Social Networking Can Attract Some Unwelcome “Friends”

By Gene Marks — from Symantec

David never considered himself a gossip. He wasn’t a big computer guy. And as the owner of a profitable business he barely had enough time to spend with his family. But still, he heard all about these social community websites and the need to do online social networking for business and got curious. He decided to check out what all the fuss was about.

The experience wound up almost shutting down his business for two full days. David’s paper supply company employs sixty people. The company was started by his grandfather back in 1922. It’s operated through depressions, recessions and a World War. But never has David’s company faced a bigger challenge than what happened after he started using Facebook.

By now, most of us are familiar with Facebook, MySpace, Linked-In, Twitter and the other popular social networking applications. They attract millions of users every day, posting photos and updates from their daily lives, making contact with friends and business associates, connecting with new people through groups and events.

After years of nudging from his friends and kids, David decided to take the plunge and start his own Facebook page. It was free, he thought, so why not? He created a simple site for himself and began searching and connecting to friends. After a while, other people from his past began finding him too. Before he knew it he had built up a list of more than fifty Facebook “friends”. He found people he once knew but had lost contact with. He checked out girls he used to date to see how mother nature’s treated them. He linked up with family members, including his teenage kids. He was having a good time.

And then something happened that almost shut down his business. While at work, David received a message from a Facebook friend. To reply he was asked to log into his account. This is a pretty typical process, but David thought this was kind of strange because he was already logged into his account. However, he shrugged, like most of us do when some quirky technology thing happens, and logged in again. The page he landed on looked different. And the “message” that he received from his friend wasn’t a message at all, but merely a generic statement. David knew something was strange. And then strange things started to happen. His computer began to act a little funny. Slower. Like something was going on in the background. After a while, it seemed that everything was back to normal. “I hope I didn’t mess anything up,” he thought to himself. But everything seemed OK again, so he shrugged off the experience and moved on to other work.

A few hours later, after business had closed, the chaos began. A virus found its way to his company’s server and started to corrupt files. And not just any old files. It specifically targeted documents, spreadsheets and pdfs. Worse, it also damaged any files it found with an .exe extension. At the same time, the virus spawned other viruses which searched the workstations of David’s employees and corrupted their files too. It searched out email addresses he had stored and started sending out unintended emails to every email address found on his computer.

David’s company routinely stores invoices, quotes, estimates and important analysis files on the infected server. The next morning, after the virus had done its work people started getting error messages when trying to open these files. And then when they tried to get into the company’s order entry and production system they were unable to load the program – the executables (exe’s) had been deleted.

It turns out the Facebook message David received wasn’t a real message. It was a fake one, called “phishing”, hijacked from one of his friends’ accounts. And David was right when he suspected something was fishy. Because when he logged on again, he wasn’t logging on to Facebook, but to another site that immediately downloaded malicious code to his computer. The code stayed dormant until that night. And then it did it’s evil work. It infected local files. And it spread. Even outside of the company because David did not have adequate security solutions in his company’s systems.

This attack doesn’t surprise people in the computer security industry. Recently an industry trade magazine reported on the results of a poll that revealed that “63 percent of system administrators worry that employees share too much personal information via their social-networking profiles, putting their corporate infrastructure — and the sensitive data stored on it — at risk. The findings also indicate that a quarter of businesses have been the victim of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

The article went on to warn that “Frequent use of social-networking sites makes them a prime target for cybercriminals intent on stealing identities, spreading malware, or bombarding users with spam.”

David shouldn’t be mad at Facebook. The blame is with him. He was the one who cut corners and didn’t have security software in place at his company. And he remembers when this decision was made. It was about a year ago, when he was buying that new server from his computer guy. Anti-Virus software was included in the package and he specifically asked to have it removed to save a few bucks and decided to use the free download software.

Now he’s spending thousands with his computer guy to get the mess cleaned up. He’s praying that his backup systems worked and that his files can be restored. He’s about to suffer significant data loss from the time his last backup was performed to the time of that day’s infection. He’s calling and apologizing for late shipments. He’s forced to hold off on accepting new orders until his systems have been restored.

Oh, and that little virus just kept on giving. Remember those emails it sent out? Many of those went to unwitting customers and vendors. So now poor David is writing letters and making phone calls to hundreds of customers to apologize to them for potentially infecting THEIR systems too. Not exactly the kind of service he was hoping to provide.

It could have been even worse. Some of the same “phishing” incidents that have been known to affect other Facebook and users of social community websites have resulted in the loss of credit card data and other personal information. David could have had his entire personal identity stolen too. Instead, he just lost two days of production in his business. There is similar “phishing” going on with Twitter, and probably with other social media communities.

Now David’s writing some checks. Not just to the computer guy, but also to purchase good security software. Software that will scan every incoming email AND every outgoing email too and block malicious emails. Software that will automatically check with the service provider for new viruses, worms and Trojans and protect against them. He’ll gladly fork over the annual fees for this service too. Good business owners make tons of mistakes. But his company didn’t stay in business for 85+ years by making the same mistakes twice. At least not very often.

David will survive this episode. His business will recover. And with medication, his blood pressure will be brought back under control. He learned his lesson from this experience. He’s not going to stop using social media sites. But he is going to now try to spend more time with his family then on Facebook. He’s now become more wary of the potential risks of these sites. And most importantly he learned that network security for business owner in this era of social networking websites just isn’t an option anymore.