Kaspersky researcher criticizes Facebook developer policy

Stefan Tanase, a researcher at the Moscow-based anti-malware company, gave a webinar on malware in social networks during the same week that the Vatican launched a website targeting followers on using such services. Attacks generally exploit a mixture of technical vulnerabilities and human gullibility, he said.

"Underneath this eye candy, there are new attack vectors emerging that enable the bad guys to find their way into the computers that we use," he said, citing videos that point to malicious links on YouTube as an example. He pointed to Twitter, LinkedIn, and Digg comments as other fertile breeding grounds for attacks that point users to malicious websites and then deliver malware to their machines.

"They have scripts that are trying to guess what operating system a specific system is using, and trying to target their attacks," he said. "They also use geographical IP locations, so that they can target their stories more effectively, all over the world."

The company had found 43 000 malware samples related to social networks at the end of last year, Tanase said. "More than half of this number were received only in 2008." In 2007, half that number were found. "We can easily see that the growth rate is exponential," he added.

10% of malware attacks succeed when spreading through social networks, compared to 1% when spreading through email, he said, citing research published by the company earlier this year.

"It's one thing to get a link from someone you don't know as part of a random spam message, compared to getting a targeted message from someone that you know in real life, and that you trust," he warned.

Facebook announced its certified application program for developers this month. "What the developers had to do was pay a $375 fee to get their applications certified, but that fee is pretty big for normal developers, and it has to be renewed each year," said Tanase, adding that there are currently 52 000 applications on Facebook.

Bugs have been discovered in the Facebook system that stopped certified applications showing up, he warned. "I worry about how many applications will be verified under these conditions."

He also warned users to consider the applications that they run on their machines, advising them to use application vulnerability scans, and to use proper licenses to enable the software to be updated. Of the critical vulnerabilities in applications found in 2008, 18 can lead to full system access, according to Kaspersky data. This was the leading vulnerability by far. Exposure of sensitive data was the next most prevalent, with six vulnerabilities.

What’s Hot on Infosecurity Magazine?