Social networking breeds new wave of 'Trojan 2.0' attacks

The great Facebook boom of 2007 has been accompanied by a new generation of phishing and Trojan horse virus attacks, according to security experts.

In its review of the year, MessageLabs noted that websites such as Facebook, LinkedIn, and Plaxo presented rich pickings for identity thieves looking to gather personal information.

As the same company warned in November, scammers are now researching their targets and attempting to lure them to infected websites that will download invasive code to their personal computers. MessageLabs tracked several attacks on senior executives, including one aimed at 1,000 individuals in the finance sector during November 2007.

During the year, MessageLabs identified an average of 1,253 new websites per day that harbored malware, equating to nearly half a million new malicious sites. It also found that social networking tools were the third most common trigger of its web security filtering rules.

"The rapid adoption rate of social networking sites such as Facebook has inevitably been exploited by cyber criminals intent on adding the content in these sites to their portfolio of tools," warned MessageLabs chief security analyst Mark Sunner.

"As we have seen in the past, mass adoption of new communication or web-based tools is often followed by a rise in the number of threats against it, and the Facebook effect will present new challenges to corporate and personal online security."

Almost on cue, McAfee's Avert Labs reported a new angle of attack this week that masquerades as a friend request on MySpace. When a user clicks on the picture or name of their new potential friend, an image appears that looks like a legitimate Windows Automatic Update dialogue box. Clicking the image starts what purports to be a Microsoft update. What the file really contains is "a malware cocktail" containing downloaders, Trojans, and a remote administration tool, according to the Avert Labs blog. One way to guard against such attacks is to minimize your browser. If the dialogue box disappears, it is probably an impostor, McAfee advised.

As the MySpace Trojan indicates, malware attacks are becoming increasingly sophisticated. In Finjan's annual report, chief technology officer Yuval Ben-Itzhak warned of "Trojan 2.0" attacks that would exploit new web technologies such as social networks, blogs, RSS feeds, and so-called "mash-ups."

Hackers are getting paid according to the number of users they infect, so their main motivation is to develop attacks that go undetected for as long as possible. This development has spawned new techniques to evade signature-based and database-reliant security methods, he explained. For example, Finjan recently identified and named a Trojan virus, Random JS Toolkit, that changes every time it is accessed from an infected website, making it extremely difficult to block.

These Trojan 2.0 attacks represent a quantum leap for hackers in terms of technological sophistication, and pose a serious challenge to the IT community, Finjan said.

By John Stokdyk for our sister publication, AccountingWEB.co.uk
