Thursday, July 22, 2010

Malware Delivered Through Social Media

Facebook malware ultimately involves the interaction of a downloaded Facebook page with applications that can then transform a personal computer into a conduit for malicious code.

Once Facebook malware has been accepted, whether by a click or by passing automatically, it can steal personal information, monitor activity or spread the infection.

For example, a fake notification will claim that somebody has “posted something on your pages” or “tagged a private video”. The icon next to the notification uses the standard notification windows, which prompts instinctive acceptance.

There are several fake messages on Facebook that can be exploited. Similar tricks apply to dozens of social messages that are flooding mailboxes. Subversive text is placed directly or inserted as spam. It is always made to look plausible.

The list of malware that can be triggered by social media is growing at a fast rate. According to the April 20, 2010 Symantec report (http://www.symantec.com/about/news/release/article.jsp?prid=20100419_02) there were 240 million new malicious programs against which DoD must protect seven million computers. These programs show a rising sophistication in how malware is hidden. Cybercrime attack toolkits are now available to speed the introduction of “zero day” attacks that flood the defenses and make most anti-virus countermeasures ineffective (http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits). The Zeus malware generation software can be purchased anonymously for $700.

The greatest threat to the Department of Defense from social media originates from various forms of “phishing”. According to an RSA report of January 20, 2010 (http://www.rsa.com/press_release.aspx?id=10671), three in ten participants in social networking are easy prey to such compromise.

SUMMARY
There is not much that DoD can do to prevent “phishing” or social engineering via social media. The only available defense is tracking potentially compromising outgoing responses from DoD personnel.

DoD cannot depend on BlogSpot, Digg, Epernicus, Exploroo, Gossipreport, Facebook, Flickr, Metacafe, Myspace, LinkedIn, Orkut, Technorati, Twitter and YouTube providers to install acceptable safeguards. In view of DoD’s endorsement of social media, it will have to trust its people but must also take reasonable measures to verify that a leak of intelligence information is not taking place.

For comments please e-mail paul@strassmann.com