Published July 09, 2009
You can take candy from a baby in cyberspace — and it's enough to make a grownup cry.
The popular Web site Neopets has a reputation for being kid-friendly and kid-safe. Owned by the media giant Viacom, Neopets lets its members — roughly 25 million people — "adopt" cyber pets and earn points by playing games to purchase items for them.
Nearly half of players are between the ages of 8 and 12, although some are as young as 6, and they communicate with each other while at play.
But Neopets has been hit by Internet pirates, according to Christopher Boyd, director of malware research at FaceTime Communications Inc., a California-based Internet security company.
The scam takes advantage of kids willing to pay big for a "magic paintbrush," the rare and pricey item that lets kids change their pets' colors.
They're sent a seemingly innocuous e-mail or private message on the Neopets bulletin boards telling them about a secret Web site (Neopets does not let users copy and paste links) that will let them make their own magic paintbrushes — without having to spend precious points for them.
But when the child browses to that third-party Web site, which may be spoofing the official Neopets look and feel, he or she is not actually downloading and installing a magic paintbrush, but malware — software created to damage or penetrate a computer system.
Not only does the child never get the anticipated paintbrush, the malicious software then is in place to wreak havoc with his or her parents' financial data by culling private information from the now-infected PC.
"I think it's despicable that someone would target little kids, but unfortunately, I'm not entirely surprised," comments Tela Durbin, a 33-year-old advertising copywriter in Cincinnati who blogs for the Working Moms Against Guilt Web site.
Passwords to banking sites, account information, Social Security and credit card numbers all become fair game.
"The overall aim is hoping a child's parent does [online] banking," says Boyd, a security expert. "The child is being used as a launch pad to get to the parent."
Boyd heard of the scam when a friend's child, a Neopet user, was sent the message and the parent asked Boyd to check it out.
Cara Reeves, a 32-year-old advertising copywriter in Cincinnati, has a 6-year-old who's a big fan of Webkinz, a Web site similar to Neopets, and was shocked to learn that her children could become targets of scammers.
"Although I'm usually in the same room or nearby when he's playing, I know he could easily click on something without my knowledge," she says. "Hearing about this scam makes me think I should be monitoring him more closely — or avoid 'kid-safe' community Web sites altogether."
Boyd, who blogged about the problem last week, says such ploys of offering "something for nothing," whether it's free gaming software or Web design software, all follow the same basic principles.
Once a curious surfer clicks on the link and downloads the malware, his PC is compromised, and the information on it is "sent back to base" for the bad guys to use as they choose, says Boyd.
Another security expert isn't surprised by the scam.
"Cybercriminals are looking to attack people where they gather and where they feel safe — and that defines our online social networks," says Marian Merritt, Norton Internet Safety Advocate at Cupertino, Calif.-based PC security giant Symantec.
For its part, Viacom says it is investigating.
"The blog post by Mr. Boyd was not an indictment of Neopets security practices, but rather one example of a 'social engineering' scam used by third parties to lure members of community websites to unaffiliated websites where they may be deceived into providing user name and password," Viacom said in a statement.
"Neopets values the security of our users and educates them about these types of scams. We aggressively investigate all reported instances of social engineering, phishing and any other attempts by malicious individuals to deceive Neopets members."
A Web of Deceit
While social networking sites such as MySpace, Facebook and Neopets spell out conditions against such practices and publicly warn users of the potential threats of infiltration, it's really up the user — or the user's parents — to watch out for sinister pop-ups and e-mails, says Boyd.
"People come up with the scams randomly," he says. "It's up to the people to monitor these things."
Kelly Land, a stay-at-home working mother from Asheville, N.C., points out that it's best to always be on your guard.
"The Internet is very much the Wild West," says Land. "You wouldn't have sent [Little House on the Prairie author] Laura Ingalls Wilder out in the middle of the night to fetch water from the river. Something terrible could have happened to her.
"It's the same with your kid. Don't just let them go out there and think everything will take care of itself and [that] your kid is smarter than a scammer. Odds are ... they are not. And the outcome could be absolutely devastating."
Symantec's Merritt says parents need to keep tabs on what their kids are doing online — even if it's a reputedly rock-solid safe site like Neopets.
"When your children are using social networks, remind them to be careful about who they add as a friend, show them how to set privacy settings to keep private information and photos away from the public, and make sure they know not to click on links or programs sent to them, even by their friends," she says.
The threat of malware isn't just isolated to one hacker stealing one person's information, say security experts. Devious software can sniff out passwords stored in browsers or word documents on a computer that hold personal information, and then pass this data along.
"The bigger issue with [the Neopets-based scam] is the botnet aspect of it," says Michael Fitzpatrick, CEO at NCX Group Inc., a California-based information risk management firm.
The installed malware, explains Fitzpatrick, not only steals personal data — it also lets the hacker "herd" the infected PC into a "botnet," a giant Internet-based virtual computer that can be used to send spam e-mail, attack other Web sites or pump out more malware, all without the rightful owner's knowledge.
While security firms like NCX and Symantec, which makes the well-known Norton anti-virus line of software, are always trying to improve their technology to combat the changing threats, it's an arduous and nebulous task.
"We have to get better on the defense each year," says Fitzpatrick. "It's a process that never stops."
Still, says Boyd, bringing attention to this particular scam means the bad guys will have to go back to the drawing board.
"Shining a light on these corners of the Web tends to make them scatter," he says.
Or, as Land puts it: "Being a cool, passive parent has never been so uncool."