Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Target MySpace and Facebook

Posted by Zonk on from the facebooker-beware dept.

Stony Stevenson writes "The security firm Fortify Software has warned against a series of attacks against Facebook and MySpace. Buffer overflows that enabled hackers to exploit the Aurigma ActiveX image uploading software used by social networking sites were at the heart of the assault. 'Criminal hackers now view social networking sites as their best target for attacks ... [partially because] such sites are designed to be usable by "unsophisticated" consumers, meaning that the barrier to entry for attacks is potentially lower as users are more likely to click on a link that leads to malware.'"

5 of 93 comments (clear)

  1. Internet Explorer based exploit by prajjwal · · Score: 5, Insightful

    I assume this is an internet explorer based exploit? http://www.kb.cert.org/vuls/id/776931

  2. "Legitimate" businesses target young people too. by gnutoo · · Score: 5, Insightful

    Cable, telco and banks and apparel vendors all have young people in their sites. Predatory lending credit cards, special internet "deals" with students and massive advertising budgets that should make the companies involved blush, are aimed at people ages 14 to 25.

    Why? because that's where the money is.

    Why do the theives use ActiveX exploits? Because they can.

    Sheep, meet Mr. Slaughter. Mr. Slaughter .... gross!

  3. That... by MikeRT · · Score: 4, Insightful

    And with the way that people spew out personal information on Facebook and MySpace, they probably figure that if they get it just right, there's the potential to hit the motherload of information for identity theft.

    1. Re:That... by Orion+Blastar · · Score: 4, Insightful

      Read the article, it was the image uploading ActiveX control that got exploited. Chances are that people who uploaded images recently and ran Internet Explorer that used the ActiveX control might have gotten their password and personal information stolen. Those Windows users who use Firefox should know that Firefox does not support ActiveX controls unless the user installed an ActiveX Plugin that allows limited ActiveX controls to be used. If the user did not install the ActiveX Plugin, I seriously doubt they got hit with this exploit if they used Firefox.

      Linux, Macintosh, BSD Unix, and Non-Windows systems do not support ActiveX controls anyway so it is mostly Windows systems that are effected by the exploit, and only Windows users who use Internet Explorer and not those who use Firefox.

      I am guessing that a lot of 12 to 24 year olds that have their own credit card or their parent's credit card or bank account or somehow work an have their own bank account are the ones targeted by this, as people aged 12 to 24 are most likely to use Windows with Internet Explorer and not know about the exploits out there, and just surf and click on anything they want.

      A lot of family members and friends have children aged within that range who use their family's computer and after it gets so infected with malware that they cannot use it, they call me to come over and fix it for them. Nope, Linux, BSD Unix, or switching to a Mac is not an option for them, in some cases I switched them to Linux only to have them make me switch them back to Windows because certain web sites only work with Internet Explorer, or certain games they bought won't run under WINE or they have no idea how to configure WINE to run them for them. Dual-Booting just confuses them more, as does running Windows in a virtual machine. If they bought a Mac, a few weeks later they'd tell me to remove OSX off it and put Windows on it. So basically, they stick to Windows and Internet Explorer, even if I install Firefox for them. Also I install the Google Pack with StarOffice, but of course they want MS-Office instead because their friends and co-workers don't know how to open up ODT open text format documents, and they keep forgetting to "Save As" into MS-Word 97-2002 Format so their coworkers and friends can read their documents.

      --
      Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  4. Not just client-side ActiveX issues on Facebook by StuffedFrogYK · · Score: 4, Insightful

    May I mention that hacking Facebook takes no real effort? Simply manipulating a browser's client side input forms (using Firebug, maybe) allows one to post to any Superwall (Faceboo application) whether you are the person's friend or not. Anonymous attakers could put links posing as coming from people's friends on the people's Superwalls. Reasoning: If it comes from my friend, it must be good and safe. The click-rate becomes much higher, and an attacker has just used a form of social engineering to lead people to a malware site. Most applications are not built with security in mind. They just (fatally) assume that the end user would never do such a thing. Dream on, app developers!