The rash of attacks on social networking sites is continuing, this time in the form of a cross-site scripting worm that is currently plaguing Reddit, the popular social bookmarking portal. The Reddit attack is interesting in that it requires a minimum of user interaction in order to spread.
The attack looks to be part of a spam campaign that was designed to submit a certain comment over and over again. Any user who copied a certain chunk of JavaScript code into the address bar of his browser would then find that he would automatically reply to all of the comments on a given page. A Reddit user then took this code and combined it with some other JavaScript code that had the effect of executing as soon as a user hovered his mouse over a specially designed link.
The result is the self-replicating worm that is causing serious issues on Reddit today. Many users have found themselves victimized by the attack, which, with its spam component, could damage users’ reputations on the service. Reddit, like many similar services, relies on user input to rate and recommend various pieces of content.
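The worm described above rides on markup that a comment renderer let through: a link carrying a mouse-event handler. The following is an added example, not Reddit's code and not the worm itself, of the server-side check that blocks that class of input: an allowlist sanitizer for comment HTML that drops event-handler attributes, unknown tags and script-scheme URLs. The tag, attribute and scheme lists are assumptions chosen for illustration.

```python
"""Allowlist sanitizer for user-submitted comment markup (illustrative, assumed policy)."""
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "code"}   # assumed policy
ALLOWED_ATTRS = {"a": {"href", "title"}}                       # assumed policy
SAFE_SCHEMES = {"http", "https", ""}                           # "" = relative URL


class CommentSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs decodes entities, so "&#106;avascript:" is seen as "javascript:"
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # what was rejected; worth logging to spot a campaign early

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:          # <script>, <img>, <iframe>, ... are gone
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # on* attributes (onmouseover, onclick, ...) are never legitimate in a comment
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href":
                # browsers ignore tab/newline inside a URL, so strip them before checking
                cleaned = "".join(ch for ch in (value or "") if ch not in "\t\r\n").strip()
                scheme = urlparse(cleaned).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    self.dropped.append(f"{tag}@href:{scheme}")
                    continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # text (including the body of a dropped <script>) is re-emitted as escaped text
        self.out.append(escape(data, quote=False))


def sanitize_comment(markup):
    """Return (safe_html, list_of_dropped_items) for one comment body."""
    parser = CommentSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped
```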
Reddit is just the latest of these sites to fall prey to such an attack. The notorious Koobface worm has plagued Facebook since last year, with new versions popping up regularly throughout this summer. And Twitter has become rife with spammers and criminals using multiple accounts to send out links to phishing sites and other malicious destinations. Twitter staff have begun identifying and disabling these accounts, but hundreds of new ones crop up each day, making it a difficult process.
The shift of attention by attackers to sites such as Reddit, Facebook and Twitter is a natural evolution of their simplistic, but effective, business model: go where the users (and money) are. Social networking sites rely on an implied level of trust among their users, who connect to people they may not even know offline and blithely share personal information which is then used by attackers to tailor messages and links to their interests.
Twitter has even attracted the attention of botmasters, who have started using it as a command and control mechanism. But the attacks themselves are not necessarily that innovative; it’s simply a new venue for old wares. And as long as large numbers of potential victims gather in one place, the attackers will follow.