Most Facebook spam sent through nicked accounts

Written by John P Mello Jr on October 29, 2010

Last week I received a Facebook invitation from a trusted friend to visit a community page on bungee jumping. Since that kind of physical exertion seemed out of character for my friend, the invitation seemed odd to me, but I followed it up anyway. Sure enough, it led me to a Facebook spam page. My friend’s account had been compromised and was being used to lure innocents to the junk site.

That method for distributing spam on Facebook is one of the most common exploited by junk artists, according to researchers at Northwestern University and the University of California in Santa Barbara. In a paper entitled “Detecting and Characterizing Social Spam Campaigns,” which they will present next month at the Internet Measurement Conference in Melbourne, Australia, they report that more than 97 percent of all malicious wall posts on the social network originate from compromised accounts, rather than “fake” accounts created solely for the purpose of spamming.

The spam sent from my friend’s account was annoying but relatively harmless. That’s not true for much of the malicious spam pumped to Facebook members. Some 187 million “wall postings” (messages posted to the pages of Facebook members) were scrutinized by the six researchers conducting the study. Only a small amount of it (200,000 postings, or 0.1 percent of the total) was malicious spam. But unlike the spam sent from my friend’s account, 70 percent of the malicious spam advertised phishing sites, according to the academics from Northwestern (Hongyu Gao, Jun Hu, Zhichun Li and Yan Chen) and UCSB (Christo Wilson and Ben Y. Zhao).

According to the researchers, online social networks (OSNs) have become prime targets for Internet miscreants because potential targets feel insulated from malevolence inside the socnets.

“As communities built out of friends, family, and acquaintances, the public perception of OSNs is that they provide a more secure environment for online communication, free from the threats prevalent on the rest of the Internet,” the researchers wrote.

“Unfortunately, recent evidence shows that these trusted communities can become effective mechanisms for spreading malware and phishing attacks,” they noted. “Popular OSNs are increasingly becoming the target of phishing attacks launched from large botnets and OSN account credentials are already being sold online in underground forums.”

“Using compromised or fake accounts, attackers can turn the trusted OSN environment against its users by masquerading spam messages as communications from friends and family members,” they added.

According to the scientists, their study is the first of its kind to measure and analyze attempts to spread malicious contents on social networks.

The researchers acknowledge that the wide range of attacks being mounted within social networks is beyond the scope of their study. Instead, they focused exclusively on detecting and measuring large-scale spam campaigns launched via wall postings on Facebook pages. Traditionally, spam refers to massive, unsolicited email campaigns to sell goods; however, the researchers chose to analyze a number of attacks mounted through the wall postings. These included:

  • Product advertisements
  • Phishing attacks
  • Drive-by download attacks

While the purposes of the attacks studied by the researchers vary, they all share some common characteristics. For instance, in all cases the attackers leverage large numbers of existing or created accounts to distribute spam posts to an even larger number of users. The posts themselves contain a URL, often in obscured form, along with text designed to persuade the target to visit the URL. If the target clicks the URL, they’ll be taken to a malicious website associated with the spam campaign.
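The characteristics above (many accounts pushing posts that share a destination URL, often lightly obscured, plus near-identical lure text) suggest a simple defender-side grouping: canonicalize the URL in each post, cluster posts by it, and flag clusters whose posts come from many distinct accounts with highly similar text. The following is an added illustration written for this article, not the researchers’ code or algorithm; the wall posts, account names and placeholder domains are constructed, and the thresholds are arbitrary.

```python
"""Toy spam-campaign grouping over wall posts.

Added illustration: clusters posts by canonicalized URL and flags clusters
that many distinct accounts posted with near-identical lure text.
Sample posts, poster names and domains below are constructed."""
import re
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit

# Constructed sample wall posts: (poster account, post text).  The URLs
# use placeholder domains and vary in case, "www." prefix, trailing slash
# and tracking query string, so that naive string matching would split
# one campaign into several.
SAMPLE_POSTS = [
    ("alice", "omg someone has a crush on you!! see who http://crush-example.test/who?ref=1"),
    ("bob",   "Someone has a crush on you :) see who -> HTTP://WWW.crush-example.test/who?ref=2"),
    ("carol", "someone has a crush on you! see who crush-example.test/who/"),
    ("dave",  "free ringtones for everyone, grab yours http://tones-example.test/free"),
    ("erin",  "FREE ringtones!! grab yours now https://tones-example.test/free/?u=erin"),
    ("frank", "free ringtones here grab yours www.tones-example.test/free"),
    ("grace", "great hike last weekend, photos: http://photos-example.test/grace/hike"),
    ("heidi", "new blog post http://blog-example.test/heidi/2010/10"),
]

# Matches bare or scheme-prefixed URLs inside free text.
URL_RE = re.compile(
    r"(?:https?://)?(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE
)


def normalize_url(raw):
    """Canonicalize a URL so trivially obscured variants collapse together:
    lower-case, drop scheme, leading 'www.', query string and trailing slash."""
    s = raw.strip().rstrip(".,!")
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.IGNORECASE):
        s = "http://" + s  # let urlsplit parse a bare host/path
    parts = urlsplit(s.lower())
    host = parts.hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path.rstrip("/")


def extract_urls(text):
    """All canonicalized URLs found in a post."""
    return [normalize_url(m.group(0)) for m in URL_RE.finditer(text)]


def lure_tokens(text):
    """Lower-cased word set of the post with its URLs removed."""
    return set(re.findall(r"[a-z]+", URL_RE.sub(" ", text).lower()))


def avg_pairwise_jaccard(token_sets):
    """Mean Jaccard similarity over all pairs of posts in a cluster."""
    pairs = list(combinations(token_sets, 2))
    if not pairs:
        return 1.0
    return sum(len(a & b) / (len(a | b) or 1) for a, b in pairs) / len(pairs)


def find_campaigns(posts, min_accounts=3, min_similarity=0.5):
    """Group posts by canonical URL; flag groups that many distinct accounts
    posted with similar lure text.  Thresholds are arbitrary assumptions."""
    clusters = defaultdict(list)
    for poster, text in posts:
        for url in extract_urls(text):
            clusters[url].append((poster, lure_tokens(text)))
    campaigns = []
    for url, members in clusters.items():
        accounts = {p for p, _ in members}
        sim = avg_pairwise_jaccard([t for _, t in members])
        if len(accounts) >= min_accounts and sim >= min_similarity:
            campaigns.append({
                "url": url,
                "accounts": sorted(accounts),
                "posts": len(members),
                "similarity": round(sim, 2),
            })
    return sorted(campaigns, key=lambda c: c["posts"], reverse=True)


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_POSTS):
        print(f"{c['url']}: {c['posts']} posts from {len(c['accounts'])} accounts, "
              f"text similarity {c['similarity']}")
```

Run as a script, it reports the two constructed campaigns (the “crush” lure and the “free ringtones” lure) and ignores the two ordinary posts, whose URLs appear only once. Real deployments would additionally resolve URL shorteners and look at posting burstiness, but the grouping step is what turns thousands of individually plausible posts into a handful of campaigns.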

What bait did spammers use in their wall posts to hook guppies on Facebook? Romance topped the list with 51,082 posts suggesting “someone has a crush on you.” Freebies also scored high with 31,329 posts offering free ringtones. That old standby Viagra was popular, too, appearing in 17,614 posts.

Two common phishing scams the researchers found when analyzing Facebook spam posts attempted to pry personal information or money from users. In one campaign, members are promised free ringtones. When they click on the ringtone URL, however, a fake Facebook login page appears. If a user types in login information, it will be captured by the spammer and used to compromise the user’s account.

Another dodge has a member take a “love compatibility test.” To see the results of the test, though, the user has to sign a “terms of service” agreement and enter his or her cellphone number into a form. That information is used to subscribe the user to some kind of mobile service that charges a monthly fee, for which the spammer gets a cut.

Although the researchers did not determine how effective spam campaigns mounted through social networks are, one thing is certain. “[O]ur results clearly show that online social networks are now a major delivery platform targeted for spam and malware delivery,” the researchers asserted.

About John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.