
Malware on Facebook

January 11th, 2009  |  by elisabeth  |  Published in Future of the Internet

—By Elisabeth Oppenheimer

If you use Facebook, you’ve probably seen some of the viruses that have been hitting site users. (That message from your aunt telling you to “click here to see paRiS Hilton!!1”—probably not actually from your aunt.) Initially, it was phishing scams—the user would click on a link, be taken to a site that looked just like Facebook’s login page, and unwittingly give her login information to the bad guys. A more serious problem is the “Koobface” virus. Users got messages from their friends inviting them to view videos, but were prompted to update their Flash player first. Clicking “update” installed malicious executable code that turned their machines into zombies. If the frantic threads I’ve been seeing on my newsfeed are any indication, it’s a pain to undo the damage. The McAfee security blog explains the motivation for the malware:

As for the motivations behind this Koobface variant, analysis shows that during infection a proxy server is installed to %ProgramFiles%\tinyproxy\tinyproxy.exe and a service named Security Accounts Manager (SamSs) is created to load the server at startup. This component listens on TCP port 9090 and proxies all HTTP traffic, in particular looking for traffic to Google, Yahoo, MSN, and Live.com for the purpose of hijacking search results. Search terms are directed to find-www.net. This enables ad hijacking and click fraud.
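An added example (not from the original post or from McAfee): a host-triage check for the three artifacts the quote names, run over constructed service and listener records. The record layout, rule names and sample paths are assumptions, and the lsass.exe path of the genuine SamSs service is background knowledge rather than something the post states.

```python
import re
from collections import namedtuple

# Indicators from the McAfee description quoted above.
PROXY_EXE = r"\tinyproxy\tinyproxy.exe"      # installed under %ProgramFiles%
SERVICE_LABEL = "security accounts manager"  # display name reused by the malware
PROXY_PORT = 9090                            # TCP port the proxy listens on
# Background fact, not from the page: the genuine SamSs service runs lsass.exe.
GENUINE_SAMSS_EXE = r"\system32\lsass.exe"

Service = namedtuple("Service", "name display_name image_path")
Listener = namedtuple("Listener", "proto port image_path")

def exe_of(image_path):
    """Lower-cased executable path from an ImagePath, without quotes or arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(?=\s|$)", p, re.IGNORECASE)
        p = m.group(1) if m else p
    return p.replace("/", "\\").lower()

def triage(services, listeners):
    """Return (rule, confidence, executable) tuples for one host's records."""
    hits = []
    for svc in services:
        exe = exe_of(svc.image_path)
        if exe.endswith(PROXY_EXE):
            hits.append(("service-loads-tinyproxy", "high", exe))
        elif svc.display_name.lower() == SERVICE_LABEL and not exe.endswith(GENUINE_SAMSS_EXE):
            hits.append(("samss-name-on-other-binary", "high", exe))
    for sock in listeners:
        if sock.proto.lower() != "tcp" or sock.port != PROXY_PORT:
            continue
        exe = exe_of(sock.image_path)
        # 9090 is used by other software too, so the port alone only merits review.
        conf = "high" if exe.endswith(PROXY_EXE) else "review"
        hits.append(("listener-on-9090", conf, exe))
    return hits

# Constructed sample records (not real telemetry); the "-d" argument is made up.
CLEAN = ([Service("SamSs", "Security Accounts Manager", r"C:\WINDOWS\system32\lsass.exe")],
         [Listener("TCP", 9090, r"C:\Tools\devserver\devserver.exe")])
INFECTED = ([Service("SamSs", "Security Accounts Manager",
                     r'"C:\Program Files\tinyproxy\tinyproxy.exe" -d')],
            [Listener("tcp", 9090, r"C:\Program Files\tinyproxy\tinyproxy.exe")])

if __name__ == "__main__":
    for label, (svcs, socks) in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, triage(svcs, socks))
```

Matching on the service name alone would flag every Windows machine, which is why the check compares the binary behind the name instead.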

It’s not hard to see why this malware is springing up. Facebook is huge and growing, and it holds all sorts of interesting data about its users. As the book predicts, developers of malware will follow users and money—if there’s something to exploit, there will be someone to exploit it. Moreover, social network users are lulled into a false sense of security because they know the people in their networks.

Facebook isn’t taking this lying down, of course. If you click on an outbound link—even a perfectly innocent one—you’ll get this stern warning:

[Screenshot: Facebook’s warning on outbound links]

and I presume they’re immediately deleting accounts of anyone caught spamming, just as they immediately killed applications with security loopholes. Also, browsers helped: the initial bogus login sites had URLs ending in .access-login.com. When a user attempted to access one of those URLs, Firefox would display a “reported web forgery” banner. (The .access-login sites now appear to be gone.)

These measures will mostly combat the initial phishing scam, and once users internalize the fact that they should treat Facebook messages like any other email—potentially dangerous—viruses like Koobface may not spread as quickly. But malicious actors are creative, and Facebook is basically going to be in the position of playing whack-a-mole, trying to kill off new malware before it drives away too many users. (As noted, usage of Facebook is still climbing quickly, but spam and malware nonetheless will be a real threat if they get out of control. Similar problems hurt MySpace.)

What really interests me about this situation is whether Facebook will deploy advanced methods to combat advanced malware. In the book, Professor Zittrain suggests that malware is best combatted through community efforts rather than post hoc solutions like virus software (or the Facebook equivalent, a central authority trying to wipe out individual viruses). The hard thing about communal solutions is how to deploy them. The Internet doesn’t have a communal gathering place—people have to take the initiative to install something like Herdict. Perhaps the closest thing we have to a gathering place is Google, which is why Google’s partnership with StopBadware has been such an effective way to get owners of infected sites to clean up the sites. Facebook, on the other hand, does have the equivalent of bulletin boards that everyone sees. Everyone uses the same login page, sees the newsfeed, and can be made to click through the same warning when they exit the site.

Facebook can deploy these capabilities in a top-down manner, as they have with the warning on outward-bound links. That’s pretty effective. But Facebook could also build a tool like Herdict and display the results prominently next to every application offered. Or, instead of directing a user who clicks on a suspicious link to the Wikipedia page on phishing, Facebook could let that user chat directly with another user who is a security expert. (Would people volunteer to be security experts? Maybe—Wikipedia got written, after all. Or Facebook could bribe them—give them free “gifts” to pass on to their friends, let them put a gold star on their profile, whatever.) They could give users similar incentives to write programs that clean up the results of viruses, or delete comment spam en masse. In other words, Facebook could ask users to help anticipate and deal with the problems, and then provide a free, effective way to publicize and distribute those solutions.

Creative Commons BY-NC-SA Jonathan Zittrain unless otherwise noted.