have you noticed that when you go to play a game on a social site, say FB, you are presented with a dialog box saying something like "This application requires access to your FB profile. Do you wish to grant access?” This is the FB security layer warning you that the application is asking to read your profile, and the access you grant stays in force until you revoke it in your account settings. This is like a stranger asking to look through your wallet and record whatever they feel like while they’re in there browsing. Alarm bells should be sounding in your head! Let’s see ... a game that’s all sorts of fun to play and has really nice graphics, and which must have taken some people a lot of time to develop, all apparently “for free”! Too good to be true? Gee whiz -- that's a little like those emails I occasionally get from "banks" promising to consolidate all my debt into a "Zero down, 0% APR loan” ... too good to be true indeed.
So, while most FB applications and games are not bogus fronts for bad guys who want your personal information, it is also true that some of those ostensible applications are phony. Be very careful before deciding to unleash these apps on your private information.
In another example of social networking abuse, there was recently a worm blazing its way through FB accounts called Koobface (an anagram of "facebook"). Koobface arrives in your FB inbox as a message from a FB friend. When you open it, you are told to check out a YouTube video. When you click the link to the video, you are sent to a fake YouTube site. When you try to start the video, you are told that your system is missing an important piece of video playback software called a codec (engineering speak for coder-decoder), and asked whether you want to install the missing codec.
Let’s step back here. At the request of a site that merely looks like YouTube, you are about to install and run a piece of software! Are those internal alarm bells clanging loud and clear yet? They should be. The supposed missing codec is really the worm's installer, an ordinary Windows executable. If you OK the installation, your system is infected. The worm begins executing immediately, adding itself to the Windows Registry's startup (Run) entries so it is restarted whenever you reboot. It then reads your browser's stored cookies to find out which social networking sites you are logged in to. For each site, it uses those cookies to authenticate as you and then sends messages, in your name, to all your friends! Of course, those messages are just more infect-o-grams like the one you fell for. And so the worm turns...
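As an added example (not part of the original post), here is a small Python screen for the lure pattern just described: a link that is dressed up as YouTube but whose hostname actually resolves somewhere else, and a "codec" that is really a Windows program. The allowlist of YouTube's registrable domains, the indicator names, and the sample messages are all my own assumptions; the domains in the samples are constructed for illustration.

```python
"""Screen message links for the Koobface-style lure (added example, not the
original post's code). Heuristic only: sample messages below are constructed."""
import re
from urllib.parse import urlparse, unquote

# Assumption: registrable domains we accept as genuinely serving YouTube.
TRUSTED_VIDEO_DOMAINS = {"youtube.com", "youtu.be"}

# A "codec" whose filename ends in one of these is a program, not a media plug-in.
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".vbs", ".js")

# Strings the lure shows the victim to make the link look like YouTube.
BAIT_WORDS = ("youtube", "youtu.be")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for the .com/.be hosts used here;
    production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> list[str]:
    """Return the lure indicators found in url; an empty list means nothing seen."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    host = (p.hostname or "").lower()   # what the browser actually connects to
    netloc = p.netloc.lower()           # includes any user@ prefix used as bait
    path = unquote(p.path).lower()
    findings: list[str] = []

    bait_shown = any(w in netloc or w in path for w in BAIT_WORDS)
    if bait_shown and registrable_domain(host) not in TRUSTED_VIDEO_DOMAINS:
        findings.append("lookalike-host")       # says YouTube, resolves elsewhere
    if "@" in netloc:
        findings.append("userinfo-trick")       # http://youtube.com@evil.example/
    if path.endswith(EXECUTABLE_EXTS):
        findings.append("executable-download")  # "codec" is an executable
        if any(w in path for w in ("codec", "flash", "player")):
            findings.append("fake-codec")       # the "missing codec" is the worm
    return findings


def screen_message(text: str) -> dict[str, list[str]]:
    """Pull every http(s) link out of a message body and classify each one."""
    return {link: classify_link(link) for link in URL_RE.findall(text)}


# Constructed samples in the shape the post describes; hosts are invented.
SAMPLE_MESSAGES = [
    "lol is this you?? http://www.youtube.com.video-watch.example/watch?v=9Xq2",
    "You need the codec: http://www.youtube.com.video-watch.example/download/flash_codec.exe",
    "the real thing: https://www.youtube.com/watch?v=dQw4w9WgXcQ",
    "look http://www.youtube.com@198.51.100.7/setup.exe",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg)
        for link, flags in screen_message(msg).items():
            print("   ", link, "->", ", ".join(flags) if flags else "no indicators")
```

The check deliberately separates what the link displays (the "youtube" text anywhere in the authority or path) from where the browser will actually connect (`p.hostname`), because that gap is the whole trick; the `user@host` form is called out separately since everything before the `@` is ignored by the browser and exists only to fool the reader.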
The lesson here is: think twice before accepting requests from applications, games and gifts to "access" your social networking profile(s). Moreover, think three times before saying yes when a web site you followed a link to recommends that you OK the installation of software you supposedly need! Even if you believe you really might be running an old version of a plug-in, anti-virus program, etc., always refuse the unsolicited pop-up style request. Instead, type the software maker's URL into your browser yourself and check there whether you are missing codecs or updates. If there are updates, install them and then retry the video.
If your software is already up to date, or if you get the same pop-up again after updating, assume the pop-up is malicious and just skip the video. It cannot be worth the risk. You might even go the extra step of telling the sender about your suspicions. In this particular case, the “sender” would be surprised you got a message from them at all; you’ll recall that in our scenario it was the worm that sent it. This is often how people find out their system is infected, so you are doing them a real service.
To read further, here is a link to a technical explanation of how the Koobface worm works.