Social networking sites like MySpace and Facebook have become a regular part of many people's daily Internet usage. Malware authors, who are always on the lookout for new and undefended avenues of attack, have noticed this and increased their attacks on social networking sites accordingly, since many of these sites are vulnerable to these attacks. According to the latest Symantec Internet Security Threat Report (PDF), a total of 1,501 vulnerabilities—61 percent of all security weaknesses studied—were found in web-based applications from January 1 to June 30 of this year. This is, however, a drop from 66 percent in the July to December 2006 period, which may indicate that social networking sites are improving—albeit slowly—their security procedures.

Prior to this decrease, Symantec had reported a rise in the proportion of Web application vulnerabilities, starting in the first half of 2004 and ending in the first half of 2006. This period roughly corresponds to the surge in popularity of social networking sites and "Web 2.0" in general. The exuberance over these then-new technologies left security considerations little more than an afterthought, not only for web site designers but for their users as well. Security attacks such as the WMF exploit on MySpace brought the issue to public attention, as did third-party security audits such as the Month of MySpace bugs.

Social networking sites are attractive to hackers not only because of potential security holes in the applications themselves, but also because the very nature of the site works as a way to spread attacks to more people. "In such a scenario, the attacker may use the legitimacy of the Web site to attract victims of subsequent attacks," the Symantec report said. "Sites with large user bases, such as MySpace, have already been abused in this manner."

Because the site is known and trusted, users are more likely to fall victim to unsolicited e-mails or invites and be tempted to download unknown attachments. Once a user has been compromised by a trojan, attackers gain access to personal information about the victim, including passwords to other sites, and can easily find other victims to attack via the user's own friend lists.

The malware problem in general continues to grow. According to the latest report from security firm PandaLabs, there has been more malware detected in the most recent quarter than was found in all of 2000-2004, putting a strain on traditional key signature methods of malware identification. The number of virus-laden e-mails and phishing attacks is trending slightly downwards according to the latest data from MessageLabs, but this is more a function of increased targeting of attacks to specific people than of a decrease in the number of attacks in general—the bad guys have had a busy harvest season collecting e-mail addresses and are trying to reap what they sowed as quickly as possible.