Online scams are a billion-dollar-a-year business. It has even been reported that, as far as profitability is concerned, online crime beats the drug trade.
It’s not hard to see why online crime has skyrocketed. Scammers don’t even need to leave the comfort of their own homes to exploit the ample criminal opportunities that exist online.
Hardly a day goes by without online crime making headlines. Just yesterday, Spotify, the up-and-coming online music service I wrote about on Monday, was compromised by hackers, potentially resulting in a breach of user data including email address, birth date, gender, postal code and billing receipt details (but not credit card numbers).
Increasingly, scammers are turning to social networks. Hundreds of millions of people use social networks, and because content can spread virally on them, they’re potentially a scammer’s dream.
Recently, scammers have set their sights on Facebook. In the past several weeks, two attacks using rogue Facebook applications have hit the world’s most popular social network. The latest, ‘Koobface’, originally surfaced late last year but has re-emerged.
It uses Facebook to spread a worm that turns infected computers into botnet zombies. These zombies are typically used by their controllers to send spam and engage in other such activities. ‘Koobface’ uses the viral nature of the social network to spread. Messages are sent to an infected user’s friends, encouraging them to visit a video at a link that will instead infect them.
Another recent rogue Facebook application, ‘Error Check System’, appeared to be an attempt to gather personal information.
Facebook’s developer platform, which enables developers to build applications that Facebook users can ‘install’ on their Facebook accounts, opened the can of worms that ‘Koobface’ and ‘Error Check System’ emerged from.
According to security vendor Trend Micro, Facebook is not doing enough and faces a potential security disaster if it doesn’t beef up security policies for its developer platform.
Trend Micro senior security advisor Rik Ferguson stated:
The [Facebook] policy is facilitating the growth of rogue applications, and
making it easier. If Facebook does nothing, they will continue to increase.
He issued an ominous warning:
This feels like a test run for something more malicious in the future. It may be
about stealing identities, or it may be much more.
While it’s too early to panic, it’s easy to understand why so many security experts have been raising concerns about social networks. It’s not just the ease with which they enable content (including rogue applications) to spread; it’s the fact that they allow these to spread amongst friends. That means that users are more likely to trust the malicious ‘packages’ they receive. After all, the package arrives in the form of a message from a friend on Facebook, not a random email from a person you don’t even know.
Unfortunately, it appears that Facebook doesn’t see the threat. According to Facebook CEO Mark Zuckerberg, an open developer platform is more important to Facebook than security. He told the BBC:
Our philosophy is that having an open system anyone can participate in is
generally better. When we were starting this we wanted anyone to be able to develop an
application. This has made it so students in their college dorm rooms could
build applications for free. That’s how I got started with Facebook. We really
want to make sure that sort of innovation is possible.
Innovation is great and Facebook’s developer platform is a wonderful thing, but if online criminals continue to ramp up their abuse of open developer platforms to fool users into opening up their wallets, it’s not going to be pretty. There has to be a middle ground.