JOIN USViruses that leave victims red on Facebook
Malicious programmes are rampaging through Web sites like Facebook and Twitter, spreading themselves by taking over people’s accounts and sending out messages to all of their friends and followers. The result is that people are inadvertently telling their co-workers and loved ones how to raise their I.Q.’s or make money instantly, or urging them to watch an awesome new video in which they star.
“I wonder what people are thinking of me right now?” said Matt Marquess, an employee at a public relations firm in San Francisco whose Twitter account was recently hijacked, showering his followers with messages that appeared to offer a $500 gift card to Victoria’s Secret.
Marquess was clueless about the offers until a professional acquaintance asked him about them via e-mail. Confused, he logged in to his account and noticed he had been promoting lingerie for five days.
“No one had said anything to me,” he said. “I thought, how long have I been Twittering about underwear?”
The humiliation sown by these attacks is just collateral damage. In most cases, the perpetrators are hoping to profit from the referral fees they get for directing people to sketchy e-commerce sites.
In other words, even the crooks are on social networks now— because millions of tightly connected potential victims are just waiting for them there.
Often the victims lose control of their accounts after clicking on a link “sent” by a friend. In other cases, the bad guys apparently scan for accounts with easily guessable passwords. (Marquess gamely concedes that his password at the time was “abc123.”)
After discovering their accounts have been seized, victims typically renounce the unauthorised messages publicly, apologising for inadvertently bombarding their friends. These messages — one might call them Tweets of shame — convey a distinct mix of guilt, regret and embarrassment.
“I have been hacked; taking evasive maneuvers. Much apology, my friends,” wrote Rocky Barbanica, a producer for Rackspace Hosting, an Internet storage firm, in one such note. Barbanica sent that out in November after realising he had sent messages to 250 Twitter followers with a link and the sentence, “Are you in this picture?” If they clicked, their Twitter accounts were similarly commandeered.
“I took it personally, which I shouldn’t have, but that’s the natural feeling. It’s insulting,” he said.
Earlier malicious programmes could also cause a similar measure of embarrassment if they spread themselves through a person’s e-mail address book.
But those messages, travelling from computer to computer, were more likely to be stopped by antivirus or firewall software. On the Web, such measures offer little protection.
Getting tangled up in a virus on a social network is also more painfully, and instantaneously, public. “Once it’s delivered to everyone in three seconds, the cat is out of the bag,” said Chet Wisniewski of Sophos, a Web security firm. “When people got viruses on their computers, or fell for scams at home, they were generally the only ones that knew about it and they cleaned it up themselves. It wasn’t broadcast to the whole world.”
Social networks have become prime targets of such programs’ creators for good reason, security experts say. People implicitly trust the messages they receive from friends. Sophos says that 21 per cent of Web users report that they have been a target of malicious programs on social networks. Kaspersky Labs, a Russian security firm, says that on some days, one in 500 links on Twitter point to bad sites.
Brad Stone