Virus makers exploit 'friend' trust in social networks

You can get the most amazing messages from friends on Facebook.

Recently, a high-school pal wrote me about a strange new Web site, adding the parenthetical comment "(69241)." Then, a typically typo-free writer assured me I could "become a reall filmm staar noww" and pointed me to a site in India. And a normally levelheaded colleague passed along yet another strange address, followed by the exultation "Best store!!!" — then resent the message a minute later.

OK, so my Facebook friends didn't really write those things. Nor did the co-worker who appeared to invite contacts on Twitter and Facebook to view a "private video." Instead, a virus did, hijacking their accounts to send messages steering friends to hostile sites.

These attacks shouldn't surprise anybody. Virus authors are creative but ultimately predictable: Whenever a new site or software becomes popular, you can count on these cretins to try to exploit these. And over the past year or so, they have found social-networking sites such as Facebook, Twitter and MySpace attractive targets.

That's because the most basic feature of these sites can be useful for anonymous enemies as well as known friends. Social-networking sites provide their core value — no, not accelerating the distribution of gossip — by delivering a component missing from the Internet's own architecture: trust.

On the Internet, as the cartoon goes, nobody knows you're a dog. There's no bit attached to the data identifying you by name, location or occupation.

So a person or company on the Internet must use other tools to persuade strangers to trust them, such as the "security certificates" of online merchants or feedback scores on eBay.

Social-networking sites fit into that pattern, allowing you to identify yourself and have other people vouch for you by adding you to their friend lists.

That helps when long-lost pals confirm that it's really you on Facebook from mutual friends' endorsements, but it's also open to exploitation by crooks. You might ignore a message linking to a random site if it came from a stranger, but would you dismiss it so quickly if it had a friend's name on it?

The status-update culture of social-networking sites compounds the vulnerability. Much of the activity on the likes of Facebook and Twitter consists of short messages linking to Web sites whose identities have been obscured through link-shortening services.

Free sites such as TinyURL.com and bit.ly generate these shorter links to lengthy Web addresses so that they fit better in the tight space of a Facebook or Twitter status update, but these custom addresses rarely reveal their destination unless users run extra software.

Both TinyURL and bit.ly use blacklists from Google and other sources to block links to malicious pages; perhaps as a result, all the bogus messages I've received on Facebook and Twitter linked directly to hostile sites.

So far, only a handful of viruses — all Windows-only — have attempted to turn the virtues of social-networking sites against them.

Most of this malware goes by the name "Koobface" and targets Facebook and MySpace users ("koob" being "book" in reverse), though a newer version of it attacks Twitter accounts, too. This family of viruses surfaced at least a year ago and has been updated by its unknown developers multiple times.

Facebook spokesman Simon Axten said the site has resisted these attacks by blocking links to hostile sites; retroactively deleting malicious messages from users' in boxes; and shutting down accounts that show signs of infection, such as posting many updates faster than usual.

Those steps, Axten wrote, have meant that "less than 1 percent" of Facebook users have been hit with a security issue, such as virus or phishing attacks, since the site opened in 2004.

Twitter representatives did not respond to requests for comment.

I'd like to think that the small scale of this problem so far means that social networks haven't just been lucky, they've been good.

But their steadily growing popularity suggests that things could get worse soon enough.

There's no perfect software fix for these online diseases, but there is a human remedy for the problem of suspicious messages from friends. It's the sort of skepticism expressed in an old newsroom saying that, with one update, fits this situation, too: If your mother says she loves you on Facebook, check it out.