Hugely popular services such as Facebook, MySpace and LinkedIn are being blamed for a boom in sophisticated email scams in which criminals mine the information on social networking sites to create personalised attacks.
These so-called spear phishing emails appear to come from a trusted source and aim to persuade the victim to hand over valuable data such as banking details or passwords to corporate networks.
Rob McAdam is the chief executive of Pure Hacking, an Australian "ethical hacking" company. Companies contract him and his team to test their defences by trying to break into their networks - and business is brisk.
Mr McAdam regularly performs spear phishing "attacks" on clients, tailoring the email to a company's employees by using details from online sources.
"We'll try to trick them into giving up their username and password into the organisation," Mr McAdam says. "Every single time bar one that we have run that exercise we have been able to get people to cough up their details. It's as if they are expecting it as a consumer but aren't expecting their business to be attacked. It was surprising first up, but now we expect to be able to do it every time."
Nitesh Dhanjani is a US online security expert who specialises in the phishing underworld and its inhabitants. He says the most sophisticated spear phishers may work on an attack for months, using information found online to create so-called influence graphs that plot the target's social networks in an effort to work out who the target is most likely to trust.
They will even research the style of writing to use so as to add authenticity to the attack email.
"It not only has to seem to come from somebody they trust but also to sound like somebody they trust," Mr Dhanjani says. "If the email is formed and written like it was from a trusted person then I am more likely to say, 'Yeah, it must be this guy'."
In one exercise Mr Dhanjani set up an account for a friend on the business networking site LinkedIn. "Two days later I had 86 requests from other people who realised he had joined LinkedIn," he says. "So suddenly out of nowhere I know all the other powerful people he knows."
Spear phishing is the latest twist in a crime that has plagued the online world for several years and is showing no signs of abating. Basic phishing attacks are familiar to anyone who uses email. And while you might imagine only a few unsophisticated users would fall for them, the phishermen are reeling in victims at an astonishing rate.
Last year phishing scams snared 3.6 million adults in the US alone. They lost a total of $US3.2 billion, the research group Gartner says, 50 per cent more than in the previous year.
Meanwhile, the online security company Symantec reported the number of phishing sites worldwide tripled, to nearly 90,000, in six months.
Mr Dhanjani says it is easy to start committing the fraud.
"The barrier to entry in the phishing game is really low. The sort of technical skill required shouldn't impress anybody. Anyone can do it. Today it's harder to get a minimum wage job than it is to initiate a career in phishing."
Initially all it takes to enter the phishing underworld is to perform a simple Google search on one of the unique slang words used on phishing discussion sites.
"Once you log on to some of these message boards there is all sorts of activity and conversations happening," Mr Dhanjani says.
"There are the newbies asking 'How do I get started?', then there are conversations between slightly more technical phishers.
"And there are other conversations happening for more political reasons. We found a couple of message boards in the Middle East that wanted to phish people and post US citizens' identities just because they hated America."
Once they have entered the phishing "ecosystem", budding crooks will download a so-called phishing kit. This is a readily available, convincing copy of a legitimate website belonging to a bank or financial services company.
The kit is "deployed" to one of tens of thousands of hacked computers around the world. The phisher sends out possibly hundreds of thousands of emails to one of the lists easily found online, then waits for the passwords and usernames to flow to their inbox.
Typically, those details will be offered for sale at, say, $US10 each on the black market. The criminals who buy them will go on to steal money from the compromised accounts.
Mr Dhanjani says that ultimately no one is safe from a determined and highly sophisticated phisherman.
"You could take any person on this planet … even me - and I have been doing this [IT security] for most of my career - and, given enough time, I could be compromised."
By Nick Galvin