As long as marketers are willing to spam and scam to make money by taking advantage of people, this type of blight will continue to find new outlets and leave a trail of victims. These offers all rely on automatic credit card rebilling (euphemistically called “negative option” or "reverse billing") and the fact that users don't take the time to read the fine print. ... more

Network World has a good wrapup of the top 10 security-related stories of 2009 involving social networking sites such as Facebook and Twitter. Such stories illustrate the need for good web fraud prevention in the new world of social networking. Because social networks, while user-friendly and generally open to all, present unique challenges both to cybercriminals and the security industry devoted to defeating them. And keeping up with the online security stories about these networks is a big part of that. The full article is rather long, so I’ll cut this introduction short, in order to present it ... more

Word is out from Trend Micro that the Koobface botnet has started a new attack on Facebook, and also a second report about it using Google Reader to spam Facebook, MySpace, Twitter and possibly other social networking sites. This attack should be seen as part of the growing threat to social networking sites without the proper type of bot detection software. Below is the Trend Micro blog on the Facebook attack, but I would also advise checking out their blog post on the wider Google Reader attack as well. The Koobface botnet has pushed out a new component that ... more

The fight against Virtual Blight has two heroes this week, TechCrunch founder and editor Michael Arrington and Facebook advertising guru Dennis Yu, who set the spammy/scammy world of incentivized lead generation scams on fire. Arrington started the ball rolling with Scamville: The Social Gaming Ecosystem of Hell, and Yu pushed the gas pedal to the floor with How To Spam Facebook Like A Pro: An Insider’s Confession. These two heroes in the fight against blight have pushed MySpace to publicly flagellate these scams and toughen up their TOC for applications and advertisers along with getting serious about enforcement. ... more

Phishing attacks are on the rise again, and the targets — Facebook, Twitter, and other social networking sites, as well as large webmail sites — all seem at a loss as to how to protect their clients. I read a fascinating article on Byron Acohido’s “Watchdog on Internet security” blog which goes into the growing threats in some detail (the article was too long to repost, it is excerpted below). But what all these attacks have in common is the growing need for some new thinking on login protection. Being able to filter out automated login attempts by ... more

Facebook users are under attack (again) from spam which tells them their passwords have been reset for security reasons. When the unsuspecting user clicks on an attachment (to see “your new password”), what they get instead is the Bredolab Trojan on their machine. This will then connect to a server, and download Cutwail, multiplying the malware loaded. Such social networking spam is a growing problem, but one that could be solved with better bot detection software. ZDNet has a blog post up with a nice image of the spam email, for those interested. EWeek has a ... more

CNN ran an interesting story today on how social networking sites have been recently plagued with spam, phishing, and other online fraud. For those of us in the network security field, this is not exactly news — but stepping back a bit from such tunnel vision, we have to remember that it is indeed news to a lot of the users of such sites. So while the article itself is fairly basic and beginner-level when it comes to online security, what is interesting is that it is being presented to such a wide general-interest audience. So, for ... more

Proving once again the next-to-worthless nature of CAPTCHAs, it seems that rogue spyware operators have bypassed Facebook’s CAPTCHA “security” system and has successfully launched attacks behind such perceived protection. This is not exactly news. As one article addressing the new report from AVG Technologies points out: “Nearly 3,200 cases of social network account hijackings have been reported to the FBI’s Internet Crime Complaint Center since 2006.” While there are companies out there who do achieve web fraud protection, sites which rely solely on CAPTCHAs for this purpose are woefully unprepared for today’s malware attacks. PC World explores ... more

Trend Micro issued a new warning yesterday on Facebook apps which do nothing but create spam for your friends. A group of apps all appear to be doing the same thing, assumably making them harder to target. And the effort seems to be getting slightly more sophisticated as time passes, by changing from an easily-identifiable domain name to the harder-to-recognize numeric IP address. Elinor Mills at CNet has the full story (complete with screen shot image), from Rik Ferguson at Trend Micro: So far, six malicious applications have been identified: “Stream,” “Posts,” “Your Photos,” “Birthday Invitations,” “Inbox ... more

While this story is not exactly news to people who follow security trends online, the mainstream media certainly discovered it in the past few days. Social networking sites such as Facebook and Twitter have been targets for such attacks of late, but a report just out seems to have focused attention on these attacks in a more widespread way than before. If you’re interested in the mainstream news’ version of the story, all you have to do is enter “social networking” into a search engine such as Google News to see the numerous stories on the phenomenon this ... more