I’m sitting here on a lazy Sunday afternoon contemplating this question. Hi, my name’s Mike and I’m a security geek. =)
Yes, Myspace is evil when my wife blows a whole week by designing some really cool pictures just so she can put them on MySpace, so I have a little bit of bias (I mean, my $deity, how many times does your profile name need to be changed per day). =)
But it’s interesting if you go poke around on $favorite_search_engine for something like “myspace spam spyware connection”, you start to find some interesting articles.
- Security Protocols just linked to an expose on Myspace and its origins in spammers and spyware pushers. (This is what originally got me started down this tangent)
- Then there’s this article, it’s the text of the YouTube Videos plus a little bit more.
- Myspace Censorship Continues hmmm, seeing a trend here.
- And then, Combing the Shadows of MySpace and Part 2: Deeper into the Shadows of MySpace.
Looking around, it should be a little bit of an eye-opener if you’re naive and living in the backwoods of Idaho. I’m willing to bet that at the heart of most social networking sites there is a little PII-gathering daemon that threatens to share our innermost secrets for $5 per thousand. I’m pretty sure that my old boss in startup land had a history of playing with Herbalife, pr0n, and spam^wopt-out marketing, and we were building shopping cart software. Makes me cringe to think that the endgame was selling information, only they didn’t tell me about it. =)
But then again, I don’t think we’ve figured out yet what to do with the massive amounts of data aggregation that Google does on the average web user.
But anyway, I’ve been thinking about a social networking attack over the past couple of years that works like this:
- Build social networking site (let’s call it MikeSpace for the purpose of simplicity, shall we?)
- Harvest email addresses and names from MikeSpace registrations
- Sell email addresses and names
- Make a seed file using MikeSpace account names and passwords
- Probe email accounts using the seed file
- Auto-forward email accounts to your Big Data Hoover (TM)
- Spider other social networking sites using the seed file
- Point the Big Data Hoover at the accounts you’ve compromised
- Aggressively pursue password recovery on other sites using captured email accounts
- Data warehousing and some Bayesian analysis to determine each user’s preferences
- Sell the aggregated information on people for mucho dinero
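The linchpin of steps 4 and 5 is password reuse: the seed file is only worth anything because a good fraction of people sign up for MikeSpace with the same password they use for their mailbox. The following is an added illustration, not code from the original post, of what those two steps look like stripped to their mechanics. Everything in it is constructed: the MikeSpace registration rows, the stand-in mail provider (a salted PBKDF2 credential store that only answers yes or no to a login attempt), and the `probe` loop that replays the seed file against it. No real service is touched.

```python
import hashlib
import os
import secrets

# Constructed MikeSpace registration table. A careless or malicious operator
# keeps the password column in the clear; that is what makes a seed file
# possible at all. These accounts are made up for the example.
MIKESPACE_REGISTRATIONS = [
    {"name": "Alice Example", "email": "alice@example.com", "password": "hunter2"},
    {"name": "Bob Example",   "email": "bob@example.com",   "password": "correct horse"},
    {"name": "Carol Example", "email": "carol@example.com", "password": "Tr0ub4dor&3"},
]


def build_seed_file(registrations):
    """Step 4: the seed file is nothing more than (email, password) pairs
    lifted straight out of the registration table."""
    return [(row["email"], row["password"]) for row in registrations]


def pbkdf2(password, salt):
    # Slow, salted hash; 100k iterations is a reasonable floor for PBKDF2-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HashedCredentialStore:
    """Stand-in for the mail provider being probed. It stores only a per-user
    salt and PBKDF2 digest, so even its own operator cannot read passwords;
    the only thing it exposes is a yes/no answer to a login attempt."""

    def __init__(self):
        self._rows = {}

    def register(self, email, password):
        salt = os.urandom(16)
        self._rows[email] = (salt, pbkdf2(password, salt))

    def verify(self, email, password):
        row = self._rows.get(email)
        if row is None:
            return False
        salt, digest = row
        # Constant-time comparison so the check itself leaks nothing.
        return secrets.compare_digest(digest, pbkdf2(password, salt))


def constructed_mail_provider():
    """Constructed target: Alice and Bob reused their MikeSpace password for
    their mailbox, Carol did not."""
    store = HashedCredentialStore()
    store.register("alice@example.com", "hunter2")
    store.register("bob@example.com", "correct horse")
    store.register("carol@example.com", "a different password")
    return store


def probe(seed, target):
    """Step 5: replay every seed credential against the target's login check
    and keep the ones that succeed. Returns the compromised emails in order."""
    return [email for email, password in seed if target.verify(email, password)]


def reuse_rate(seed, target):
    """Fraction of seed entries that opened a mailbox; this number is the
    whole business case for the attack."""
    return len(probe(seed, target)) / len(seed)


if __name__ == "__main__":
    seed = build_seed_file(MIKESPACE_REGISTRATIONS)
    target = constructed_mail_provider()
    print("compromised:", probe(seed, target))
    print("reuse rate: %.0f%%" % (100 * reuse_rate(seed, target)))
```

Two things worth noticing. The target hashes properly and it does not help: the attack never needs the target's password database, only its login endpoint and a victim who reused a password. And hashing on the MikeSpace side would not stop a malicious operator either, because the operator sees the plaintext at registration and at every login before it is hashed; salted hashes protect users of an honest site from a breach, not users of a dishonest one. The only defences that actually bite on this step are unique passwords per site and a second factor on the mailbox, which also blunts step 9 since password recovery usually flows through that mailbox.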
About now, all of you are checking the Interweb to see if I’m behind any social networking sites. Rest assured, I’m not, but the scary thing is that when I’m stepping through this process, I can visualize the database backend and the core code for each step of the ‘sploit.
Nor is this a new idea. My friend Lempi always wanted to create her own cult along the same lines, but she was beaten to the punch by some people who will not be named because they actively sue. =)