More than four in 10 users of the Facebook social networking site give up personal information after simple inquiries, according to a study released today by anti-virus vendor Sophos.

Sophos researchers set up a fake Facebook profile page for "Freddi Staur" – an anagram of "ID fraudster" – a small plastic frog. Freddi then sent out 200 friend requests, divulging little information about himself in the process.

Nearly half (87) of those queried responded, with 82 percent leaking some personal information in the process.

The number of respondents who revealed personal information that could be used for identity theft was consistently more than 70 percent, according to data supplied by Sophos.

Seventy-two percent of respondents told researchers at least one personal email address, 84 percent gave up their birthdate, and 78 percent revealed their current address or location.

Employers have reason to worry as well. Nearly nine in 10 respondents (87 percent) revealed information about their workplace or educational background.

Sophos, which has its U.S. headquarters in Boston, noted that user profiles are available for viewing when the recipient of a message responds to a query or "poke." However, Facebook provides security options to privatize profile information within account settings.

Ron O’Brien, senior security analyst at Sophos, told SCMagazine.com today that Facebook differs from MySpace in that the site gathers and stores information about users, making it easier to search for specific interests.

"There’s a big difference between Facebook and MySpace in the way that Facebook aggregates its data. If you go in and play with it at all, you’ll find a wealth of information, and the tools that they provide you are very sophisticated," he said. "MySpace effectively gives you a webpage. In the case of Facebook, you’re providing data that’s going into a large database, available to everyone."

O’Brien added that, in the wake of large spam attacks containing malware-laced fake greeting cards, personal information databases could be used for targeted phishing attacks

"Phishing becomes an obvious result, especially considering the results of the email greeting card spam that we just saw," he said. "If I know that your birthday is coming up, and I send you an email card embedded with a trojan, you’re more likely to open it if you receive it around your birthday."

The security of social networking sites has come under increased scrutiny in the past year, but mostly for efforts to keep child predators and sex offenders from communicating with teenagers.

Late last year, experts from MessageLabs and Sophos said they expected malware creators to more heavily target social networking sites throughout 2007.

Last month, researcher Jared DeMott released arbitrary code for a client-side ActiveX flaw in the Internet Explorer toolbar for business networking site LinkedIn.

DeMott said he decided to go public with the exploit after an official with Mountain View, Calif.-based LinkedIn hung up on him.

 

Click here to email Online Editor Frank Washkuch.

Click here for the latest SC Magazine Podcast – Aug. 13, 2007: Spam - why won't it just go away?