Facebook expands blacklist of malicious URLs

Oct 16, 2012 · 3 mins
Access Control, Facebook, Malware

Bolstering 'the link shim' tool is expected to help businesses, as well as consumers

Facebook has added seven more antivirus vendors to its AV Marketplace, a move that gives the social network a total of a dozen companies whose databases it can tap to identify malicious website links on the site.

Facebook identified the additional partners Tuesday. They include avast!, AVG, Avira, Kaspersky Lab, Panda, Total Defense and Webroot. The companies join Microsoft, McAfee, Norton, Trend Micro and Sophos in selling or offering for free antivirus products for PCs, Macs and mobile phones.

In expanding the choices on its antivirus marketplace, Facebook is expanding its blacklisting reach with more databases it can use to check for links that may have been placed there by a hacker. Legitimate links on Facebook are sometimes hijacked by criminals to direct someone to a website where malware can be automatically downloaded.

In 2008, Facebook launched a security system called “the link shim” that checks the destination URL whenever a link is clicked. If the URL is on a blacklist, then a warning pops up notifying the user he could be headed to a malicious website.

Bolstering the tool is expected to help businesses, as well as consumers. Many companies have built what Facebook calls Pages on the site for marketing products and building a fan base. Having a better mechanism for catching hijacked links prevents embarrassment.

“If I was Facebook, I would do whatever I could to publicize [link shim] and to push it to whatever extent I possibly could,” said Dan Olds, an analyst for the Gabriel Consulting Group. “It’s features like that that will make businesses more confident in giving greater freedom to Facebook users within a company.”

The effectiveness of Facebook security has been questioned in the past. In August, the company revealed that it found 14 million user accounts it considered “undesirable,” meaning they are likely spewing spam or deploying malicious links and content.

While the number was a small percentage of the 955 million users of the site at the time, it was still large enough to worry security experts. Some recommended better user-verification tools to help combat problems associated with bogus accounts.


Facebook has added security features over time to improve user safety. On Monday, the company stopped letting people find others by using the mobile phone number used for two-factor authentication. The move came less than two weeks after a security researcher disclosed that someone could match randomly generated phone numbers with Facebook users.

If businesses using Facebook follow best practices, such as keeping applications and antivirus software up to date, then they are likely to avoid many of the risks on the site, Olds said. Businesses should also educate employees on Facebook about how to avoid scams that try to trick them into giving out user IDs, passwords and other personal information.

“It’s hard to believe that there are still people out there that will give up personal information on these kinds of scams,” he said. “But if people wouldn’t give up information, then hackers wouldn’t keep doing it.”