More spam appearing on social networks

Phishing also is increasingly common, trying to con users into revealing information

Wherever you go on the Web, it seems the riffraff are not far behind.

Consider Facebook, the social network started four years ago for Harvard students that has blossomed into a popular hangout for 70 million users.

Over the last month, some Facebook members have received messages inviting them to download free ring tones or buy male enhancement drugs.

These messages appeared to come from trusted friends, but the links led in one case to an affiliate ad network, Incentaclick, and in other cases to one of several sites offering drugs to improve sexual performance. None of the sites could be contacted for this story.

Other phishing and adware schemes have been reported recently by the TechCrunch blog, Wired.com and several security vendors - Sophos, Fortinet and Cloudmark, which said it's been hired by a top social network that it can't name to improve security and block spam.

The goal of many of these schemes is to collect users' passwords so members' profiles can be used as launch sites for spam delivery and for hackers phishing for sensitive information.

Spammers who direct people to an ad network like Incentaclick get paid per click, said Derek Manky, a security researcher at Fortinet, and the drug sites are probably parts of automated "botnets" whose controllers can quickly redirect victims to new sites as older sites are detected and taken down.

People have become accustomed to getting spam in e-mail messages, but finding a message posted directly to your Facebook profile can be jarring, especially if your only contacts are people you know.

"People feel safer on Facebook because of the brand they've built up," said Corey Lewis, a Facebook member who works at the LaunchSquad, a public relations agency in San Francisco.

Attractive targets

He keeps his Facebook applications to a minimum to avoid security problems, he said, so when he received the same invitation last month from two friends asking him to download ring tones, he was startled. "I thought, 'They (Facebook) are not infallible,' " he said.

Social networks have become potentially lucrative targets for advertisers, marketers and cybercriminals, and Facebook - with its professional and increasingly older membership - is a prized trove of information.

"It's happening all across social media," said Jeremiah Owyang, an analyst at Forrester Research. "These networks will learn how to filter content based on your preferences, but no network is doing it well now."

Facebook said it is aware of the security problems and last week posted a blog entry warning people not to click on strange links or re-enter their Facebook passwords on Web sites. People who think they've been targets should reset their passwords, the blog said, as well as keep an eye out for spam on friends' walls and tell them to delete it.

Security has been better at Facebook than at MySpace, the social network owned by News Corp., said Saar Gur of Charles River Ventures, which invests in companies that develop Facebook applications. Anybody could join MySpace from its inception, but Facebook was created as a closed network, with membership open only to people who had e-mail addresses ending in .edu.

Eighteen months ago, however, Facebook threw its doors open to the public. Then last May, the site opened its software platform to outside developers. The market has exploded - there are more than 20,000 applications, Gur said, with 140 new ones added every day. Facebook members have installed applications more than 300 million times.

While the new software makes Facebook even more fun to use - members can throw virtual sheep at, "poke" or "vampire bite" their friends - it's also made Facebook more vulnerable to complaints about spam.

In the last few weeks, for instance, Facebook members have complained about receiving a lewd drawing of a nude woman on their Fun Walls accompanied by a message that said, "Click forward to see what happens." People who took that advice unwittingly sent the drawing to their friends and suffered the further embarrassment of having to ask their friends to remove it from their profiles.

Facebook doesn't make the Fun Wall - it's a product of Slide.com, one of Facebook's most popular developers - and Slide said the drawing isn't technically spam because it wasn't created by an outsider.

"It's coming from within the friend network," said Tammy Nam, Slide's communications director, and is somebody's idea of a joke. Slide has removed the drawing once, she said, but it's reappeared, not just on the Fun Wall but on other Slide applications.

She said Slide is working on giving users more control over their applications. In the meantime, she said, "When you get something that even looks spammy, just delete it."

Not everybody associated with Facebook thinks security is a problem. One young entrepreneur - Naval Ravikant, who founded Hit Forge, an angel fund for social media startups - said security is an issue created by the media.

Are reports overblown?

Most Facebook members know how to protect their passwords, he contended, and if your profile does get penetrated, what's the loss? "It's not like you're losing valuable information, like credit card numbers," he said.

But others said Facebook offers extremely valuable information - such as the social graph, the map of a member and all his friends - and is struggling to balance security and openness.

Bob Bickel, a co-founder of Ringside Networks, which builds a server that integrates social networks like Facebook with any Web site, predicts that users soon will be able to customize their security.

"They will figure out a system in the end that will look something like the security panel in a modern browser," he said. "You can choose low, medium or high or set 100 different dials."