Social Bookmarking and Malicious Websites 

May 30, 2007 03:00 AM

On Friday the top story on the social bookmarking site reddit.com linked to a website that downloaded malware onto visitors’ computers. Social bookmarking sites like Reddit and Digg link to stories ranked by the popularity of these stories with their users. The malware on the site appeared to be a variant of Trojan.ByteVerify that downloaded more malicious programs onto the users’ machines.

It is interesting to consider how effective a link on a social bookmarking site is at spreading malware. How many infections can be achieved by a story linked to a popular social bookmarking site that installs malware on the viewer’s computer? The number of infections a malicious website can cause is the number of people who view the website multiplied by the fraction of these viewers who are susceptible to this malware.

E-Consultancy claims that if a page gets to the popular listing on Digg, over twelve thousand users can be expected to view the page. Just as spam is used to socially engineer people into running malware, it would be naïve to think that malware authors will not attempt to socially engineer these websites in an attempt to drive users to malicious websites.

How could a malware author attempt to make their page popular? The first strategy is to create many accounts and to use each to upvote the story to make it popular. This problem of cliques upvoting stories has been seen on social bookmarking sites in the past, and can be at least partly remedied.

The second strategy is to create an attention-grabbing story and headline. The users of each site have characteristics that could be exploited in order to increase the popularity of a story. For example, the headline “Hey, cool, someone wrote an article about Digg!” was suggested as a prototypically-popular Digg story. If malware authors start using social engineering principles to deliberately drive users to malicious website pages, they could increase infection rates.

The second question is how likely each view is to lead to infection. The users of social bookmarking sites tend to be technologically aware. This means they are likely to have up-to-date patches and antivirus definitions on their systems, and also likely to use different operating systems and browsers. The heterogeneous nature of the computing platforms used by the readers of social bookmarking sites means that any threat that solely targets one browser and one operating system will not infect the majority of the site’s users.

How can those who run social bookmarking sites reduce the risk that they will be used to lead visitors to malicious websites? One possible answer is to use an automated system to check if any site links are used to download software onto a user’s machine. A number of operating systems and browsers would need to be used to test that a site is not downloading malware. This makes such automation difficult.

Any of the many technically-aware users that use these sites could quickly discover that a website is malicious. This crowd wisdom could result in malicious web pages being buried or reported before they become popular. In the recent Reddit case this crowd wisdom did not discover the malicious website until it had become the most popular on the site. Once the users of Reddit recognised the malicious site it was rapidly removed from the Reddit listings.
