http://www.digitaljournal.com/article/253293
Posted Apr 18, 2008 by Paul Wallis

Exclusive: It's 11 p.m., Do You Know How Vulnerable Your Social Network Is?


By Paul Wallis and Chris Hogg (Part 2 of 2)

As we reported in part 1 of this series, the Web is now home to an entirely new breed of spam taking shape through social networks. Companies like MySpace are doing a lot to try and quash the virtual disease, but they seem hesitant to actually talk to media officially about it (as we learned, anyway). When we handed over a series of questions important to Web wanderers everywhere, MySpace came back to us with a few sentences as a response rather than any meaningful dialogue. We also found internationally renowned antivirus firms who couldn’t handle basic questions about protecting people online (see our previous coverage here).

Our experience trying to get any sense out of Internet heavy hitters was anything but funny. If it hadn’t been for Symantec, we would have scored a pretty low average in terms of gathering opinions and anything resembling a fact.

Which raises the questions: Why do these guys avoid addressing each of our questions, and why the silence?

For those curious to know what exactly is so difficult about the questions we wanted answered from MySpace, here is what we sent them about the endless supply of sketchy Friend requests from 22-year-old American women:

• How does MySpace view incidents like this? Is it abuse, or a loophole in the Friend Request process?

• Realistically, what can be done by users to protect themselves, and MySpace to free the site of unwanted content?

• Is MySpace concerned about any potential similarity to the Russian wedding/dating agency scams?

• What are the risks for users in these contacts, and how do they avoid them?

It’s well known that MySpace does try to keep the site clean, and users are regularly deleted for misbehavior. The problem is that users have different levels of knowledge about what’s allowed and what isn’t.

• How does MySpace educate users and the community about safe net practices?

• How does MySpace view its community commitments in this area?

One of the nastier possibilities of online contacts is finding yourself getting in contact with organized crime.

• Is MySpace concerned about possible links between dating agencies, online scams, and criminal activities?

• What action is being taken to safeguard users?


The 50-word statement we got from MySpace was the answer to those questions. As a child could see, these aren’t really tough questions, just fair questions, reasonable in the context of the continuous daily background thunder of Internet crime reports. We just asked for MySpace’s views and barely got anything worth holding on to.

[Screenshot by DigitalJournal.com] A new type of spam has hit social networks like MySpace, coming in the form of friend requests. The person on the other end, whom you've never met, links to sex and pornography sites, and adding friends on MySpace helps them reach large numbers of people quickly.

Crime Syndicates and the Internet


So why all the fuss about spam when it's been around for years? Sure, it has, but the flurry of contacts we began to receive through MySpace began to raise questions about how the problem is growing through social networks. When this story began, both of us were wondering what MySpace was doing about unsolicited spam, but it later evolved into simple questions about who is behind the spam and why. The first thing that comes to mind is money, and where money goes, crime follows. The Internet is the world cash cow, generating a lot of new business. Huge amounts of corporate money are being ploughed into Internet media, services, and commerce.

Crime on the Internet is getting plenty of attention from governments around the world. IC3, the US government’s Internet Crime Complaint Center, is a joint effort of the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance, and acts as a coordinating body for investigating Internet crime. IC3’s Internet crime schemes page is a revealing look at the various categories of criminal activity.

The UK Home Office has a special page on Internet crime, which it put at £212 million for 2006.

To find out more about who is involved, and what’s being done on the Web we contacted law enforcement ourselves. An Australian Federal Police (AFP) spokesperson informed Wallis in an email statement that: “Internationally, the AFP is also involved in the Virtual Global Taskforce (VGT), which is made up of law enforcement agencies from around the world who work together to fight online child abuse. The VGT comprises the Australian Federal Police, the Australian High Tech Crime Centre, the Child Exploitation and Online Protection Centre in the UK, the Royal Canadian Mounted Police, the US Department of Homeland Security, Interpol and the Italian National Police.”

So Internet crime probably isn’t a secret, after all. Now we know. Organized crime on the Internet isn’t unknown, either. Online casinos, money laundering: there’s quite a range of well-known operations, as well as those you can see in the IC3 list.

Computerworld ran an article in 2004 which pretty much describes the rise of organized crime on the Net. It includes the tale of the famous MyDoom virus, and a comment from Symantec about how it operates.

From a purely journalistic point of view, may we assume that nobody but Symantec has the guts to have any opinions on this subject? It’d save us some time. God knows we don’t expect anyone to grow a spine, but it is a bit of a bore waiting for weeks or months for a “Problem? What problem?” reaction.

Let’s get metaphysical: what a surprise, Auntie Em, the operations described years ago are exactly like those now using up so much law enforcement time. Organized crime, as defined in 2004, is mysteriously acting much like organized crime in 2008.

Well, gosh. So what’s the mystery? Why is this a non-topic? There are billions of people online, with plenty to worry about. Nearly everybody who’s ever looked at a screen has seen something, or heard something. In the last six months, Wallis himself faced a situation of attempted money laundering, fake websites, job scams, and viral attacks.

Quantifying the threat of organized cyber crime


With cyber crime being a known issue for quite some time now, how has it changed since the advent and growth of social networks? We asked Symantec, who provided some startling answers.

“Cybercriminal networks have become highly organized and commercialized,” Michael Murphy, Vice-President and General Manager, Symantec (Canada) Corp., told us. “According to Symantec’s latest Internet Security Threat Report (ISTR), in the last six months of 2007, Symantec detected 499,811 new malicious code threats. This is a 136 per cent increase over the previous period when 212,101 new threats were detected and a 571 per cent increase over the second half of 2006.”

Big numbers, aren’t they? But wait, it gets better. Symantec says it found 711,912 new threats in 2007 compared to 125,243 threats in 2006 (an increase of 468 per cent). In total, Symantec has found 1,122,311 threats as of the end of 2007. This means that almost two thirds of all malicious code threats currently detected were created in 2007.

[Screenshot by DigitalJournal.com] A new type of spam has hit social networks like MySpace, coming in the form of friend requests. You get an email saying so-and-so wants to be added as your friend, but when you click through to find out who they are it leads to pornography sites and images like this one.


“While there may seem to be no immediate financial gain from stealing account information from a social networking site, attackers could use the compromised account to gather detailed information about the user and the user’s friends,” said Murphy. “Furthermore, many social networking sites allow their users to control the content of their associated site, which would allow an attacker that has compromised such a site to host seemingly legitimate links that point to malicious websites, to host malicious code, to spam users associated with the compromised account, and to even host phishing websites. Using a compromised social networking site account to host a phishing website that targets the social networking site itself will increase the chances of such an attack being successful.”
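The two patterns this page describes, the friend-request spam profiles shown in the screenshots (links off the site to adult domains, sent out in bulk from throwaway accounts) and the compromised-account phishing Murphy describes just above (an external host borrowing the site's own name), can be turned into a simple triage check on incoming requests. The following is an added example and not code from DigitalJournal, MySpace or Symantec; the SITE_DOMAIN constant, the field names, the weights, the thresholds and the three sample profiles are all assumptions constructed for illustration, and the example.* hosts are reserved names that never resolve.

```python
"""Heuristic triage of incoming friend requests.

Added example (not DigitalJournal's, MySpace's or Symantec's code). The
field names, weights, thresholds, site domain and sample profiles are all
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumption: the social network's own domain; links off it count as "external".
SITE_DOMAIN = "myspace.com"


@dataclass
class Profile:
    """Metadata a site could attach to the account behind a friend request."""
    name: str
    account_age_days: int
    requests_sent_24h: int
    links: List[str] = field(default_factory=list)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def on_site(host: str) -> bool:
    """True if the host is the site itself or one of its subdomains."""
    return host == SITE_DOMAIN or host.endswith("." + SITE_DOMAIN)


def lookalike(host: str) -> bool:
    """An external host carrying the site's name: the shape a phishing page
    hosted from a compromised account would take when targeting the site itself."""
    brand = SITE_DOMAIN.split(".")[0]
    return brand in host and not on_site(host)


def score(profile: Profile) -> Tuple[int, List[str]]:
    """Return (points, reasons). The weights are assumptions, not a published model."""
    points, reasons = 0, []
    external = [h for h in (host_of(u) for u in profile.links) if h and not on_site(h)]
    if external:
        points += len(external)
        reasons.append(f"{len(external)} link(s) off {SITE_DOMAIN}: {', '.join(external)}")
    fakes = [h for h in external if lookalike(h)]
    if fakes:
        points += 3 * len(fakes)
        reasons.append("lookalike host(s): " + ", ".join(fakes))
    if profile.account_age_days < 7:
        points += 2
        reasons.append("account less than a week old")
    if profile.requests_sent_24h > 50:
        points += 2
        reasons.append(f"{profile.requests_sent_24h} requests sent in 24h")
    return points, reasons


def triage(profiles: List[Profile], threshold: int = 3) -> Dict[str, str]:
    """Hold a request for review once its score reaches the threshold."""
    return {p.name: ("hold" if score(p)[0] >= threshold else "deliver") for p in profiles}


# Constructed sample profiles; example.* domains are reserved and never resolve.
SAMPLE_PROFILES = [
    Profile("genuine_friend", 900, 2, ["http://www.myspace.com/genuine_friend"]),
    Profile("spam_profile", 2, 400, ["http://cams.example.net/", "http://adult.example.org/x"]),
    Profile("phish_profile", 30, 10, ["http://myspace.login.example.com/"]),
]

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        pts, why = score(p)
        print(f"{p.name}: {triage([p])[p.name]} ({pts} points) {'; '.join(why)}")
```

The scoring is deliberately additive so that each held request carries a human-readable list of reasons; a reviewer can then see whether the hold came from bulk sending, from off-site links, or from a host that merely borrows the site's name, which is the case Murphy singles out as most likely to fool users.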

Indeed, this threat sounds serious enough to warrant more public education and social networks need to address their users in a more direct fashion than the “please check the spam part of our website for information.” Translation: We wrote a lot of fluffy boilerplate and put it up on a page nobody ever reads to cover our ass. Go there and be quiet.

Symantec gave us quite a bit of context with regards to organized cyber crime online and how and why targeting social networks can have real-world implications. Simply put, virtual-world fraud leverages underlying social context in the same way real-world fraud works.

Symantec provided the following examples:

• Material gains in virtual worlds can have real-world impact. There are often secondary markets where goods inside of virtual worlds can be bought and sold for real currency. Attackers go where the money is.

• Virtual currencies and goods are not regulated. Therefore, the legal implications for performing theft are murky. That’s good news for the attacker.

• Converting virtual currencies and goods can provide a money laundering mechanism. Because currencies and goods can be traded inside the virtual world and then subsequently sold into secondary markets for real money, it becomes difficult to trace a crime.

• Many people are willing to go to great lengths to acquire assets inside a virtual world, and might compromise their security in the process. For example, suppose that the virtual world takes the form of an online game. If a hacker posing as a player or game administrator offers you a tool that claims to improve your performance in the game, you might use that tool without thinking through the repercussions. The tool could really be a keystroke logger in disguise. Virtual worlds offer really interesting opportunities for attackers, and to the extent that attackers can use social context in these worlds, they will be that much more powerful.

Murphy said pornography is just one example of a social-engineering vector cybercriminals use to lure people to malicious websites and he recommends a healthy dose of skepticism before you ever click on an ad.

Are social networking sites protecting their users?


The Net has an image problem. That affects the market, as far as the big social sites are concerned. MySpace got hammered in the media for online sexual predators. Facebook gets its share of flak. YouTube is a regular piñata for various complaints about content.

So the big sites are naturally defensive. It’s not a great option as a media response, because it’s undermining their credibility, as the inevitable gaping holes in their security become more obvious to users and critics.

Social networking sites do in fact work to protect their users, but as Symantec points out they can and need to do better.

“It would be hard to comment on what [social networks] are specifically doing [to protect users], but these sites host third-party applications that increase users’ risks to infection,” says Symantec's Murphy.

[Second screenshot by DigitalJournal.com, same caption as above: another friend-request profile that leads to pornography sites when you click through.]


That could get a lot worse. What if something big comes along, a huge scam, using the same methods, but hitting millions of users?

What would be the response to something as catchy as a headline like: “Your kid is two clicks away from saying hello to organized crime”? The brief description of the big sites’ position under those circumstances is “Dead, and hung out to dry.” You could wind up with the biggest class action in history.

Social networking sites can’t pretend ignorance of something which is almost standard practice according to every law enforcement agency on the planet. Maybe this silence has a reason, maybe it’s denial, or another case of management science-based delusional practices.

What the silence represents is either (1) An inability to face facts, which is almost absurd, given that the methods are common knowledge, or (2) Active suppression of information, which is bordering on corporate suicide.

We did not, and do not, accuse any website or related entity of knowingly being party to any illegal act, or failing to act properly against any illegal activity. What we are accusing them of is sheer stupidity. The more publicity, the more heat put on illegal operations on the Net, the better. The more aware the public is, the more it can do to help.

This ain’t Kansas any more. The Tin Man of law enforcement, the Cowardly Lion of the Internet heavies, and the Straw Man of the global media need to work together if Dorothy Q Public’s butt isn’t going to get incinerated.

This article is the second in a two-part series. To see the first article in this series, including our report on how MySpace avoided questions and how Internet security firm McAfee could not answer questions about social networking spam, check out Part 1 here.