News aggregator services have become increasingly popular in the Web 2.0 world; whether you prefer Reddit, Digg, or another service, chances are you've heard of them. Malware authors inevitably follow popular trends and find ways to exploit them. Now that even the most advanced CAPTCHA systems have been cracked, or are simply solved by hand by large networks of low-paid human solvers based out of China or India, commercial malware operations are testing the waters of community-vetted news aggregators.

Sean-Paul Correll of PandaLabs Security has documented several instances in which users submitted bogus "stories" that led directly or indirectly to malware-infested websites; the exact attack vector varies with the attacker's preferences, or possibly with the technical limitations of the malware being distributed. In some cases, malware authors simply post comments with malicious links on legitimate stories, while in others the submitted stories themselves point directly at infected sites.

The quality of these various hooks varies considerably. Correll points to some linked articles and submissions that make no sense whatsoever (pick an actress, a sexual act, and a farm animal and you get the idea), while others are well crafted and may even have been written by hand. Once the user clicks one of the offending links, we're treated to the usual song and dance: fake codec installers, rogue antivirus such as "MS Antispyware 2009" (new updated version), and other suspicious downloads. As far as the attacks themselves go, there doesn't seem to be anything new here; as is so often the case, the new bit is the attacker's delivery channel rather than the means by which illicit software ends up on the system.

Digg representative Jen Burton told InternetNews that the website is committed to removing users who abuse the system. "While we don't comment on specific accounts in order to protect the privacy of our community, malware accounts reported to us by the community are terminated immediately and all content is removed," Burton said. "To date, we have terminated more than 300 accounts for malware."

It's good to see Digg being proactive, but given the size of the website, 300 accounts is an infinitesimal number. For the moment, that may be because the attack method itself has yet to become popular, but should that change, 300 accounts could reasonably represent the number of deletions Digg would need to make in a single day. Digg, meanwhile, may not be able to automate the flag-and-remove process all that easily, at least not without disrupting its user-submitted content model, since the same community voting that surfaces good stories is what an attacker is trying to game.

So long as such links remain unpopular and never reach the website's front page, the risk is relatively small. The consequences of a link to an infected site going popular and staying on the front page for any length of time, on the other hand, could be downright ugly, because account termination after the fact does nothing for the users who already clicked through. Obviously Digg doesn't want to precipitate any sort of event that would cause its users to lose faith in the site; for now, a set of human eyes may be the best way to monitor the problem.