Spam, phishing and malware attacks on social-networking sites doubled in 2010 compared with the year before, according to a new review of cyberthreats.
Released Wednesday, Sophos’ Security Threat Report 2011 explains that the rapid growth of social-networking sites — most prominently Facebook — has made them sitting targets for attackers.
Sophos asked social-networking users whether they’d received spam, phishing e-mails or malware attacks through last December. Sixty-seven percent of people reported spam (up from 33.4 percent in April 2009); 43 percent reported phishing messages (up from 21 percent); and 40 percent reported malware attacks (up from 21.2 percent).
"Once you break into a Facebook account, it’s a treasure trove," Graham Cluley, senior technology consultant for Sophos, told SecurityNewsDaily. "The user has laid out their personal information for you, including a long list of friends and relationships."
All a hacker has to do is trick the user into divulging some of that personal information, and it can then be sold to advertisers or used for any number of criminal acts, including identity theft.
The fact that Facebook does not screen third-party apps is a serious security flaw, the report notes. The policy allows rogue applications to roam freely throughout the site, preying on a pool of 600 million people.
New survey scams and "clickjacking" — tricking users into clicking on disguised malicious links — were two prominent threats that emerged this past year and will continue to thrive on social networks, especially if Facebook doesn’t take steps to curb the dangers.
"A June 2010 Sophos poll found that 95 percent of respondents wanted Facebook to do more to prevent ‘likejacking’ attacks (essentially clickjacking by liking something on Facebook) and urged the site to impose stricter controls on the plug-in," the report notes.
"The social media site, however, is either unable or unwilling to invest the necessary resources to stamp it out."
The cybersecurity landscape is dotted with other land mines, the study found, ranging from attacks targeting smartphones and other mobile devices to large-scale infrastructure breaches, such as Stuxnet-like malware and WikiLeaks-related "hacktivism."