David Harley, ESET: Facebook, Chain Letters are so Last Decade
The security issues around Facebook, Twitter and similar services have become a hot topic in recent years: most security conferences and expos now list some Web 2.0-related presentation, or name social networking as a topic of interest in a Call for Papers. More generalist events and publications seem to waver between the need to restrict corporate access to such media and the need to make more use of them. Admittedly, there’s been much coverage of high-profile incautious disclosure of profile information (for instance) by the likes of the Head of MI6. However, there’s an equally pressing issue that hasn’t attracted sufficient attention: the avalanche of incoming misinformation.
I’ve had a professional interest in chain letters and hoaxes since the 1990s, when Good Times and other virus hoaxes ran wild over Internet messaging services, generating mailstorms that gave systems administrators almost as many headaches as real malware. In fact, I sometimes think that the pseudoscience of memetics and “viruses of the mind” is almost more interesting than real malware, because you can concentrate on the psychological mechanisms that drive both the hoaxer and his victim without being distracted by the technicalities of malicious code. Therein lies their appeal, of course: not everyone can code a Trojan, but anyone at all can invent a hoax.
In recent years, hoaxes have diversified: we see fewer virus hoaxes and “Bill Gates is sharing his fortune with anyone dumb enough to forward this email”, and more of the kind of chain letter that extorts emotional engagement on the part of the recipient: tsunami hoaxes, photographs of missing children, wear red to show you support the troops, and so on. And, of course, there are new propagation channels.
Twitter has become a hotbed of instant rumours about celebrity deaths, non-existent dramas and disasters, and fake “Amber alerts” about kidnapped children. Facebook has less immediacy in the hoax department, but more persistence. For example, a number of Facebook pages have sprung up around myths and semi-myths that previously circulated as chain emails, suitably adapted to the Facebook environment. Others have reinvented the virus (semi-)hoax: for example, the Unnamed Application “spybot”, which may have originated in more than one event, but appears to have been primarily due to a Facebook bug. (Though there is plenty of scope for malicious code in those FB applications so many people sign up for because their friends did.) But don’t get the idea that all Facebook hoaxes are irritating but harmless fictions.
Cybercriminals, who are perfectly happy to make money any way they can, realized long ago that anything that creates a stir on Facebook or Twitter can be used for SEO (Search Engine Optimization) poisoning. In other words, if you start looking in Google or Bing for search terms like (in this instance) “Unnamed application”, they make sure that the first results you get will be links to malicious sites. Most hoaxes are malicious, but they’re also frequently linked to malicious code in ways you might not have thought about.