Why social networking spam reaps more rewards than email

Written by John P Mello Jr on November 13, 2009
Black Hats are finding social networking sites attractive targets for mischief.

As social networks like Facebook, MySpace and LinkedIn have gained popularity among Web surfers, they’ve also attracted the attention of the Internet underworld. That’s because the likelihood of infecting a computer with malware distributed through a SocNet is much better than with conventional email methods. How much better? Some security experts reported earlier this year that infection success rates were as high as 10 percent for malicious code circulated through a social network. That’s 10 times the infections that could be expected from an email spam campaign.

As Black Hats have turned their attention to SocNets, they’ve begun experimenting with going beyond exploiting the sites for distribution of bad apps to using the webposts for activities such as issuing commands and controlling the operation of botnets.

Just last week, security researchers uncovered a Trojan, dubbed Whitewall, that could use Facebook to coordinate its nefarious deeds. The sinister software is circulated by exploiting known vulnerabilities in Adobe Acrobat and Microsoft Office files. The documents look legit. They may look like communications from courier companies or headlines from news media.

The malware targets the mobile version of Facebook. It receives its marching orders by reading the notes section of that program. If a note contains the title “Wells,” it will contain a timestamp for when a machine is infected. If it’s “WebServer,” the app will execute a URL contained in the note from which it will receive commands. If the title is “White,” the Trojan will follow a URL to a site from which it will download a pernicious payload. If any other words are in the title, the software will do nothing and wait for further instructions.

At this point, White Hats say, the Trojan hasn’t infected a significant number of computers. Its discovery, though, may be important because it may be a proof of concept for hackers mulling ways to use SocNets as command and control servers.

Social networks have also been exploited for more conventional cracker attacks. At the end of October, for instance, more than 350,000 spam mails flooded inboxes claiming to be from Facebook. The messages told their recipients that their Facebook password had been changed and instructed them to click on an attachment to obtain their new one. The attachment contained malware that turned its host into a zombie on a botnet.

The Facebook password con is just one example of how info highwaymen are leveraging the reputation of SocNets to spread their mischief. Not only are users more apt to engage in insecure behavior when they receive spam masquerading as email from one of their favorite social networks, but spam filters are less likely to scrap the correspondence before it reaches its target. For example, in a recent ethical phishing experiment, a charade purporting to be from LinkedIn evaded all the anti-spam filters it was tested against.

The message concocted by the researchers was a mock invitation from Bill Gates, of Microsoft fame, to join his network on LinkedIn. LinkedIn was chosen because it’s known and trusted among many professionals and as such, mail originating from it would be recognized by many corporate email systems. As is typical in this kind of scam, the link in the email leads the user to a site that mimics a legitimate LinkedIn page, but information collected in the forms at the site is sent to Black Hats. The campaign had a 100 percent success rate, with none of the malevolent mail being filtered out by the target system’s spam filters.

The simple solution to foiling cyberbandits milking the popularity of social networks for their own odious ends would be to shut down network access to such sites. That, however, may be not only an ineffective solution but an insecure one as well. Younger workers expect to have access to their social networks from work. Failure to meet those expectations could affect a company’s ability to attract the kind of talent it needs to be competitive in its industry. Moreover, shutting down access to SocNets will only drive usage underground where it will open up potential security breaches in a corporate network. A better solution would be to allow access to social networks but carefully monitor and regulate their use, and to educate employees about “best practices” when using SocNets in the workplace.
