But experts warn that victims of more sophisticated scams won't get off so easy. The same kind of hucksters who dreamed up e-mail scams featuring Nigerian dictators are now focused on cracking social networks to peddle products and engage in identity theft.
In more organized campaigns, scammers distribute free widgets that purport to help users decorate their profile pages but secretly use the log-in information to spam their friends, as happened to Maris. Other crooks surreptitiously install software that records keystrokes to steal financial data, or they use personal details gleaned from the profiles to make e-mail fraud attempts more credible.
One common technique on social networking sites involves sending messages that appear to come from an online buddy, inviting the recipient to check out a new profile page. The page then asks the recipient to log in.
It's a scam. Although the page looks as if it's on MySpace or Facebook, thieves have set it up to capture log-in names and passwords. The con artists can then try those names and passwords to gain access to e-mail accounts, financial accounts and other websites, because many people reuse the same password across sites.
For scammers, knowing the names of a target's friends can be a powerful tool. Last year researchers at Indiana University used simple tools to crawl through major networking sites and record the connections among Indiana students they found. They then sent e-mails that appeared to come from a friend also enrolled at the school.
About 72% of the recipients clicked on the e-mailed link and then entered their university user names and passwords at a fake site. In a control group where the e-mails came from strangers at the university, only 16% fell for it.
MySpace and other sites that rely on outside advertising networks also have been compromised by malicious banner ads that take advantage of security holes in users' Web browsers to install spyware. In addition, both MySpace and Facebook recently had security vulnerabilities in their systems for uploading photos. "Toolkits" for exploiting those vulnerabilities to forcibly install "malware" circulated rapidly in hacker communities.
Most attacks work only against people who lack updated firewalls, anti-virus systems and anti-spyware programs, but some can victimize anyone clicking the wrong link.