Facebook and Twitter were all the rage in 2009, and not just for social networkers. The sites were also extremely popular among hackers and thieves, IT security firm Sophos revealed Monday in its Security Threat 2010 report.
The firm's survey found that spamming on social networks has skyrocketed more than 70 percent. Fifty-seven percent of social-networking users said they had been spammed via a social-networking site.
In addition, 36 percent of respondents said they had received malware from such sites, a spike of almost 70 percent.
Where the Money Is
"Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is to be made," said Graham Cluley, senior technology consultant for Sophos. "The dramatic rise in attacks in the last year tells us that social networks and their millions of users have to do more to protect themselves from organized cybercrime or risk falling prey to identity-theft schemes, scams and malware attacks."
As the biggest social network, Facebook is also the "most feared" network, Sophos said. Sixty percent of respondents said Facebook is the biggest security risk, with MySpace a distant second at 18 percent. This has little to do with the relative security measures of the sites and everything to do with size, Cluley said.
"We shouldn't forget that Facebook is by far the largest social network -- and you'll find more bad apples in the biggest orchard," explained Cluley. "The truth is that the security team at Facebook works hard to counter threats on their site -- it's just that policing 350 million users can't be an easy job for anyone."
Cluley did call for Facebook to make some changes, however. "There is no doubt that simple changes could make Facebook users safer. For instance, when Facebook rolled out its new recommended privacy settings late last year, it was a backward step, encouraging many users to share their information with everybody on the Internet."
These days, businesses cannot turn their backs on social networking, regardless of the risks, says Andrew Storms, director of security operations for nCircle. "A company cannot turn a blind eye to social-networking anymore," he said. "Companies that utilize social-networking sites or allow employees to do so personally need to both accept and combat the risk."
When it comes to social-networking sites, "the best word of advice right now for IT security teams is to embrace and educate," Storms said. "Simply put: Forego the yearly security education material on password strength and instead focus on real-life situations as applicable to social-networking and social-engineering attacks."
The existence of social networks makes "social engineering" -- the tactic of getting targets to open malware -- even more powerful. "These are the same types of attacks we've all known for some time, but now with a new dynamic," Storms said. "Simply because a message appears to come from a friend doesn't mean the recipient shouldn't question its validity. Think twice, ask questions, and don't be so quick to click."