Here I sit, the Winter Solstice past and New Year approaching, so when better to reflect on what’s been a remarkable year for online security? 2008 started badly in January, when it became apparent that more than a million people had been exposed to a malware scam called Secret Crush. This story is a warning of things to come, because those million people were users of Facebook. Social networks have always been a source of rich pickings for ordinary identity thieves, but Secret Crush extended that scope to directly stealing data. The whole scam played on the fact that Facebook applications – those tedious little “widgets” that offer to show who among your friends has the biggest “movie brain”, or allow you to add some obscure psychological barcode profile to your page – had become depressingly popular with users of the fastest growing social network on the planet. It was the security research team at Fortinet that first spotted the arrival of this particular exploit, and was first to reveal the extent to which it had infiltrated the system: it had gone straight onto the computers of some 3% of Facebook users, which is where that “million users” number came from at the time.

The Secret Crush application used Facebook notifications to suggest that some member of a network had a secret admirer, but actually what it did was spread the “Zango” worm as it became known. Once one person downloaded and installed the widget the infection spread like wildfire, since the only way to uncover your secret admirer was, you’ve guessed it, to download and install the application. Actually, it was worse than that because you also had to persuade five other people to install it before the truth would be revealed. Unfortunately, that truth turned out to be merely an invitation to download a second “crush calculator” application, which Fortinet discovered pointed at the home of an infamous adware application, Zango. The only secret admirers you ultimately ended up with were a never-ending stream of dodgy advertisers.
Botnets and scareware
February wasn’t a lot better – perhaps the most striking security-related news was the statistic that some 85% of all the spam in circulation was being distributed via no more than six botnets. Researchers from the Marshal TRACE team didn’t make this news any easier to swallow by revealing that the botnets that made up this busy half-dozen changed from month to month, making it harder still to track them down and stop them. One week the Mega-D botnet would carry 40% of the spam traffic, but the next week that would drop to 20% and Srizbi would take over the running. In fact, at the start of the year it was looking as though spammers really were immune to whatever we could throw at them, an erroneous impression that thankfully would get corrected as the year came to a close.
March brought further depressing news from the online security research trenches, this time courtesy of my friend Graham Cluley over at Sophos, who informed me that a South Korean scammer had been arrested and charged with distributing fake antivirus software. The reason this was such depressing news wasn’t the fact that this chap had been caught, but rather that his company had already distributed some 3.96 million copies of this bogus software. Even more sickening was the revelation that, goaded by the fake security alerts displayed by this rubbish product, 1.26 million people had coughed up something in the region of £5 million over the course of three years to register for a “full product” that purported to clean their computers of these non-existent threats.