Though the wildly popular social networking site MySpace.com typically has no place in most enterprises, it's becoming a security issue when employees access their accounts on the job.
Not only does such activity impede productivity, but some users are also being lured to fake MySpace sites that capture keystrokes -- including the same logins and passwords used to access corporate networks and sensitive databases.
"The problem with MySpace is it's grown to be a tremendous pop cultural icon in the last two years," explained Hiep Dang, director of threat research and engineering for Orlando-based antispyware vendor Aluria Software Inc., which is now part of Internet service provider Earthlink Inc. He said MySpace represents a great new use of Internet technology, "but when people with malicious intent come in and try to exploit it, that's when you have an issue."
MySpace currently claims 63 million users, making it the second most visited domain behind Yahoo. But any social networking site, such as Friendster or the college-oriented Facebook.com, can cause damage if misused at work or from a home computer with access to a corporate network. Dang said profiles can be easily spoofed, leading to identity theft. Users also may intentionally or unintentionally divulge confidential company information accessed by others within their virtual circle. And then there are the hyperlinks that unleash viruses, worms and Trojan horses.
In addition, there are now phishing attacks from people posting links to false sites set up by online criminals using MySpace as the conduit. One Aluria researcher last month found Macromedia Flash movie files in circulation that led to a fake MySpace page asking for login information.
"So the bad guys now have anyone's username and passwords to log in to their profiles and see their e-mails and blogs," Dang said.
The more serious danger for companies, however, comes from how often that same login information is used. "What's common practice with most users is [to reuse] whatever passwords they use for one account for others as well -- such as banking, e-mail and IM accounts."
Some signs that a machine's been infected by malicious code should sound familiar by now: strange shortcuts show up on the desktop; the homepage is hijacked; pop-ups proliferate; and if nothing's done, the user eventually encounters the "Blue Screen of Death."
To mitigate the risks associated with this new attack vector, companies should be sure to include the use of social networking sites in an Internet acceptable use policy and use content filtering to block prohibited sites, Dang advised. Enterprises also should install antispyware and antivirus software that's updated regularly and check firewalls for proper configuration.
Dang noted that spyware is coming bundled in a wider variety of sites now, including song lyrics sites and even homework help Web sites aimed at schoolchildren.
"Any site where they have to have traffic to make money from ad revenue is susceptible to propagating spyware," he warned.
Aluria recently teamed with the U.S. Secret Service, local law enforcement and the University of Central Florida to examine security issues as related to social networking sites. It has created an outreach program called Digital Knights to educate parents, teachers and children on how to safely navigate the Internet.