/v3-uk/news/1988140/spam-malware-rockets-social-networking-sites
02 Feb 2010, Phil Muncaster, V3
Nearly three-quarters of companies have been sent spam or malware via social networking sites, potentially putting corporate systems and sensitive information at risk, according to new research from security vendor Sophos.
The Sophos Security Threat Report 2010 (PDF) quizzed over 500 organisations, and found that the amount of spam and malware being sent through these burgeoning channels has shot up over the past year.
Nearly 60 per cent of respondents have been spammed via social networking sites, a rise of 71 per cent from last year, while 36 per cent have been sent malware via social networking sites, up 70 per cent from last year.
Sophos senior technology consultant Graham Cluley argued that, although the figures are a lot lower than email-borne spam and malware, the growth in the past 12 months is nonetheless worrying.
"People are scanning their emails and looking for spam and Trojans, but social networks are another route into the organisation," he said. "Users are more susceptible to clicking on links when they believe they've been sent by a friend on their network."
Cluley acknowledged that social networks are getting better at monitoring and preventing these threats, but believes that more proactive scanning technology needs to be implemented.
LinkedIn was singled out for particular criticism in the Sophos report, despite being rated 'most feared social network' by just four per cent of respondents.
LinkedIn is not a serious vector for the spread of spam and malware, unlike Facebook for example, but is being used by hackers to mine useful corporate information which could be used to launch targeted attacks, according to Sophos.
"You can effectively get the corporate directory of an organisation, and even who its newest recruits are," said Cluley. "I could forge an email claiming to come from HR and send it to those new recruits. There's a real danger there."
Cluley added that, given the risk of personal and corporate information being abused in this way, individuals should reappraise whether they are getting any real value from being on these sites.
Do you agree?
Hard Selling or Spam
Spamming is done by those who still choose to be ignorant about how the web works. If we recall, hard selling has never been a successful sales technique. Successful sales professionals have always relied on building rapport. So wake up, spammers!!
Posted by Robin Ong, 02 Feb 2010