Facebook apps or widgets are popular vehicles for malware these days, ever since Secret Crush terrorized Facebook members last year. That piece of software was supposed to help you find who your virtual fans were on the network; it instead put spyware on your computer. The lesson to learn here is, widgets or third-party apps are best installed after you look them up on the Internet for complaints from victims.

The Koobface virus (a play on Facebook) has been the worst recent attack. The virus attacks the computer of a person who has a Facebook membership, finds their Facebook friends and sends them a message on Facebook suggesting an interesting video about some Facebook friend. When they click on it, they download a virus. Antivirus software helps against Koobface; but a better strategy is to never download a plug-in from a pop-up. Take down the name of the plug-in and go directly to the source.

Nigerian scams are so old now that it’s a wonder anyone still gets taken in; but they do. The Facebook Nigerian scam goes like this. Someone gains entry into your Facebook account without your knowledge, takes down the names of your friends on Facebook and sends them a desperate Facebook plea for emergency funds for something urgent. The names of the friends found on your Facebook contacts list are liberally used to make the plea sound believable. The friends think that it’s you who is asking for money, and send it to the address asked for; usually it is to the criminal running the scam. To keep from falling for a scam like this, you could just phone the allegedly troubled friend to make sure. In the end, staying safe on Facebook is no different from staying safe in real life; you need your wits about you.

Some call it a worm, but Facebook denies it on its press release. So how does this piece of malware get its way? No one really knows, but it is likely that it could be a combination Clickjacking attempt and Cross-site Request Forgery attempt. A Cross-site Request Forgery attack occurs when an infected computer tries to use the credentials that a victim has among his friends to, post information on their Facebook Wall. Clickjackingit is a dangerous thing; and Facebook will find it nearly impossible to effectively block it. Clickjacking is when a website tries to get people to click on buttons on a page that are either invisible or use other methods of stealth. HTML code used in webpage programming basically allows a flaw that permits this; the flaw can allow hackers to create special webpages that will trick users into clicking on buttons without being aware of it.

Facebook declares that it has blocked the attack; nevertheless they warn members do not go and click on links that do not trust. It may be a little hard to find out what you don’t trust, given the kind of humor people usually adopt to stand out on the Facebook Wall.

A well-publicised case of Scareware recently visited visitors to the technology blog Gizmodo. Apparently, >malware programmers bought advertising space on the website, posing to be a well-known company. When visitors clicked on the advertisement though, they ended up downloading malware. >A similar attack occurred on the website of the New York Times publication last month too. Perhaps the best answer to these hit-and-run attacks is to use premium antivirus software: that way you would not ever be tempted to check out substandard antivirus findings on websites and would be protected from them if you still were.

Emails with links to infected files are old hat, most infections these days occur when malicious software is automatically downloaded to user computers without their knowledge while browsing infected websites. Often malware is disguised as legitimate software / security updates and people are misled by messages via Facebook, etc into downloading them. These techniques are causing an exponential growth in infection according to RSA, a leading security company. The security firm detected 19,102 Trojan infections in August 2009 as against only 613 Trojan infections in August 2008.

As the complexity of design increases most criminals find that they do not have the technical skills to write their own malware and turn to Do-It-Yourself kits that contain everything needed for writing Viruses and Trojans for those who don’t have the know how to write their own.

A top notch malware kit can be worth a lot of money. The Limbo Trojan kit sold for about $350 at the peak of its popularity and the Zeus Trojan kit, which currently dominates the market sells for anywhere between $1,000 to $3,000. However, the dominance and popularity of a kit rarely lasts long as security companies soon fight back by trying to decipher the code and create general heuristic detection routines for anything created using the kit.

Some of the kit makers with waning popularity are trying to stay alive by releasing their source code. By giving free access to criminal developers to their code they can get a huge pool of talent working on their code and adding and improving features. Of course, the flip side is that the security companies also get their hands on the code making it easier for them to create detection routines.