Seventy percent more companies reported spam and malicious infections arriving via social networks in 2009 than in 2008. By the end of last year, 72% of companies said they were concerned that their employees' use of popular social sites could result in a security breach, and 60% of companies now consider Facebook the riskiest social network.

Those findings, released Monday, come from a survey of 500 companies worldwide conducted by security firm Sophos. They help quantify the rising tide of spam and malicious infections proliferating on Facebook, Twitter, MySpace, Bebo and other such social networks.

As the planet's largest social network, Facebook might naturally be expected to emerge as the No. 1 target of cybercriminals, says Graham Cluley, a senior analyst at Sophos. But he says Facebook has exacerbated matters by asking its members to embrace a new, more granular privacy setting. Cluley demonstrates in a video how the new setting, in effect, authorizes Facebook to expose more of its member-generated content to everyone on the Internet.

Facebook's new privacy setting gives the company leeway to submit more content to Google, Microsoft Bing and Yahoo Search so the search services can incorporate more Facebook content into real-time search results, much as they've begun doing with Twitter microblog postings, says Cluley.

However, the wider release of Facebook members' data "inevitably means more information will be made available to cybercriminals who want to target you or your company for an attack," says Cluley.

Facebook continues to defend its new privacy setting as flexible and easy to change. But privacy advocates continue to criticize the move. And last week the Office of the Privacy Commissioner of Canada launched an investigation into a citizen's complaint about the new settings.

Meanwhile, Sophos' new survey includes extensive analysis about how Facebook, Twitter and other social networks have become like a candy store for data thieves. The fast-morphing Koobface social network worm is a case in point:

Most notably, the notorious Koobface worm family became more diverse and sophisticated in 2009. The sophistication of Koobface is such that it is capable of registering a Facebook account, activating the account by confirming an email sent to a Gmail address, befriending random strangers on the site, joining random Facebook groups, and posting messages on the walls of Facebook friends (often claiming to link to sexy videos laced with malware). Furthermore, it includes code to avoid drawing attention to itself by restricting how many new Facebook friends it makes each day. Koobface's attack vectors broadened, targeting a wide range of sites other than the one that gave it its name (i.e., Facebook). Social networking sites, including MySpace and Bebo, were added to the worm's arsenal in 2008; Tagged and Friendster joined the roster in early 2009; and most recently the code was extended to include Twitter in a growing battery of attacks. It is likely we will see more malware following in the footsteps of Koobface, creating Web 2.0 botnets with the intention of stealing data, displaying fake anti-virus alerts and generating income for hacking gangs.
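The behaviours Sophos lists above are themselves detectable: an account that is registered, confirmed and immediately starts joining groups, posting link-bearing wall messages and sending friend requests throttled to a fixed daily number. The following Python is an added example, not Sophos code and not any social network's actual abuse detection; it scores a constructed activity log for that pattern. The log line format, the action names and every threshold are assumptions made for the example.

```python
"""Heuristic detection of Koobface-style account automation (added example).
Not Sophos code and not a real network's abuse detection: the log format,
action names and thresholds below are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed log line format: "<ISO timestamp> <account> <action> [detail ...]"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
URL_RE = re.compile(r"https?://\S+")

def parse_events(text):
    """Return (timestamp, account, action, detail) tuples; skip malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, account, action, detail = m.groups()
            events.append((datetime.fromisoformat(ts), account, action, detail or ""))
    return events

def profile_accounts(events):
    """Aggregate per-account signals that the worm description points at."""
    profiles = {}
    for ts, account, action, detail in events:
        p = profiles.setdefault(account, {
            "first_seen": ts, "friend_req_by_day": defaultdict(int),
            "group_joins": 0, "wall_posts": 0, "link_posts": 0})
        p["first_seen"] = min(p["first_seen"], ts)
        if action == "friend_request":
            p["friend_req_by_day"][ts.date()] += 1
        elif action == "join_group":
            p["group_joins"] += 1
        elif action == "wall_post":
            p["wall_posts"] += 1
            if URL_RE.search(detail):
                p["link_posts"] += 1
    return profiles

def score_account(p, now, max_age_days=30, min_active_days=3,
                  min_daily=10, max_cv=0.1, min_groups=5, link_ratio=0.8):
    """Return the signals an account trips (all thresholds are assumptions)."""
    reasons = []
    if now - p["first_seen"] <= timedelta(days=max_age_days):
        reasons.append("new_account")
    counts = list(p["friend_req_by_day"].values())
    # A worm that caps its own daily friend requests produces an unnaturally
    # flat daily series (low coefficient of variation); people are bursty.
    if (len(counts) >= min_active_days and min(counts) >= min_daily
            and pstdev(counts) / mean(counts) <= max_cv):
        reasons.append("flat_daily_friend_requests")
    if p["group_joins"] >= min_groups:
        reasons.append("bulk_group_joins")
    if p["wall_posts"] and p["link_posts"] / p["wall_posts"] >= link_ratio:
        reasons.append("link_heavy_wall_posts")
    return reasons

def detect(log_text):
    """Map flagged account -> reasons; needs the throttle signal plus one more."""
    events = parse_events(log_text)
    now = max(ts for ts, _, _, _ in events)
    flagged = {}
    for account, p in profile_accounts(events).items():
        reasons = score_account(p, now)
        if "flat_daily_friend_requests" in reasons and len(reasons) >= 2:
            flagged[account] = reasons
    return flagged

def build_sample_log():
    """Constructed activity log: one worm-driven account, one ordinary user."""
    lines, base = [], datetime(2009, 12, 1, 8, 0, 0)
    lines.append(f"{base.isoformat()} bot_7f register")
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} bot_7f confirm_email gmail.com")
    for day in range(5):  # exactly 20 friend requests every day, as a self-imposed cap
        d = base + timedelta(days=day)
        for i in range(20):
            lines.append(f"{(d + timedelta(minutes=30 * i)).isoformat()} bot_7f friend_request user_{day}_{i}")
        for g in range(2):
            lines.append(f"{(d + timedelta(hours=11, minutes=g)).isoformat()} bot_7f join_group group_{day}_{g}")
        lines.append(f"{(d + timedelta(hours=12)).isoformat()} bot_7f wall_post user_{day}_1 "
                     f"hot video http://example.invalid/v/{day}")
    old = base - timedelta(days=400)  # long-standing account, bursty, text-only posts
    lines.append(f"{old.isoformat()} alice register")
    for day, n in enumerate([0, 3, 0, 1, 7]):
        d = base + timedelta(days=day)
        for i in range(n):
            lines.append(f"{(d + timedelta(hours=18, minutes=i)).isoformat()} alice friend_request friend_{day}_{i}")
        lines.append(f"{(d + timedelta(hours=19)).isoformat()} alice wall_post bob happy birthday")
    return "\n".join(lines)

if __name__ == "__main__":
    for account, reasons in detect(build_sample_log()).items():
        print(account, reasons)
```

The point of the example is that the worm's own evasion, limiting how many friends it makes per day, is a signal: the daily counts come out identical day after day, whereas a person's friend requests cluster around real-life events. The signal is deliberately combined with at least one other (new account, bulk group joins, link-heavy wall posts) before an account is flagged, since a marketing account or a heavy user can trip any single rule. "Befriending random strangers" is not captured here because it needs mutual-friend data the constructed log does not carry, and the thresholds would have to be tuned against a real baseline before use.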

By Byron Acohido