Dec 19

TIS the season to receive Christmas cards and a growing number of them, conveniently, will come via the internet.

There’s only one problem: some of the emails promising an e-greeting from a friend or family member may instead be from a scam artist intent on obtaining your bank or credit card information.

Stu Elefant, senior product manager for anti-virus company McAfee, says the danger is that at this time of year people are more likely to click on these greetings in their email inbox. “There is more cybercrime because people’s defences are down. They are in a more trusting mood, thanks to the holidays, and they are looking online for bargains,” he says.

Increasingly clever cybercrooks realise more people than ever will shop online this year, as well as seeking to save postage – and time – by emailing Christmas cards.

Christmas sales in the US are up 23 per cent, to about $10.63 billion, compared with a year ago, says Gian Fulgoni of ComScore Networks, which tracks web activity. Those figures are from November 1 to 24.

Christmas cybershopping will steadily increase over the next few weeks. But as more people turn to the internet for at least some of their holiday purchases – or simply for comparison shopping – more crooks are tracking their movements.

The average loss per phishing scam grew from $328 in 2005 to $1590 in 2006, according to a November report from research firm Gartner. Losses stemming from such attacks reached more than $3.5 billion this year, Gartner found.

In Australia, a scam was uncovered in late October by Exploit Prevention Labs that was perpetrated through e-greeting cards. According to a TechNewsWorld story, accounts at nearly every Australian bank were affected when a major cybercrime group used fake Yahoo greeting cards to infect computers with malicious software that tracked keystrokes on PCs. This so-called keylogger software was used to steal credit card numbers, bank account usernames and passwords.

Numerous computer users have noted a marked increase in e-card-based spam email lately. The subject line typically reads, “You’ve received a greeting from a family member” or “You’ve received an animated postcard”.

The text inside these phishing email messages asks people to “click here” to see the card. Phishing scams are an attempt to trick people into revealing personal information. If they click on these links, they could unwittingly download software used to separate users from their hard-earned cash.

Elefant warns people to only open messages from people they know. If in doubt, he warns, don’t open it.

Crooks are exploiting what security professionals like to call “social engineering”, Elefant says. Because humans are social beings, they’re more likely to open an email they think is from a friend or family member than something unfamiliar. “Social engineering is more prevalent this time of year because people want to click on an internet greeting card or get a better deal at a store online,” he says.

People also are helping the crooks more than before. The growth of social networking sites like Facebook, MySpace and even YouTube is helping cybercriminals target computer users. A crook may send a message to a user and write, “Hey, I saw your video at YouTube about skateboarding. If you want a new skateboard, come check out the deals at my site.”

Another reason for the online crime wave, according to the Harris survey, is that few people adequately secure their computers. The survey found that 74 per cent of people do not install a hardware firewall and 53 per cent don’t use a software firewall. Only 22 per cent had installed a proper suite of security software.

Dec 07

MySpace has been hit by a worm that exploits the JavaScript code of the Apple QuickTime media player and lures users into a phishing scam. The worm causes users to click on faked links on a MySpace profile, which direct them to a phishing site that attempts to get users to enter their MySpace login details.

The worm not only replaces legitimate links on MySpace.com user profiles with links to the phishing site, but it also manages to root infected videos into the victims’ profiles. The worm has already infected hundreds of user profiles, which have now been pulled down by MySpace. Further, the worm is infecting MySpace profiles with such efficiency that an informal scan of 150 such profiles found that close to a third of these were infected.

MySpace has asked Apple to fix the JavaScript flaw in QuickTime. JavaScript code and its variants such as AJAX, which execute applications on client computers, are an increasingly important part of the Web 2.0 services revolution, but have been criticized by many security experts as a target for attackers to worm their way into unsuspecting target computers.

Dec 05

MySpace said it will develop technologies to help block convicted sex offenders.

MySpace is partnering with Sentinel Tech Holding Corp. to build a database containing names, physical descriptions and other identifiable details on sex offenders in the United States. The News Corp. site, however, stopped short of adopting Sentinel’s technology for verifying the ages and identities of its users.

The database, to be called Sentinel Safe, “will allow us to aggregate all publicly available sex offender databases into a real-time searchable form, making it easy to cross-reference and remove known registered sex offenders from the MySpace community,” Hemanshu Nigam, MySpace’s chief security officer, said in a statement.

Parents, school administrators and law-enforcement authorities have become increasingly worried that teens are finding trouble at social-networking sites, which provide tools for messaging, sharing photos and creating personal pages known as profiles.

The aim of such sites is for users to expand their circles of friends — and critics say those circles sometimes include predators, including those previously convicted of sexual crimes.

John Cardillo, Sentinel’s chief executive, said the database will give MySpace and other sites a tool to help keep out sex offenders.