Slashdot Mirror


Hackers Target MySpace and Facebook

Stony Stevenson writes "The security firm Fortify Software has warned against a series of attacks against Facebook and MySpace. Buffer overflows that enabled hackers to exploit the Aurigma ActiveX image uploading software used by social networking sites were at the heart of the assault. 'Criminal hackers now view social networking sites as their best target for attacks ... [partially because] such sites are designed to be usable by "unsophisticated" consumers, meaning that the barrier to entry for attacks is potentially lower as users are more likely to click on a link that leads to malware.'"

12 of 93 comments

  1. Internet Explorer based exploit by prajjwal · Score: 5, Insightful

    I assume this is an internet explorer based exploit? http://www.kb.cert.org/vuls/id/776931

    1. Re:Internet Explorer based exploit by palegray.net · Score: 5, Informative

      Well, according to this page it allows execution of arbitrary code on the victim's machine. Whatever the user's account permits them to do, the code could do, up to and including actions permissible by other unpatched vulnerabilities on the client machine.

    2. Re:Internet Explorer based exploit by palegray.net · Score: 5, Interesting

      The ActiveX control doesn't come with IE; it's hosted on the servers that provide the social networking service and loaded into your browser when you elect to upload an image to your profile. What I find really interesting is the date this vulnerability was first published: 02/04/2008 11:26:53 AM

  2. HEY! by Corpuscavernosa · Score: 5, Funny

    Check out this AWESOME site! They're giving away all these FREE ringtones!!! I don't even know how they do it!!!

    (received as a comment on my page this morning)

    --
    We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.

    1. Re:HEY! by Corpuscavernosa · Score: 5, Informative

      Noticing my offtopic mod, perhaps I didn't tailor my comment quite properly. There is rampant hacking of accounts for phishing and advertising purposes. One account will get hacked, then using that account, the hacker then sends out bulletins (mass emails to all friends) or comments saying to "click here" for numerous purposes, including hacking future sites to send out more ads. When clicking on these sent-out comments or bulletins, there will often be a phishing page where it looks like the user has logged out and needs to re-enter login and password info. Additionally, the unwitting 14-year-old gives out his/her cell phone number and unknowingly signs up for a ringtone plan that is charged to their cell phone bill, usually to the tune of $30/month.

      The hacks are pretty interesting as they are socially viral and not necessarily driven by software or the transmission of a virus.

      Maybe I need to RTFA, but this type of hacking has got to be the most prevalent type on Myspace.

      --
      We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.

  3. "Legitimate" businesses target young people too. by gnutoo · Score: 5, Insightful

    Cable, telco and banks and apparel vendors all have young people in their sights. Predatory lending credit cards, special internet "deals" with students and massive advertising budgets that should make the companies involved blush, are aimed at people ages 14 to 25.

    Why? because that's where the money is.

    Why do the thieves use ActiveX exploits? Because they can.

    Sheep, meet Mr. Slaughter. Mr. Slaughter .... gross!

  4. A Troll's Dream by Anonymous Coward · Score: 5, Funny

    Oh man, a slashbot troll's dream -- do I start ranting about myspace and their userbase or do I start ranting about activex?

    1. Re:A Troll's Dream by badboy_tw2002 · Score: 5, Funny

      Tie them into a rant about hacker != cracker and you've got a troll triple word score!

  5. Re:Just what kids on Myspace and Facebook need... by themushroom · Score: 5, Funny

    Is a goatse different than puckering, making a faux 'thoughtful' face with hand on chin, and making a gang-style hand sign that means nothing a dozen times into the webcam with poor lighting in the photo gallery?

    I can't really tell the difference.

  6. Re:That... by palegray.net · Score: 5, Interesting

    Given the fact that it's a client-side issue, it's far more likely the attackers are looking to achieve two goals with this sort of exploit:

    1. Turn the client computer into a zombie, which participates in the attacker's efforts to spew out spam and scan networks for machines vulnerable to other exploits.

    2. Scan the user's local machine and any network shares for "interesting" data that might be used to compromise financial institution accounts.

    3. Capture login information on the local machine and relay it to the attacker.

    The contents of the user's MySpace or Facebook profile information probably ranks rather low on the list of useful information.

  7. Re:Just what kids on Myspace and Facebook need... by Brian+Gordon · Score: 5, Funny

    I've had seven different passwords and they've got them all so far.

  8. Re:In other words.. by palegray.net · Score: 5, Informative

    In other words, social networking website users are more prone to social engineering attacks. While your comment may be a nifty play on words, if you're going to use the term "social engineering," you really ought to use it in the right context. This is a system vulnerability attack, not to be confused with social engineering attacks. Somewhere Kevin Mitnick is frowning.