There’s no such thing as an innocent compliment. That’s the lesson behind Koobface, a new virus that is tearing around the two biggest social networks, Facebook and MySpace [NWS], posing as a flattering message from one of your online friends.
As far as viruses go, Koobface is a pretty standard piece of malware — once it insinuates itself into your computer, it can steal valuable information like credit card numbers, or highjack your Google [GOOG] or Yahoo [YHOO] searches and take them to doppelganger sites. There, you might be tempted to reveal personal information through a fake iteration of, say, Google Checkout.
Koobface’s special bit of guile is the convincing way it presents itself to users. Once it infects your computer, it sends messages to your Facebook or MySpace friends telling them, for instance, that they “look awesome” in a new movie or photo. Since most users trust messages from their social network friends, they’re more likely to open the message and infect their own machine. And since Web-based messages don’t feel as local as, say, an email on Microsoft [MSFT] Entourage or Apple [AAPL] Mail, users don’t think before clicking.
If you take the Koobface bait, your computer asks you to download something called “flash_player.exe,” which as you might gather, is not actually Adobe’s [ADBE] Flash Player. (It’s thought that the virus will not affect Mac users.)
In what comes off as a rehash of high school sex-ed, computer security experts are usually quick to point out that education is the most effectual measure against virus transmission. But, as with high schoolers, computer users still do stupid things despite all the education available, clicking on dubious links or downloading mysterious files even when they’ve been taught not to. At some point, it will be neccessary for computer and software manufacturers to bake in full-blown preventative software to supplant the expensive, clunky and confusing array of third-party solutions on the market.
According to a recent article in the New York Times, virus coders are becoming increasingly clever and destructive, while anti-virus software-makers are lagging behind. How much worse must the problem become before computer makers (OEMs) are pressed into action? How long before they buy out all the private antivirus software companies and get down to business in earnest?
Apparently, current levels of identity theft have created no market mechanism to prompt that scenario — and by some counts, as many as 10 million Americans suffer from some form of identity theft, though not all of it is electronic. We’re on the verge of an epidemic problem that will cost US companies and consumers hundreds of millions of dollars.
What about a legislative mandate, then? Could the government dictate the online security precautions that must be included in every PC or handheld, just as they dictate the inclusion of seatbelts and other safety equipment in cars, or the safety of food and drugs? Or perhaps they need to establish a governmental ratings agency like The National Highway Traffic Safety Administration that can inspire computer makers to work towards impenetrability?
The Government has gotten involved in cyber-policing before, but most of its efforts are concentrated in the prosecution and prevention of child pornography. While that’s a noble endeavor, it’s no more imperative than the regulation of computer security. Today, Internet users in the UK woke up to restricted access to Wikipedia; the UK government had blacklisted the site for hosting an image of an album cover that portrayed a relief of a young girl in the nude. Nevermind that Amazon [AMZN] also hosts this image, because it sells the album; UK officials put Wikipedia on a government blacklist for child pornographers, which most British ISPs use as a Rosetta stone for what to block. This is an incredibly stupid waste of power and resources.
I’m not advocating that any resources be drained away from the prosecution of other horrid online crimes. But it’s about time that there were regulations and incentives put in place that acknowledge the dire state of online security, and jolt OEMs into action — lest we all become suspicious of every Facebook compliments.