MySpace Users Tempting Targets for Identity Theft

December 27, 2006

MySpace devotee Kary Rogers was expecting to see a gut-busting video when a friend from the popular online hangout messaged him a link.

First, though, he was directed to a page where he was supposed to re-enter his password. Rogers realized that someone was trying to steal his information, and he didn’t take the bait. At best, he would be spammed with junk e-mails; worse, the Web thief might steal his real-life identity.

“I immediately went back and changed my password,” said Rogers, 29, a network analyst for Mississippi State University in Starkville, Mississippi.

MySpace bills itself as a “place for friends.” Increasingly, it is also a place for unfriendly attacks from digital miscreants on the prowl, luring users to sexually explicit Web sites, clogging mailboxes with spam messages and playing on the trust users have when speaking to “friends” to obtain passwords that could lead to identity theft.

Managing the risks that come with rapid growth is an enormous challenge for MySpace, now part of Rupert Murdoch’s News Corp. media conglomerate. The site can’t afford to drive away users, who might defect to one of a growing number of alternative sites, or advertisers, who pay top dollar to reach the growing MySpace audience.

Last month, MySpace inched past Yahoo Inc. in U.S. page views, recording 38.7 billion, according to comScore Media Metrix.

A key reason behind the popularity is its ease. Simply by adding a few lines of computer code, users can create elaborate profiles and personalize them with photos, music and video. A host of communication tools makes it easy to send messages to one person or a whole list of friends, who number into the thousands for some of the more popular MySpace users.

Those same tools can be used by vandals to make it look like an innocent user has sent spam to the same long list of “friends.”

Programmers are writing scripts that take advantage of specific features on MySpace, including “friend request,” where one user asks to be added to another user’s list of buddies.

One recent scam works this way: A spammer posts a number of phony profiles featuring pictures of cute women, often promising nude photos. A “friend request” with the woman’s photo is sent to hundreds of users.

Once the fake profile loads, a blue screen descends, saying the profile is protected by the “MySpace Adult Content Viewer.” Unsuspecting users who try to download the viewer instead get a worm that installs adware on their computers.

Social-networking sites make good targets because of the implicit level of trust users have when they’re interacting with “friends.”

“The ongoing interaction lowers your reservations and security barriers,” said Marc Gaffan, an expert in online fraud and security at RSA, the security division of EMC Corp.

MySpace, which News Corp. bought last year for some $580 million (€440 million), has recognized the threat and is stepping up security efforts, said Hemanshu Nigam, its chief security officer.

The company is rapidly expanding its team of software engineers, lawyers and other experts who look for suspicious activity, educate users on how to prevent attacks and go after the worst offenders.

Under Nigam’s direction, the company recently formed a Content Assurance Team. Employees post fake profiles on the site, pretending to be vulnerable teens or clueless adults. The profiles are designed to keep tabs on everything from sexual predators to spammers.

MySpace also is preparing to launch a more aggressive education campaign, urging users to take care and use tools that restrict the viewing of their profiles to only trusted sources.

When all else fails, the company also files civil suits and is increasing cooperation with law enforcement officials.

“We’re trying to take away the ‘cool’ factor of trying to attack us,” Nigam said.

Nigam came to MySpace after stints as a federal prosecutor specializing in child pornography and computer crime cases. He also led security efforts at Microsoft Corp. and the Motion Picture Association of America.

MySpace hired him in May to strengthen security and safety efforts at the site and other Internet properties owned by Fox Interactive Media.

“Security is a top priority because it’s critical for our community of users and for our business partners,” Nigam said. “If advertisers feel uncomfortable being on a site that is seen as not as secure, not as safe, then we lose revenue.”

So far, no major damage has been done on the site, although some users, increasingly annoyed by the fake friends and messages, are seeking other social networking alternatives.

“I don’t have this problem on Facebook,” Rogers said, referring to another popular site.

The Internet has weathered several threats over the years, but as users move on, so do the attackers.

Writers of malicious software used to count primarily on e-mail recipients to click on attachments to spread their wares. As e-mail recipients got more savvy, the writers looked to automate the process by exploiting vulnerabilities in e-mail programs, browsers and the Windows operating system from Microsoft Corp.

As those security holes get closed, virus writers are looking elsewhere, including social-networking sites, attractive in part because of their size.

“It’s where the activity is and the attackers play the percentages,” said David Cole, director of security response at Symantec Corp. “They go after the largest market share where there is the most activity.”

___

On the Net:

MySpace safety tips:
http://www.myspace.com/Modules/Common/Pages/SafetyTips.aspx

AP-CS-12-25-06 1910EST