Oct 23

In the week that Skype announced its big deal with MySpace, the world’s largest social network, it has been hit by a major Trojan virus, the second in just over a month.

Researchers at McAfee have found the Trojan PWS-Pykse, which advertises itself to users as “Skype Defender”. It works by tricking users into executing the malware.

The “Skype Defender” Trojan is classified as an infostealer, according to Skype Security. It appears as a plug-in confirmation window, saying “Skype-Defender(TM) Installed! Please login to your account to apply new plugins”.

If users click “OK”, it brings up what looks like the Skype login screen, although apparently the button design is slightly different.

If a user enters their name and password, they are informed that they have not been recognised, but the malware has collected them by that point, along with all their other usernames and passwords stored in Internet Explorer.

Skype has issued information about the problem: “To remove the malware, please update your anti-virus software. At this time, we have notified F-Secure, TrendMicro, Symantec, WebSense, and FaceTime Security Labs. For manual removal it is enough to delete the 65404-SkypeDefenderSetup.exe file.”

This is in stark contrast to the bold claims on Skype’s website, which states that “Skype is free of Adware, Spyware and Malware” and goes on to boast: “We will not display unwanted and intrusive advertising, or allow any malware or spyware to operate”.

Oct 23

A technology lawyer says that Facebook has paid a high price for making a basic Web 2.0 mistake that sites like MySpace, Flickr and YouTube avoid.

Investigators working for New York Attorney General Andrew Cuomo posed as young teenagers and set up profiles on Facebook. According to a statement from Cuomo’s office, “they received online sexual advances from adults within days and found widespread pornographic and obscene content.”

The investigators also accused Facebook of failing to respond, and at other times being slow to respond, to complaints lodged by investigators posing as parents of underage users, asking the site to take action against predators that had harassed their children.

Cuomo issued a subpoena to Facebook less than a month ago, demanding sight of certain documents. It was accompanied by a letter warning the company that “it could potentially face consumer fraud charges for failing to live up to its claims that youngsters on the website were safer from sexual predators than at most sites and that it promptly responds to concerns.” Facebook had also represented itself as a “trusted environment for people to interact safely,” according to Cuomo.

Facebook’s settlement of the complaint was announced at a press conference on Tuesday.

Under the terms of the settlement, Facebook agrees “to respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.” It must also report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been emailed to abuse@facebook.com.

Hyperlinks must be placed “throughout Facebook’s website” for accepting complaints about nudity or pornography, harassment or unwelcome contact. An Independent Safety and Security Examiner will be appointed to report on Facebook’s compliance.

Facebook must also provide “a prominent and easily accessible hyperlink” to allow a Facebook user or their parent to give feedback direct to the Examiner.

“I applaud Facebook for addressing my office’s concerns about the site’s representation that they provided a safe environment and an expeditious complaint review process,” said Cuomo. “I believe our agreement will provide additional confidence to young people and parents alike and give Facebook a competitive advantage in the marketplace for setting a new standard for safety.”

The Attorney General’s statement also quoted Facebook’s founder and CEO. “Privacy and safety have been a priority since we first built Facebook,” said Mark Zuckerberg. “Our agreement with Attorney General Cuomo will set new industry standards to stop abuse online.”

“We applaud the Attorney General’s leadership and are committed to working together to keep Facebook safe,” added Zuckerberg.

Struan Robertson, a technology lawyer with Pinsent Masons and editor of OUT-LAW.COM, said that Facebook’s failure to take some of these steps of its own volition was a surprise.

“Any site that relies on user-generated content, whether it’s a small blog or a social networking giant, needs a prominent complaint mechanism. That doesn’t just help users, it also helps to channel complaints in a way that makes them manageable. I’m amazed that Facebook didn’t have that already,” he said. “It’s even more important for a site that’s targeting children as well as adults.”

Facebook claims to have 47 million users. Its terms and conditions state that the site is “intended solely for users who are thirteen (13) years of age or older”. The company’s Chief Privacy Officer, Chris Kelly, told reporters this week that it believes 80% of users are over 18 but that it has no firm data.

“If Facebook had had obvious complaint systems like YouTube, Flickr and MySpace it might have avoided the Attorney General’s action. It’s now stuck with onerous demands to address complaints within 24 hours and to report on steps taken within 72 hours. Other sites will surely fear these time limits becoming the industry standard.”

In the UK, the general rule is that website operators must deal with complaints about unlawful third party material ‘expeditiously’. Robertson said that there is no case law that defines how fast that should be, though. “The only legislative reference we have to a specific time limit for the removal of online material is in the Terrorism Act,” he said. Where police officers order a site to remove material that encourages acts of terrorism, the operator must comply within two days, according to that legislation.

Oct 23

With an increase in the number of phishing-related Web sites popping up on the Internet, protecting personal and financial information is becoming more of a challenge.

The scam occurs when an e-mail is sent by a hacker pretending to be from a business or bank and instructs the reader to click on a link that leads to a counterfeit Web site of the business. Upon clicking that link, the reader is asked to provide sensitive information, such as account or Social Security numbers.

The scam continues to evolve and improve. One of the more recent developments is the inadvertent downloading of information-stealing “crime-ware” onto your computer once the link in the phishing e-mail has been clicked, according to the Anti-Phishing Working Group, which includes hundreds of banks, online retailers, technology companies and government agencies and works to spread the word against phishing.

Other recent phishing attempts have involved the Internal Revenue Service. In some of those scams, an e-mail was sent during tax season and instructed the reader to click on a link to receive a refund. The link sent readers to a Web site that looked identical to the IRS site, where they were instructed to provide their Social Security number and credit and bank account numbers.

A computer worm in 2006 took over pages on the social networking Web site MySpace. The worm altered links to direct surfers to sites that were designed to steal login information.

According to computer security company McAfee, the top brand that is exploited by phishing scams is PayPal, at 45 percent, followed by eBay at 27 percent. The most common phishing subject line, according to McAfee, is “Question from eBay Member regarding Item.”

While the number of phishing Web sites has increased, there is a silver lining to this scam: The United States is actually now second in the world in the number of phishing scams reported, slightly behind China — by 1 percent. In addition, the number of days phishing Web sites are up and illicitly collecting information has decreased from nearly a week in October 2004 to 3.6 days by July 2007, according to the Anti-Phishing Working Group.