COX Newspapers Washington Bureau

False 'Friends' Prey On Social Networking Sites


Cox News Service
Sunday, February 25, 2007

The spam sent to millions of MySpace users late last year resembled the multitude of other bothersome, unsolicited e-mails that flood the Internet each day.

By just visiting a Web site, recipients were told, they could get free Lacoste polo shirts, cool Sidekick phones and hip cell-phone ring tones.

Yet for the MySpace users, the e-mails came with an unusual air of legitimacy. They came from their own MySpace friends — or so they thought.

Instead, MySpace now alleges in a lawsuit, they originated from a well-known spammer who systematically hijacked users' e-mail addresses and used them to contact everybody on the users' "friends" lists.

In a statement, self-proclaimed "Spam King" Scott Richter and his Atlanta-based attorney, Pete Wellborn, say he did nothing illegal. Wellborn, who made a name for himself going after spammers on behalf of Internet companies, not defending them, did not return phone calls seeking further comment.

Wrong or not, the MySpace case illustrates a growing problem.

Social networking sites are the modern-day meet-up spots, attracting millions of teens and a growing number of adults who want to make online friends in a virtual world.

They're also increasingly attracting spammers, hackers and other Internet bad guys who see the unique "friend networks" and the reams of personal information users post there as potential gold mines.

"We are looking at the very early stages of these kinds of exploits," said Mark Sunner, chief security analyst at Internet security company MessageLabs Inc. "But they're (going to) become more commonplace."

Spam is just the start.

"Phishers" — cyberspace con men who try to dupe users into giving up credit card numbers and other sensitive information — are increasingly trolling social networking sites to create highly targeted scams that seem legitimate.

Often, they don't have to try very hard.

"These Web sites are just bottomless pits of useful information" for phishers, identity thieves and others, said Chris Boyd, security research manager at FaceTime Communications, an Internet security firm. Raiding them, he said, is the equivalent of "Dumpster diving."

Scammers often set up fake profiles on MySpace, Friendster, Facebook and similar sites and then go about inviting people to become their Internet "friends."

In doing so, they can glean personal information about their potential targets — like their ZIP codes, age or gender — that can be used to fashion legitimate-sounding spam or phishing attacks.

Even more easily, scammers can buy lists of thousands of social networking site users on hacker-oriented Web sites. The names are typically gleaned with so-called "scraping" programs that can quickly harvest the e-mail addresses of thousands of users and then break them down by gender, age or other categories.

At the Web site dnlodge.com, for instance, a poster named "Susa" recently advertised a "myspace phish list" of more than 5,000 accounts for $55. "Great for advertising!" the posting touted.

Another user named "coffeehunk" offered a list of hundreds of MySpace users — "all girls" — for $100. A list already narrowed down by gender could quickly be used for spam or phishing attacks specifically targeting women.

Targeted spam and phishing attacks can be extremely effective.

In a 2005 Indiana University study, researchers sent e-mails to unsuspecting students asking them to visit a Web site and enter their names and university ID numbers — information that in the hands of an identity thief could have been used to do all sorts of harm.

Some of the e-mails came from people that recipients thought were their friends; others got e-mails from strangers.

Only about 16 percent of those students who got e-mails from strangers fell for the scam. But 72 percent of those who got e-mails from people whom they listed as "friends" on social networking sites were duped into giving up their information.

"We expected a high success rate ... but frankly we didn't expect anything as huge as 72 percent," said Filippo Menczer, a computer science professor who helped oversee the study.

"It was like fishing with dynamite in a barrel."

MySpace is by far the online world's biggest social networking site. As a result, it also is the most popular target for online bad guys.

"If I wanted to phish people on MySpace right now, I could have a database with 100,000 to 200,000 accounts within a couple of days — easy," said Loren Williams, a professed former "script-kiddie" hacker in New Orleans who now is an Internet entrepreneur.

A frequent critic of MySpace security, Williams called spam and phishing problems on MySpace and other social networking sites "insanely huge."

MySpace chief security officer Hemanshu Nigam acknowledges that problems are growing in the virtual world he oversees.

Because of MySpace's incredible growth in recent years — its membership has soared from about 10 million registered users a few years ago to more than 157 million users today — such problems are inevitable, he said.

"What happens in the virtual world ... is very (similar) to what happens in the physical world," Nigam said. "Whenever you have a city, country, state or any location ... where a lot of people congregate, at some point you're going to have a bad element that shows up and tries to do bad things."

Nigam said MySpace is taking steps to make things better. It started with his hiring in May 2006 as the first full-time Internet security officer for MySpace and other sites operated by its parent company, News Corp.'s Fox Interactive Media.

MySpace now is trying to hire attorneys and additional security experts to make improvements, Nigam said.

The site also recently made several technology changes, including limiting the number of "friend requests" a member can send at one time, instituting a more secure e-mail verification process, and notifying users when it appears their accounts have been phished.

And, Nigam said, MySpace will continue to sue suspected spammers and phishers who violate the site's policies.

Still, just as everything from lawsuits to legislation has done little to stem the flood of spam, viruses and other maladies on the general Internet, the social networking sites face an uphill battle to keep out bad guys and protect users.

Users must be careful to limit the information they post about themselves and whom they let access it, and be careful about how they respond to online solicitations of any type, security experts say.

"There's really only so much these Web sites can do," said Indiana University's Menczer. "Ultimately a lot of the responsibility is with the users."