I've been lucky so far and haven't been hit by the Facebook porn spam, but based on the comments of friends who have been, I can see why this would be a good reason for companies to reconsider the use of social media sites. The images were apparently pretty graphic and not the type of images you'd want popping up at work.
According to Computerworld, Facebook said the spam was the result of a "self-XSS browser vulnerability." The article stated:
I have noticed that Facebook users like to copy and paste status reports and share links, so it would make sense to me that they wouldn't hesitate to copy and paste information based on a spam message.
Now, I don't know if this is related to the porn spam or not, but I have been getting spam messages for the past week, encouraging me to click on a link in order to keep my Facebook page up and running. I saw it as spam straight off and didn't do anything about it, especially since it was sent to me and the hundreds of other people on this person's friends list. Others did click on the link and reported they were asked for credit card information.
Just the other day, an online group I belong to was having a discussion about an email many members received with an attachment. I was stunned to see how many smart and Web-savvy people opened the attachment automatically. It never dawned on them that they might be putting themselves at risk, and I wondered how that could be possible in 2011.
These incidents beg the question: Is enough being done to educate people on basic online security measures? I don't think so, and it appears I'm not the only one who feels that way. As Bill Morrow, executive chairman, Quarri Technologies, said in an email to me:
Facebook announced that the recent pornography-related attacks are the result of a combination of a browser vulnerability and user error. This is yet another example of how educating the end user is just a first step. Cybercriminals and online hacktivists are taking advantage of the personal information people provide to social networking sites because the trust they have in these sites presents the perfect opportunity to create socially engineered attacks.
If employees aren't educated to know how to spot spam or a malicious link, or to not automatically follow instructions that come from a "trusted friend," how can we expect them to practice good computer security?