Optimists often look for the most positive events over the year to attach to the label, The Year of…, realists however, take a different approach. And while 2012 is still young and holds a lot of promise, this year could very well be known as the year of social spam.

Social spam is nothing new. In fact, spam first infiltrated Internet bulletin boards in 1994 to mark the first major commercial spam campaign when Laurence Carter and Martha Siegel, a husband and wife team of lawyers, posted bulk messages to Usenet groups advertising their immigration law services in what became known as Green Card spam.

Social interaction on today’s Internet is far more sophisticated than the simple posting of messages and hyperlinks however. Nowadays, spammers turn to social networks and guise their spam as links, content, video, audio and executable files.

The nature of social spam has also changed as the platforms that deliver these messages have also developed over time.

No longer is spam only used to deliver advertising and marketing messages alone. With a more sophisticated field on which to play, spammers have used social sites to not only deliver their advertising, but also malware that: steals credit card numbers, captures user names and passwords and turns computers into zombies.

But if social spam has been a problem for so long, why would 2012 be any different? Take a look and see…

The Facebook Example

On January 4, 2012 the Wall Street Journal reported that social spam is on the rise and to combat this, social networks are hiring more staff to help fight this problem. Facebook was named specifically because according to reports, the volume of spam on Facebook is growing faster than its user base.

On Facebook, spam usually spreads when users are tricked into liking, and then sharing, content that is spam. This practice, known as like-jacking, usually works when a user’s computer is infected with malware that allows the spammer to take control of the user’s Facebook account.

The spammer then posts a message on your friend’s profile that would be interesting to others. Commonly, free dinner coupons are used as the bait as are offers for free iPads or other give aways.

When the user’s friends click on the free offer, they are instructed to download the coupons. These coupons actually contain malware that infects the computers of the user’s friends thus continuing the cycle.

Of course the malware does more than just spread itself via Facebook. It can be used to deliver Trojan horses, keystroke loggers, or any other type of malware.

And just how prevalent are these messages? By Facebook’s own admission, they block over 200 million malicious actions every day. In 2008 the company employed four engineers working to fight malicious use of their site. The same department today, named site integrity, now has 31 team members. Additionally, there are 46 people working on security 300 focused on user issues and over 1,000 others (engineers, lawyers, risk analysts, etc.) who help to fight spam on the site in other ways.

Others Not Immune

Of course other social networks and content sharing sites are hardly immune to the problem of social spam. Twitter has long been a hot bed for spammy posts created by malicious users.

Twitter, by nature, set itself up for spam from the very beginning. As a great way to share content to other like-minded users, Twitter allowed people to share short messages that were less than 140 characters long; short, sweet and to the point.

Since URLs were often lengthy, companies – including Twitter – developed URL shorteners. Now, http://www.allspammedup.com could become http://bit.ly/3KmvyZ to save precious character space.

The problem is, no one really knows if http://bit.ly/3KmvyZ will take you to All Spammed Up or a malicious web site.

Google also out how quickly spam could infiltrate even a carefully planned social network.

Originally opened through an invite only process, Google+ users found the site a welcome break from other social sites that had turned into spam havens. Since early adopters were tech savvy, spam was quickly reported and accounts spewing spam were shut down.

Then came the public release and the ability to create business pages and spammy comments and shares began to fold the network causing one well known legitimate marketing professional to comment:

Wow, Google+ must be taking off. Spotted not one but two pieces of comment spam today.

As users find it easier than ever to share content with their friends and family, spammers will find it easier to manipulate this process. Because we have become so trusting of the content our “friends” share with us, we never consider the fact that what may be the coolest thing on someone’s wall may just wind up infecting our computer.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Is 2012 the Year of Social Spam?

While I personally do not understand the appeal of Facebook, I have to acknowledge that it is a major force on the Internet, and an important part of a lot of Internet-savvy folks’ lives. It’s not just for the kids; even my CEO is on Facebook, and I swear his VCR was blinking 12:00 at last year’s Christmas party! Look around your office, and then check your web proxy logs (or your DNS server’s cache if you don’t filter Internet access) and I guarantee you’ll see that Facebook is a big deal in your office too. It’s that almost universal appeal that makes it such a useful tool for attacking unwitting users.

I’m starting to see dozens of emails each day that on the surface appear to be notifications from Facebook to users informing them that they have a lost message on Facebook. The sender shows up as “Facebook.” The graphics are simple but accurate (let’s face it, Facebook isn’t exactly known for its stunning visuals,) the fonts are the same, and the text is just close enough to realistic to be believable. Here’s a snap of the most commonly encountered message.

obviously NOT a real Facebook notification

Of course, this message is a fake, and can easily be identified as such by anyone who takes more than a second to look at it. Mousing over the blue Facebook, the link to the “lost message,” the link in the FAQ, or even the unsubscribe at the bottom of the message (not shown), all reveal that this is a phishing message. All of those links go to some website in an .FR domain which is definitely NOT a Facebook site, but is designed to deliver malware to vulnerable browsers. But it’s not the vulnerable browsers that worry me nearly so much as it is the vulnerable users that will click on those links.

I can protect my users at the office by filtering out these messages, but I’m absolutely certain that they are getting through lesser filtering systems maintained (or not) by my users’ personal ISPs. Considering the almost rabid addiction many of them exhibit towards Facebook (come on, next time a coworker’s phone beeps in a meeting, get up to see whether it’s really a work-related message, or just a notification that someone posted on their wall), the likelihood that they will click on the link to see what message was lost is dangerously high.

And while you may think that their personal computer is not your problem, think again. Do you not offer webmail? Do you prohibit (and enforce) working on company files using home computers? Those users check their company webmail using that computer. They work on company documents at home when they are on a deadline, or staying home with a sick child. And any malware they get on their personal computer becomes a problem for you. Key-loggers alone should be enough to keep you up at night.

Once again, I am calling upon you to raise awareness amongst your users. Let them know these messages exist, and that they should not be fooled. Point them to this post or better yet, go over it in a company meeting. Do whatever you can to help your users identify this sort of thing and avoid becoming a victim. Trust me, you’re also helping yourself.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Phony Facebook Notifications – More Trick, Less Treat

For the first part of the invite only phase, people were clamoring for invites. A search for Google+ meant weeding through the throngs of web pages either pleading for an invite or those offering them, and even though the social network is now open to everyone those sites still clog up the SERPs for that term.

People wanted them so badly that some of the lucky ones to receive an early invite were selling off their 150 invitations on eBay, Craigslist and anywhere else they could find buyers.

And when it was only open to early adopters, Google+ was a nice place to meet up, share resources and follow interesting people. The level of spam was relatively low during the first 20 million people because it was policed by the users.

Of course opening it up changed all of that.

A couple of public posts regarding spam on Google+ read:

Oof. So much G+ spam, typically in the form of “[fake-sounding or often Russian or Indian name] has shared a private post with you.” What a deluge in the last 48 hours. Bet the G+ dev team has their hands full with this issue right now. Update: shortly after posting this whiney G+ complaint, a spammer invaded the comments on this very post, with a “normal/non-foreign-sounding,” white, female, American profile.

I’m seeing the amount of spam growing exponentially since G+ opened to everyone. Are you?

Comment spam is getting really bad on G+. I would prefer to have a moderation queue rather than have comments show up directly. It’s getting to the point where it is difficult to keep up with the deleting & blocking of spam on my posts.

How can I block people in Google+? More an more spam here.

So it is definitely becoming a serious and annoying problem for many plusers to deal with.

But is that what Google had intended all along?

In an interesting post by Barry Adams for the State of Search blog, the author calls Google out and asks the question, is Google+ a honeytrap to study future search metrics?

The Case For

Despite any preconceived prejudices you have against Google there is one thing for certain, they truly care about the quality of their search results. And they are trying to keep them as solid as possible.

The latest Panda, or Farmer, update provides a stable argument for this as it was geared towards reducing the amount of content spam from the search engine results pages, or SERPS, and devaluing any links from content farms and other forms of link spam.

But Google also knows that the future of search lies within the social metric, not only the link metrics states Adams. So it needs to know how social media can be used to effect rankings. Since spam is a pervasive problem in social media through comment spam, fake shares and votes that are bought for pennies, Google needs to know just how social signals can best serve their ranking algorithms without giving spammers another avenue to exploit.

“I believe Google+ is a huge laboratory designed to analyse social behaviour in an effort to develop algorithms that can, with a high degree of accuracy, detect genuine and authentic shares and upvotes and let those count in Google’s search ranking mechanisms,” claims Adams.

And this wouldn’t be the first time Google released a product that merely served as a laboratory for something greater.

Ever used Goog 411? Many people did because it offered free directory information services instead of the pricey ones offered by phone companies.

But what Google was really doing was building a phoneme database from these voice queries so it could build a quality speech recognition engine for their voice search.

Pretty smart on their part, huh?

The Case Against

Of course, Google may just be offering its social network because it knows that in order to stay relevant, it needs to offer products that are relevant.

People share so much through Facebook, Twitter, StumbleUpon and other social tools because users trust what others recommend more than they do a search engine spider. So while shares and votes are certainly going to be part of Google’s algorithm, it could also be that they know the playing field is changing and they had better adapt.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Google+ Experiment

A study by social media analysts, Impermium, has found that cybercriminals are selling fake and hijacked Facebook accounts for the bargain price of $15 each. Times are tough all over it seems – last year such accounts were going for over $100.  Spammers are presumably snapping them up since, as we reported here earlier, the same study revealed that up to 40% of all social media accounts are fake.

Spammers love these accounts – not only to give them access to the large audiences on Facebook, but to help them place their spam on blogs and websites that are integrated with Facebook connect – many of them won’t allow comments unless you’re logged into a Facebook account. The more popular Facebook gets, the lower the volume of email spam seems to get. Facebook has such value to spammers because of the high trust users have for those on their friends lists. It makes them more likely to click on the links they find in their newsfeeds.

Buying and selling accounts is big business on the web. A quick Google search revealed offers to trade Facebook accounts for verified Paypal accounts, 100 YouTube accounts for $15, phone verified (used in many foreign countries) Facebook accounts for $5 each, and more. People even sell “Likes” for people’s Facebook fan pages. It’s a thriving black market economy which doesn’t appear to be going away anytime soon.

It will be interesting to see what happens when Google finally decides to open Google+ to the general public. Spammers will of course move right in and fake and hijacked Google+ articles will go on sale. Any ideas what Google might have planned to fight back? Facebook hasn’t been too successful so far-do you think Google has learned from their mistake?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers Selling Fake Facebook Accounts

Yet in this case, you can’t really find fault in Facebook’s actions. They are simply a victim of circumstance.

The problem

Anyone who is unaware of the enormous amount of spam that has infested Facebook is either not using the social network or hasn’t read Google news in the past few months. And like any company, they chose to address this problem head on so they implemented an anti-spam solution based on an algorithm that would help weed out spam from their network.

That algorithm was just a tad bit too sensitive for some posts, and activist groups found their messages flagged as spam and blocked from showing up.

At first, certain groups were under the assumption that the messages were being censored by Facebook due to their content being viewed as controversial.

Andred Noyles, a spokesman for Facebook, stated that censoring activist groups or controversial content is not a policy of Facebook’s nor will it be.

“Facebook is not — and has never been — in the business of disabling accounts or removing content simply because people are discussing controversial topics. On the contrary,” he went on to say, “we want Facebook to be a place where people can openly express their views and opinions, even if others don’t agree with them.”

And those organizations who found their accounts disabled after being labeled as spammers, they received a quick apology from Facebook stating:

“Your account was mistakenly blocked from posting on Pages. We apologize for any inconvenience this has caused. We’ve lifted the block from your account, and you should now be able to post again.”

What went wrong?

When it comes to corporate email services, keeping spam messages from getting through to users is usually a full time job. So in a messaging service with a population of over 750 million you can imagine the challenge to Facebook when it comes to keeping the network free of spam.

To fight back they put automated systems in place that rely on algorithms to identify messages that follow certain patterns and flag them as spam. Sometimes these algorithms are not sensitive enough and spam gets through.

Unfortunately as the spammers find these weak spots and exploit them as a way around the filters, when this happens, the algorithms are changed to tighten up the holes. An unfortunate side effect of this is the false positive where legitimate messages are identified as spam and stopped from reaching their destination.

The same thing happens with email spam filters as well. Spam can become such a problem that email administrators use filters that are so sensitive that the rate of false positives is extremely high.

Other times, the algorithms that power the filtering engine simply don’t do a good enough job at preventing false positives and users find their emails not being delivered.

What to do about this

It is reasonable to expect some false positives anytime a computer algorithm is used to do quality control. A computer just doesn’t have the capability of thinking like a human and understanding the context of a message.

So while false positives may be expected, they don’t have to be the norm.

When looking for solutions to help your organization deal with spam, knowing how often false positives are reported can be as equally important as knowing the percentage of spam is blocked from making it to your users’ inboxes and should certainly be a factor in the solution you choose to implement.

There is quite a bit that can be learned from the recent Facebook flub. First, the way they handled the situation is commendable. They recognized the error, apologized and looked into the best way to fix the problem. Second, it serves as warning to us all that preventing spam requires constant vigilance, and even then organizations are bound to take some casualties.

There will be more stories of communications being blocked as Google+ grows and newer technologies come to the marketplace. As users we need to remain patient and supportive when it comes to dealing with false positives while at the same time encouraging the products we use to do what they can to ensure a certain quality of service.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

False Positives and Spam Prevention

This arrogance about his business practices probably won’t win him any friends as he faces 11 new counts – six for electronic mail fraud, three for intentional damage to a protected computer and two for criminal contempt. All of which he pleaded not guilty to in his most recent court appearance on August 4, 2011. If found guilty of these charges, Spamford faces up to 40 years in prison and up to a 2 million dollar fine.

The charges stem from Wallace compromising roughly 500,000 Facebook accounts between November 2008 and March 2009 and using them to send over 27 million spam messages to other users.

And just how did he manage to capture this many accounts? By sending phishing messages out on compromised accounts he was able to trick more victims into giving up their user information. These accounts would also be used to capture more compromised accounts to send out even more spam.

Released on a 100,000 dollar bond, Sanford is due back in court August 22. Of course these charges haven’t prevented him from creating a Google+ account to take the place of his court ordered ban from accessing Facebook or MySpace.

Didn’t reports say spam levels are at an all time low?

Stories like these often get buried by stories with a bit more flair. That is unfortunate because if more people were to read up on this story it could be a significant weapon in the fight against spam. Need a bit more explanation?

Other recent spam related news boasts on how spam is on the decline. When the public hears this, they immediately look for a new boogey man to worry about. I have written quite a few posts here explaining why I think that thinking we have won in the fight against spam is dangerous. Sanford Wallace’s recent indictment proves that.

Spam levels may be down when it comes to email spam, but as we all know this is only one way spammers are able to make money. As the playing field shifts, so will their tactics.

And should we let our guard down and think less of protecting our inboxes rest assured, they will pounce back to using email more frequently.

The story of Sanford Wallace should be used to show people that the threat of spam remains, regardless of reports that it is fading away.

Are people still that oblivious?

Something else that we can use in the fight against spam is the knowledge that people are still willing to give up their account credentials without question.

Wallace was able to con half a million users out of their passwords. Granted, it is a drop in the bucket when you consider Facebook has over 700 million users. But still, that number represents a large number of people who trust things on the Internet far too easily.

According to the Internet World Statistics site there are 2,095,006,005 Internet users worldwide. If just over 7 percent of Facebook uses were willing to fork over their credentials to a phishing attack, then 149,583,429 people could logically fall for a similar con.

There is still money to be made

Wallace had formally retired from the spam business in 1998 but has since been linked to pop-up advertising and scareware scams before jumping back into the game.

In 2004 he was ordered to pay over 5 million dollars in fines for his SmartBOT marketing scam and in 2008 he was ordered to pay 230 million dollars in fines for a later spam campaign using MySpace. In 2009, a judge ordered him to pay 711 million dollars to Facebook for compromising their servers. The order also prevented him from accessing Facebook.

This didn’t stop the Spam King from trying his hand at sending spam via the world’s largest social network gain creating the account called “David Sinful—Saturdays Fredericks”. Why? Obviously because there is still money to be made if you job is to send spam.

So spam fighters, users and curious onlookers beware. If nothing else, the tale of Sanford Wallace shows us that spam is still a problem we face every time we access any communication device. Be it our email, cell phone, mobile device or social network.

So will spam ever stop? Not as long as there is enough money to be made allowing you to pay close to a billion dollars in fines. But it can be controlled.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Sanford Wallace Back in Court: A Win For Spam Fighters?

Of course, sudden growth has its problems. Early on Vic Gundotra, Senior Vice President of Engineering at Google, had to send out an apology to users. Apparently, the system had spammed those involved in the beta test because the servers ran out of disk space causing the system to send out notice after notice.

Unwanted email for sure, but spam? I would hardly think so.

However some insiders think that it is just a matter of time before users start getting hit by some really nasty spam inside the network.

Basing their theories on the fact that Facebook and Twitter have become huge targets for phishing attacks, many see Google+ as the next logical target.

Will it become a problem?

To get a sense of what Google+ users think of spam on the network, let’s look at what some of the most influential users have to say:

• Spam away, as far as I’m concerned, because I don’t want to miss something good just because nobody bothered to tell me about it! : )  +Will Wheaton
• One thing that’s been nice (so far) about G+ is the lack of spam accounts. There are lots of those on Twitter. +Wesley Fryer
• One of the things I have seen is that people will share posts with you to pitch you on their message. Sometimes this is very effective. Other times, though, I find myself blocking these people since their posts are pure sales/i.e. spam. Hopefully G+ won’t become a haven for spammers. How do we manage this? Should we be tagging the spammers back? +Steve Rubel
• Of course whenever we review a profile, if we determine that the account is violating other policies like spam or abuse we’ll suspend the account. +Natalie Villalobos
• Imagine SEO/SEM with spam weeded out through your circles & interests. Game Changer for sure! +Tom Anderson
• G+ allows you to actually see who you want to see without all of the ads and spam messages. +Robert Scoble
• Spam can be dealt with. Google is already very good at detecting this type of thing in Gmail, the rest can be crowd sourced. +Vic Gundotra

Now let’s take a moment to address the comment made by Vic Gundotra.

In Google+ fellow users can be blocked. If they insist on spreading junk you have the option to block them so none of their posts show up, even if they comment on someone else who you are following.

While invites are scarce, this method will work against those without the foresight to create multiple accounts right from the beginning. However, once this product gets out of beta, what will happen? Once a spammer is blocked too many times, he or she will just create another account. The same is true if they are kicked off the network for being reported as a spammer.

And, as any Gmail user can attest to, spam does get through their filters; no more than any other email service, but it does get through.

What holds the most promise for fighting spam is crowd sourcing.

The Google+ community so far has been extremely helpful to one another. A link that is spam would quickly be identified by other users so that others would not fall victim as well. Combining the users with whatever technologies Google employs to fight spam may very well take the profitability out of using Google+ to deliver spam.

I would be interested in hearing from other Google+ users as to their experiences with spam on the network and what they think will best keep it at bay.

Author’s Note –  many people are reporting that emails being sent to their inbox claim to contain a link that will provide the reader with an invite to Google+. The link actually takes the person to a pharmacy site offering drugs like Viagra, Cialis and Levitra.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Google+ Will It Become a Magnet for Spam?

Recent activity indicates a significant reduction in spam levels, but no one should find comfort in this news. Spammers are making it personal, a new report from Cisco suggests, and at fault may be the law enforcement community for taking down the likes of Rustock and other botnets.

If email spam is a recurring nightmare from which you cannot seem to wake, read on. At the half year mark of 2011, some seemingly good news has poked its head over the horizon, with the promise of a brighter future. Unfortunately, the news isn’t all good; in fact, like spammers, it’s a little deceiving.

According to a new (June 2011) report published by Cisco Security Intelligence Operations (SIO) entitled “Email Attacks: This Time It’s Personal,” cybercriminals are dumping the ‘throw it against the wall and see if it sticks’ approach of indiscriminate spam, so much so that Cisco’s reports the, “annualized cybercrime business activity caused by mass, indiscriminate email attacks has declined by more than half.” The report goes on to state that the volume of overall random spam in the past year has declined by more than 80 percent, a figure that sounds a little on the high side, but no one can deny that spam volumes have dipped since the Rustock Botnet takedown in March.

Cisco SIO reports that the financial impact of this decline is significant.

“Cisco SIO estimates that the cybercriminal benefit resulting from traditional mass email-based attacks has declined more than 50 percent: from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.”  

The direct impact of spam emails is even greater, down from 300 billion spam messages a day in June 2010 to 40 billion a day in June 2011.

Generally speaking, people continue to be smart enough to recognize a scam when they see one, but interestingly enough, those who aren’t are getting taken for more money. While Cisco SIO reports that the average user continues to be smart enough not to click that link, resulting in low user conversion rates (the amount of people who actually end up getting fleeced), that this figure “is partially offset by increases in the average user spending on conversions.” Cisco SIO attributes this increase in the spam artists using personalization tools, better-crafted scams and more effective malicious attacks, and reports that the level of personal information being divulged has resulted in larger paydays for the scammers.

So how much does an errant click cost? $250, according to the report. Cisco SIO explains the methodology used in arriving at this figure:

“This amount is in line with the low-end estimate of recent publicly disclosed scams and malicious attacks. For instance, in June 2011, the U.S. Federal Bureau of Investigation (FBI) announced a scam email directing recipients to send $350 to obtain a Clearance Certificate or else legal action would be taken against the recipient.”

Now for the bad news:  even though random email spam has experienced a large decline, the amount of money being made by the scammers has quadrupled. Using the estimates explained above, Cisco SIO reports that “scams and malicious attacks (as a sub-category of mass attacks) have grown from US$50 million to US$200 million over the last year on an annualized basis.”

Oh, the irony!

In what feels like a ‘why did they kick the hornets’ nest?’ moment, the Cisco SIO report explains how, in the past year, the face of global cybercrime has morphed into something different, and quite possibly, more dangerous.  “Starting in 2010 and continuing into 2011, the criminal ecosystem has been changing dramatically. Law enforcement authorities and security and industry organizations worldwide have been collaborating to shut down or limit the largest spam-sending botnets and their associates. SpamIt, a large spam-sending affiliate network, ceased operations in October 2010 after its database was leaked and Russian police pressed charges against its owner. Major botnets were severely curtailed or even shut down, including Rustock, Bredolab, and Mega-D.” The end result? “By disrupting the financial and technical business models of key cartels,” Cisco SIO reports, “threat volumes have declined in favor of more lucrative activities.”

Oh, the humanity! If what this report states is true (and it sure sounds about right), then by deposing the former ruler – the incessant glut of email-pushing online pharmacies, instant university degrees, Internet casinos, and secret fortunes waiting to be smuggled out of some foreign country – in its place the law enforcement community has established a new despot: the smarter, more focused scammer!

Evolutionary Change and Survival of the Craftiest

In fact, Cisco SIO reports:

“as part of the evolution of the criminal ecosystem, [the growing number of scams and malicious] attacks are becoming highly focused.”

Scammers are taking greater care in their approach as they carry out schemes designed to rob people of their hard-earned Benjamins. They’re taking to other means – such as SMS, social media like Facebook, Twitter and Tumblr, the tried-and-true telephone scam, and even  eBook readers – and they “are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position.” Examples of these scams, Cisco SIO reports, are:

• SMS financial fraud scams to specific locales
• Email campaigns that use URL shortening services
• Social media scams, where the criminal befriends a user or group of users for financial gain

Spearphishing is on the rise and has experienced its own evolution, Cisco SIO states:

“Spearphishing attacks are aimed at a specific profile of users, often high-ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content.”

If the cyber scammers are getting smarter, then it’s imperative that we, too, evolve. Cyber criminals made $150 million this year from spear phishing, according to Cisco, and that kind of return on investment speaks for itself. Spam won’t go away, ever. But like a nasty super virus that evolves and mutates into an antibiotic-resistant strain, spam marches on, even if it’s only to the beat of a new drum.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spam Reduced, Targeted Attacks on the Rise: Cisco

Traditional phishing attacks require the attacker to trick the victim into clicking on a malicious link sent to them via email or instant message. The link then takes the victim to a web page that has been spoofed to look like PayPal or the victim’s bank so that the attacker can collect login credentials.

Tabnapping is much more sophisticated and it no longer relies on a victim clicking on a link. Instead, it directly attacks open tabs on the victim’s browser.

The addition of tabbed browsing opened up web surfing to an entirely new level of productivity, or time wasting depending on how you use the Internet. Users could now reduce the clutter caused by multiple windows, bookmarking became much more efficient, multiple tabs loaded faster than multiple windows and it made web content much easier to manage. However tabs are often left idle, and that is what opens the door up to this type of attack.

Walking through the tabnapping attack

We all know that cybercriminals can spy on your browser history to see what sites you frequently visit using spyware. They can also tell when a browser tab has been inactive for a while. Using malicious code the attacker can replace the site that is open in the idle tab with a spoofed site of their own, say a bank or email page. Thinking the session has been logged out, the victim logs back into the spoofed page that appears in the tab. Now, the phisher no longer has to lure unsuspecting victims in with email spam as bait and, more importantly, he/she does not have to gain the trust of their victim. Unsuspecting users simply login to a page that they believe they have already opened.

Fortunately, this attack has only been seen so far as a proof of concept attack that was developed by Aza Raskin, creative lead for Mozilla Firefox. Unfortunately, he was able to simulate this type of attack on all the major browsers for both Windows and Mac OS X computers.

“You can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate log-in screen and favicon on demand”, Raskin explaines about this discovery.

“Even more deviously, there are various methods [one can use] to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML Web page in a script tag … You can make this attack even more effective by changing the copy. Instead of having just a log-in screen, you can mention that the session has timed out and the user needs to reauthenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.”

Prevention

Right now, browsers are not expected to release any patches to fight against this type of threat. According to Microsoft’s security response center, the issue isn’t considered a vulnerability per se. The attack simply exploits the way browsers work. But that doesn’t mean there is no defense.

Like any phishing attack, tabnapping can be thwarted by making sure you always check the URL before entering any login credentials or account information. If the URL is different or if it doesn’t have the https then you may be visiting a spoofed page.

Other steps you can take to prevent falling victim to this type of attack are to close out any tabs that ask for reauthetication and go back to the page in a new tab to log in. Another move that is advised is to avoid online banking and visiting sensitive sites with new tabs. Do your banking first and then surf the web to mitigate any attacks.

At the browser level you can also utilize plug-ins and tools designed to filter our malicious sites and those that contain malicious code. This would give you an added layer of defense, but it is not one you can rely on solely.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Defending Against Tabnapping – No Fix Coming Soon

In the most recent spam scam to assault Facebook, users are being greeted with a message advising them to ‘verify’ their account, seemingly a noble act of spam prevention and surely not spam itself, right? Not so fast. Those rascally little hackers have swapped out the ‘Like – Comment – Share’ links with a ‘== VERIFY MY ACCOUNT ==’ link, making clicking eminently attractive and practically unavoidable for the uninformed user. Clicking the link, of course, has exactly the opposite effect advertised by the malware, not only posting the message on the user’s wall, but in fact spreading JavaScript that, according to The Register, is “highly obfuscated.” (If interested, you can check out an interesting analysis of the script here.)

“Facebook has become a veritable cesspool of spam, with fake links promising to show users things like how many people have visited your profile or the never-released photos of Osama bin Laden’s body,” reports the Detroit Free Press.

In fact, it seems that these clickjacking schemes have become the norm and Facebook, by its own admission, has only been able to react to the scams as they appear.

“We’ve been shutting down the scammy pages that are the source of this spam as soon as we detect them or they’re reported to us,” Facebook’s Fred Wolens told the Free Press.

So let’s return to the kingdom of the blind. No disrespect to any Facebook user intended, but knowing how to recognize a genuine security threat often requires three things: experience, specialized understanding in what goes on under the hood, and the requisite savvy that comes with being an IT professional. The first one is easy. Think about the first time you learned that touching an open flame wasn’t such a good idea. Anyone who’s been nailed at least once by a malicious link will testify that they think twice before clicking again. The second and third, however, require specialized information that, simply speaking, aren’t part of the average computer user’s frame of reference. And to be fair to Facebook users everywhere, they shouldn’t need to have that specialized knowledge. It would be counterintuitive to the concept that Facebook is easy to join. Easy to use.

To give Facebook credit, last week the website announced several new features implemented to combat clickjacking:

• Web of Trust (WOT) – Web of Trust is a free service that grades sites based on user experience. Basically a community that relies upon reported links, WOT intercepts links in Facebook, warning the user that the link could be dangerous, if it has been frequently reported by the community.
• Clickjacking Prevention – Since clickjacking is based on tricking the user into thinking they’re clicking on one thing when in fact they’re clicking on another, Facebook has implemented extra security measures to detect whether links are trying to pretend they’re something else. In essence, users will be required to confirm their choices when they click “Like.”
• Cross-Site Scripting (XSS) Protection – Malware often tricks users into pasting malicious code into the browser address bar. Facebook has added an extra layer of protection, providing a popup window advising the user that he or she is trying to address a bad link.
• Login Approvals – Facebook has added an optional – but highly recommended – layer of security by offering two-factor authentication, meaning that whenever a user tries to log on to Facebook from a new device, he or she will also have to enter a code sent via SMS to the user’s mobile device.

If you’re reading this and you have responsibility for office workers who have access to Facebook, you’re probably already copying and pasting into an enterprise-wide email. That would be a wise choice.

Let’s face the facts. Social networking does a great job of bringing people together in cyberspace. The problem: it also makes it way too easy to put hackers, spammers and cyberpunks together with innocent users who are not trained – or even interested in being trained – in how to recognize malicious code and spam when and where it appears. As memberships continue to grow in unprecedented proportions, hackers will continue to figure out how to exploit the system.

You had better hang on. The one-eyed men aren’t going away anytime soon. In fact, they’re fitting themselves for crowns.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Spam Prevention Scam Propagates, Hackers Rejoice

Anytime an attack method is used via Facebook you can be assured that it will be big news so when the social network was found to be a tool used in clickjacking attacks it quickly became a topic that everyone was talking about.

On the surface clickjacking , also known as a UI redress attack, is a relatively simple attack. The attacker gets the victim to visit a web page where the code has been exploited to do something harmful.  Of course, attacks are never quite that simple.

The complexities that are involved with a clickjacking attack come from disguising the malicious intent. That is essentially where the name is derived from. The victim is tricked into clicking what they think is a harmless link, the play button on a video, a Facebook “Like” button, a Twitter follow button, etc. In actuality, the web page has another web page that is a transparent layer over the dummy page. When the victim thinks they are clicking on the valid button or link, they are actually performing the activity that the transparent page is directing their browser to do. Essentially, this attack hijacks your browser and/or computer as a result of the click – hence, clickjacking.

What Can Clickjacking Make Me Do?

The simple and honest answer to this question is: whatever the attacker programs it to do. But here are a few examples that show exactly what can happen if you fall victim to a clickjacking attack:

• The Facebook attack

The most recent attacks involving Facebook trick the victim into watching a video. When they attempt this, the code adds “Likes” to the victim’s Facebook newsfeed in hopes that the spam is spread to the victim’s friends as well so any of the victim’s friends who also click on the link will wind up spamming everyone on their own friends list as well. This helps to perpetuate the attack.

Often times this attack is paired with having the victims fill out surveys or sending them to other sites that generate money for the attacker. The more spam they are able to send out via Clickjack attacks, the more money will potentially make.

• The Flash attack

No these aren’t quick attacks; it targets a vulnerability in Adobe Flash and is one of the most notorious examples of Clickjacking there was. This attack was launched against the Adobe Flash plugin settings page and caused the page to load into an invisible iframe that allowed the attacker to trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer’s microphone and camera. In plain English, the attacker could sit back and watch and listen to what you were doing while in front of your computer’s camera and microphone. They didn’t even have to work for the Philadelphia school system to do this.

• Tricking the user to take action

While these are more proof of concept attacks, they clearly show what else can be achieved by a successful clickjacking attack.

The attacker spams as many email addresses as they can with a link to a video. The victim visits the page with the video but another valid page, for example a product page on amazon.com, is hidden on top or underneath the “PLAY” button of the video. When the user presses the play button for the video he or she actually “buys” the product from Amazon.

Of course there needs to be a stored cookie for Amazon or a recent login for this to work, but if enough spam is sent out by the attacker odds are they will see some reward from this.

Thwarting Clickjacking Attacks

Facebook has made efforts to not only educate users as to the dangers of clickjacking on their network, but have also instructed users as to how they can remove the spam from their newsfeed by hovering over the right of the post in the newsfeed and clicking on the X to “Remove and unlike” them.

Another option that many people take is to install the NoScript add on for the Firefox browser. This tool only allows activity on web sites that you trust and alerts users to potential threats.

Of course, stopping clickjacking at the source is one of the best avenues to take when fighting it. Since this attack relies on victims clicking on malicious links, one of the primary delivery methods is through email spam. Effectively educating users about spam and using a proven spam fighting solution will go a long way in stopping clickjacking attacks against your users.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Art of the Clickjack Attack

Newmark: Facebook email is spam killer.

Facebook will be rolling out in the coming weeks a new messaging system that will include email. For the first time, you won’t have to be an employee of the world’s largest social network to have an @facebook.com email address.

The new system has been called by some a Gmail killer, but others, including Mr. The Social Network himself, Mark Zuckerberg, have called it a spam killer. Here are some of basics about the system.

It’s based on an instant messaging paradigm. If you’re online in Facebook, all messages–email, chat and network missives–will appear in a chat window. If you’re on your phone, communications will be routed to the mobile.

The system has three folders–one for Facebook friends, another for less important messages and a third that’s essentially a junk mail folder.

Because users will have a Facebook email address, people from outside the network will be able to add messages to a user’s message stream.

In addition, users can downgrade the status of friends so their messages will appear in a lower priority folder.

Much of what the system does can be done–and done better–with a decent email program. Microsoft Outlook, for instance, allows you to use filters to direct incoming email to specific folders. Moreover, you aren’t limited to three folders, but to as many folders as you want or need to keep your mail organized. Defining and maintaining filters takes some sweat equity, but the payoff is the kind of granularity that can’t be achieved in the Facebook scheme and increases the effectiveness of email.

So where does spam killing enter the picture? By giving the highest priority to messages from Facebook friends, you can essentially create a “white list” of trusted people and screen out everything else, including all spam.

          “The deal is that a Facebook identity (profile) pretty much ensures that there’s a real person behind it,” Craig Newmark, founder of Craigslist, wrote for the Huffington Post. “Spammers can create their own Facebook identities to try to work around this,” he acknowledged, “but that’s way more expensive than getting temporary email addresses, and that raises the cost of spamming people. So, if Facebook does this, it might provide the most personal, and spam-free email available, and it might be relatively easy to do so. That’s killer.”

Sindre Lia, writing for Infosync, also believes the social network’s scheme will be a spam killer.

          “Facebook Messages is destined to become the place to go for a spam-free messaging experience,” he declared. “Surely, there are ways to achieve that already, but the Social Inbox makes it all simpler while also acting like a communications hub regardless of your communication form (SMS, chat, email or Facebook Messages) where your communications history is saved in the cloud,” he added.

While he concedes that Facebook’s scheme will require an attitude adjustment by those who wish to use it as an email substitute–there are no subject, CC or BCC lines, for example, or even contact lists–it does remove much of the hassle of existing email systems.

          “Facebook describes this as an instant communication form that is free of worries, including worries about how to reach your friends,” he explained. “The friends you don’t already have on Facebook can be added to your Messages experience. Everything else, including spam, can be dug up through an ‘Other’ folder.”

In its announcement, Facebook put its vision this way: 

          “Relatively soon, we’ll probably all stop using arbitrary 10 digit numbers and bizarre sequences of characters to contact each other. We will just select friends by name and be able to share with them instantly. We aren’t there yet, but the changes today are a small first step.”

Not everyone agrees with Newmark and Lia, however.

          “I think everybody needs to calm down a little,” chimes in Graham Cluley at the Naked Security blog. “Because it’s time for a reality check.”

He argues that Facebook email, far from ending spam, may increase another kind of spam. All kinds of malignant mischief has been on the rise in social networks. For instance, from April to December 2009 alone, spam reports on social networks increased more than 16 percent, phishing attacks by nine percent and malware assaults by more than 14 percent.

          “So,” he continued, “just because you receive a message from a verified Facebook user who you have already connected with doesn’t mean that the email is kosher. All it means is that the Facebook account was used to send the spam.”

“More emphasis by Facebook on email could mean that the social network becomes even more attractive for spammers to abuse,” he added.

Moreover, Facebook’s venture into email may, rather than kill spam, may just increase it, asserted Fabrizio Capobianco, writing for The Guardian. He maintains that the best part of Facebook is that it prevented strangers from sending messages to you.

          “Now strangers can send you messages in Facebook,” he wrote. “They can spam you on Facebook.”

          “Facebook has decided to welcome spam in their system,” he added. “The one thing that made their system great, because it was not there.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

What are your thoughts about Facebook email killing spam?

Observers are split as to the repercussions that the new Facebook Messages could have on the spam industry, with a number of well-known sites such as PC Pro declaring that “Facebook looks to kill spam with messaging system.”  Other such as ComputerWorld are less sanguine however, observing that far from it, hackers and spammers will in fact be attracted to Facebook Messages.

At first glance, the inherent trust-based nature of a social network-based messaging system looks like the perfect tool for the combating of spam.  After all, your friends would hardly send you links or malware that will harm you, isn’t it?  And not only will the annoying spammers be automatically excluded from clustering up your inbox, the ability to look only at messages from your friends means that your online peers also play an inadvertent part in helping to sieve out fake or malicious messages.

Zuckerberg himself was quoted elaborating on precisely this topic, noting that: “Because we know who your friends are… we can do some really good filtering for you so you only get the messages you want.”  While not incorrect, there are unfortunately a couple of dangerous assumptions made that can lead to an unfortunate false sense of security from unsolicited digital trash and link-baiting attempts.

Let’s take a look at a few of them here.

Are your friends really your friends?

The “friends” used by Facebook is really a misnomer originating from the desires of the social network giant to be the hub that facilitates your communication channel with people you already know.  These days however, we befriend just about anyone who sends us a request; while many businesses have worked hard to garner a robust number of friends as part of their marketing and branding efforts.  The herd mentality of blindly accepting friends request to the liberal dose of prize giveaways has resulted in network of friends that are really acquaintances or “friends of friends.”

Honestly, how can one be even sure that the identity of the new friend is who he or she claims to be, and not a bogus account created with ripped off photos obtained from somebody’s online photo gallery?  In addition, spammers could just as easily create disposable Facebook identities, befriend you, and then proceed to spam via Facebook.

The use of automated tools

One minor point that is often missed by novice computer users has to do with how spam is practically never sent manually.  In fact, it is common for criminals to remotely engage the use of compromised servers and computers systems from around the world to spam.  Indeed, an entire ecosystem has sprung up in which tens of thousands of commandeered machines are “rented out” to spammers- for a fee.

On the same token, is it reasonable to expect these same hackers to refrain from writing automated tool that can sign up for Facebook accounts en masse from which they will be used to spam you, or from participating in the trading of compromised Facebook accounts?

Compromised systems

The same tools that allow spammers to harness commandeered computers to surreptitiously send their spam also allow them to spy on their victims.  It really is trivial to capture all typed keystrokes in order to obtain the password to legitimate Facebook accounts.  From there, it is but a small step to spread spam and malware havoc by leveraging on the established web of trust.

As Charles Arthuron over at the Guardian.co.uk wrote: “I think that’s underestimating how peoples’ systems can be compromised.  Remember that Facebook has seen scores of spam attacks and virus attacks which have spread at huge speed through the network… ”

Back to traditional defences

Ultimately, I feel that the ideal of the social network being able to defend users from spam is but a fallacious hope.  Indeed, fellow writer John P Mello Jr recently blogged about how nicked accounts are the cause of spam sent via Facebook – the new Facebook Messages will certainly not be able to change this.  If anything, the very fact that Facebook operates a spam prevention system underscores how spam detection and filtering are still essential components required in corporate and personal email systems.  So don’t throw away your spam appliance just yet.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Will Facebook Messages kill Spam?

That method for distributing spam on Facebook is one of the most common exploited by junko artists, according to researchers at Northwestern University and the University of California in Santa Barbara. In a paper, entitled “Detecting and Characterizing Social Spam Campaigns” which they will be presenting next month at the Internet Measurement Conference in Melbourne, Australia, it was revealed that more than 97 percent of all malicious wall posts on the social network originate from compromised accounts, rather than fake” accounts created solely for the purpose of spamming.

The spam sent from my friend’s account was annoying but relatively harmless. That’s not true for much of the malicious spam pumped to Facebook members. Some 187 million “wall postings” (messages posted to the pages of Facebook members) were scrutinized by the six researchers conducting the study. Only a small amount of it (200,000 postings, or 0.1 percent of the total) was malicious spam. But unlike the spam sent from my friend’s account, 70 percent of the malicious spam advertised phishing sites, according to the academics from Northwestern - Hongyu Gao, Jun Hu, Zhichun Li and Yan Chen, and UCSB – Christo Wilson and Ben Y. Zhao.

According to the researchers, online social networks (OSNs) have become prime targets for Internet miscreants because it’s felt that potential targets feel insulated from malevolence inside the socnets.

          “As communities built out of friends, family, and acquaintances, the public perception of OSNs is that they provide a more secure environment for online communication, free from the threats prevalent on the rest of the Internet,” the researchers wrote.

“Unfortunately, recent evidence shows that these trusted communities can become effective mechanisms for spreading malware and phishing attacks,” they noted. “Popular OSNs are increasingly becoming the target of phishing attacks launched from large botnets and OSN account credentials are already being sold online in underground forums.”

“Using compromised or fake accounts, attackers can turn the trusted OSN environment against its users by masquerading spam messages as communications from friends and family members,” they added.

According to the scientists, their study is the first of its kind to measure and analyze attempts to spread  malicious contents on social networks.

The researchers acknowledge that the wide range of attacks being mounted within social networks is beyond the scope of their study. Instead, they focused exclusively on detecting and measuring large-scale spam campaigns launched via wall postings on Facebook pages. Traditionally, spam refers to massive, unsolicited email campaigns to sell goods; however, the researchers chose to analyze a number of attacks mounted through the wall postings. These included:

• Product advertisements
• Phishing attacks
• Drive-by download attacks

While the purposes of the attacks studied by the researchers vary, they all share some common characteristics. For instance, in all cases the attackers leverage large numbers of existing or created accounts to distribute spam posts to an even  larger numbers of users. The posts themselves contain a URL, often in obscured form, along with text designed to persuade the target to visit the URL. If the target clicks the URL, they’ll be taken to a malicious website associated with the spam campaign.

What bait did spammers use in their wall posts to hook  guppies on Facebook? Romance topped the list with 51,082 posts suggesting “someone has a crush on you.” Freebies also scored high with 31,329 posts offering free ringtones. That old standby Viagra was popular, too, appearing in 17,614 posts.

Two common phishing scams the researchers found when analyzing Facebook spam posts attempted to pry personal information or money from users. In one  campaign, members are promised free ringtones. When they click on the ringtone URL, however, a fake Facebook login page appears. If a user types in login information, it will be captured by the spammer and used to compromise the user’s account.

Another dodge has a member take a “love compatibility test.” To see the results of the test, though, the user has to sign a “terms of service” agreement and enter his or cellphone number into a form. That information is used to subscribe the user to some kind of mobile service that charges a monthly fee, for which the spammer gets a cut.

Although the researchers did not determine how effective spam campaigns mounted through social networks are, one thing is certain. “[O]ur results clearly show that online social networks are now a major delivery platform targeted for spam and malware delivery,” the researchers asserted.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Most Facebook spam sent through nicked accounts

Guerbuez insists he is not a spammer and has done nothing wrong, saying if people don’t want a particular email, they should use their delete key. It doesn’t look like the court ruling will be of much help to Facebook as Guerbuez has filed for bankruptcy and listed the site as one of his creditors-a common tactic used by spammers who have had huge judgments levied against them.

His lawyer said the judgment was excessive and that his client had no choice but to file bankruptcy because there is no way he could ever pay such a huge amount, which equals $1 billion in Canadian funds.

Guerbuez says he is a highly skilled internet marketer and says the whole Facebook issue has helped him gain attention and helped his business. He also claims to have both a book deal and a movie in the works.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Canadian Court Upholds Facebook Spammer’s Verdict

The findings shouldn’t be too surprising to anyone familiar with Facebook. A problem with email spam is that much of it is anonymous. If a junk message is lucky enough to evade a network’s spam defenses and end up in a recipient’s inbox, it lacks credibility because the recipient has no idea who sent it. A message appearing in a Facebook news stream, on the other hand, has at least a veneer of credibility because it originates from a network of “friends” created by the recipient. Add that to the size of the target pool–500 million active users and counting–and their high activity rate–50 percent of them log on to the network on an given day–and you’ve got an irresistible attraction for spammers.

Unlike their email counterparts, social network spammers don’t need large volumes of dupes to make substantial sums, according to the study. However, it added, Facebook scams have been known to produce hundreds of thousands of clicks once they go viral on the network.

A common scam perpetrated by Facebook spammers involves SMS subscriptions. It works like this. Spam news feeds are used to lure Facebook members to pages where they’re asked to complete surveys or questionnaires. For example, testing one’s IQ in something is a favorite on the service. What’s your baseball IQ, for example, or your World Cup IQ? Once the questionnaire is filled out, the spammer will ask for a cell phone number as a condition of revealing the results of the IQ test to the victim. The number is then used to subscribe the target to an SMS service. Those services send unsolicited messages to a phone on a periodic basis. The target is charged for the message and the spammer gets a cut of that charge.

The problem with surveys and questionnaires, though, is that people flitting the Internet don’t have the patience to fill them out. Clicking a button to indicate one “likes,” or gives a thumbs up to something, barely puts a crimp in a cybernaut’s surfing session. Filling out a survey or questionnaire–not a cherished activity either inside or outside cyberspace–is another matter entirely. When the bloom was first on the questionnaire approach, merely offering results may have been an effective way for spammers to induce guppies to take the hook of a scam in their mouths, but it rapidly lost its efficiency.

Spammers found they had to raise the ante if they wanted meaningful participation numbers in their shenanigans. They began to disguise their intent better by creating fan and group pages. Some of those pages, stripped of their injurious content, have been gathered by a website called bypassfanpages.com. Many of the pages try to attract a target with a tantalizing headline. “10 Secret Tips To Get Any Guy to Ask You Out!” shouts one headline. “OMG! You WON’T believe what this SICK old man put in a 9 year old GIRLS halloween candy!!” screams another containing grammatical errors, a trademark of spammers the world over.

Once they attract potential victims to one of those pages, they offer them various perks, always bogus, to snare them. They may offer free products, some kind of bonus or an enhanced feature set for joining the group, getting others to join the group and finally, for filling out the nefarious questionnaire.

Even those methods, though, are beginning to wear thin with social networkers, the study reported. Its authors discovered that in many cases, while clicks indicating visitors favored a page might be zooming, click-throughs to the content being teased by the page were pallid, as low as a few dozen.

          “That’s good news,” the study said. “Examination of the data demonstrates that fewer and fewer people actually continue on to ‘step 3,’ which is filling out the survey.”

“The vast majority of people bail out of the process after simply liking the page, or after sharing the link,” it added.

While the word about Facebook scams spreads quickly, it doesn’t seem to be deterring the scammers, the study noted. That’s because the junko artists still appear to be able to turn a buck with their schemes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook trumps email for spam success

That seems to be the case with the recent hullabaloo over the “dislike” button in Facebook.

Members of the vast Facebook social network have the ability to click a button when they “like” a posting they see in their news feeds, but unlike other websites that solicit mob opinion on their content, Facebookers can’t show their displeasure with what they see on the network. That omission has vexed more than a few of the Facebook faithful, including columnist Dan Tynan.

          “Like many people of an inherently cynical nature, the fact Facebook only allows you to express your ‘Like’ on various topics, posts, and advertisements irks me,” he wrote. “I know I’m not alone, and so do Facebook scammers, which is why the latest viral ‘Dislike button’ scam has spread so quickly.”

As many popular scams begin on Facebook, a member sees a message with an enticing pitch. In this instance, it was “I just got the Dislike button, so now I can dislike all of your dumb posts lol!!” or “Get the official DISLIKE button NOW!” Included with the message is a shortened URL, so victims don’t know where they’re going when they click on it.

Clicking on the short URL in the Dislike message displays a screen for installing the Dislike Button. When members attempt to install the feature, they’re asked to give their permission to allow the app to access their basic information, post to their “walls” and access their data at any time, which pretty much opens the door to the chicken coop for the foxy spammers.

Once they have access to your Facebook information, the spammers use the member’s information to promote–under the member’s name–the Dislike Button to all the member’s friends.

Meanwhile, the member still doesn’t have a Dislike Button. Before he or she gets the button, they must fill out a survey, which makes the scammers some cash. After finishing the survey, the member is sent to a website where they can install a browser add-on called Dislike Button. The app began as a Firefox add-on, but now it can be downloaded as a executable file that will work with Chrome, Internet Explorer and Opera. Support for Apple’s Safari browser is in the works.

What got lost in all the hubbub about the scam, though, was the fact that the Dislike Button is a legitimate add-on. Its makers, FaceMod, were being victimized by the scammers as much, if not more, as Facebookers clicking on the URL in the fraudster’s pitch message. Unfortunately, the maker’s message was lost in the digital din that erupted when the scam was revealed by a malware fighting firm.

          “Recently, the Dislike Button has been mentioned in several articles, blogs and tweets, in conjunction with a scam, which silently sends the link to users’ Facebook friends, and requires the user to then take an online survey, which makes money for the scammers,” FaceMod wrote on its website. “Due to the high demand for the Dislike Button,” it continued, “unaffiliated people and/or groups are attempting to monetize FaceMod’s products by re-directing to online surveys. FaceMod does not require a user to fill out a survey, is not affiliated with this Scam and urges users to avoid unofficial posts.”

For the sake of clarity, FaceMod’s add-on only works with other Facebook members who have installed the app in their browsers. In other words, if you click “dislike” and the person who posted the item you disapprove of doesn’t have FaceMod’s software installed in their browser, they won’t see your thumbs down.

Initially, FaceMod sent a message to a person when a user of its app gave the thumb’s down to an item, but it removed that feature–although the company’s website still says it’s there–after receiving complaints from people who received what could be interpreted as spam messages announcing they’d been “disliked.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The curious case of the Facebook Dislike button

If a spammer can get a target to trust them, then they’re 90 percent home in completing their manipulative mission. That’s why spammers have increased their activity on social networks. A member of a socnet is much more likely to trust a message from a “friend” than they would an email with dubious origins.

But frequently socnetters aren’t very careful whom they befriend, as some anti-spam researchers discovered with an experiment aimed at Facebook, which has about five percent of the world’s population in its membership.

The researchers, who presented their findings at the MIT Spam Conference held in Cambridge, Mass. recently, explained how they enticed Facebook members to blithely accept perfect strangers to enter their inner circle of acquaintances on the social network.

The group, led by George Petre, of BitDefender, began their experiment by setting up bogus profiles on Facebook. The profiles fell into three categories. One had very little information about its subject; another had a little info on its fake creator; and the third had detailed data in it.

After setting up the profiles, the researchers used them to join popular groups on the service. A group can be created around almost anything–a TV show, a celebrity, a company, a product and such. Once nested in a group, the boffins started sending out friend requests to its members, hoping the credibility of the group would rub off on those requests.

According to the researchers, Facebook groups are a popular target for spammers. For example, following the earthquake earlier this year in Haiti, a group was formed that claimed Facebook would donate a sum of money to relief efforts for every person that joined the group. Two million members joined the group before Facebook discovered the scam and shut it down. Meanwhile, the group was used to spam the people joining it.

Within 24 hours, the researcher’s scam began to bear fruit. As might be expected, the more information included in the phony profile, the better the response to its request for fellowship. For the skimpy profile, the researchers received 85 acceptances from members; for the moderate profile, 108; and for the detailed one, 111.

Occasionally, members would message the researchers asking for additional information about the fictitious person requesting friendship. Although the researchers ignored those messages, many of those correspondents approved the friendship request anyway.

Social networks typically have messaging systems that allow their members to communicate with each other privately. Facebook has such a system, and it scrutinizes the traffic in it. But, the researchers found, the filters applied to that traffic seemed better suited for identifying phishing attacks than catching spam.

We don’t know how familiar the researchers were with Facebook’s workings, but there’s another kind of profile that would have been interesting to test. It’s one where the maximum security settings are applied to the profile. When a member tries to access that kind of profile, they receive a message saying the creator of the profile only allows friends to see detailed information about them. Such a profile might even be more effective than a detailed profile because it makes the author appear to be security conscious, and it piques the curiosity of the target to find out more about this mystery person who wants to be their friend. Maybe the next bunch of researchers probing Facebook’s vulnerabilities will test that hypothesis.

As the experiment continued, the researchers found that acceptances began to accelerate. They attributed that to the power of mutuality. Once someone accepted a counterfeit profile as a friend, the profile would appear as a mutual friend to all the acquaintances of that someone. If a member receives a friendship request from someone who is friends with someone who is already friends with the member, the researchers discovered that there was a 50 percent chance that the friendship request would be approved.

Once the researchers had a band of followers for their fictive profiles, they posted a link, without any comments, on the walls of the profiles. The link could have led anywhere–to a phishing site, a driveby malware Webpost or any number of dens of maliciousness in cyberspace–but 25 percent of the friends of the profiles followed the link blindly.

If the experiment by these researchers illustrates one thing, it’s that psychology is becoming increasingly important to junco artists, especially those targeting social networks for distribution of spam. Spam and malware companies are actively recruiting people with backgrounds in psychology, University of Akron professor of computer science and chair of the MIT conference Kathy Liszka told Technology Review.

“If we don’t get up on the psychology aspect, we’re going to start losing ground again,” she asserted.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers turn hungry eyes on socnets

A study by security researchers has found that only 14% of Generation Y (adults aged 18-24) rate identity theft as their top security risk.

The company says:

The fact that 18-24 year olds have different attitudes towards security and are much more open about putting their personal details online, heightens their vulnerability to theft.

Cyber criminals are focussing a lot of attention on social media sites because they are such a target rich environment, while at the same time they often have the least security measures in place to prevent their users from becoming victims of an attack.

This  month Facebook users were subject to a massive spam run that sent fake password reset messages to millions of users.  The attack is intended to infect the victim’s computer with a Trojan horse to steal passwords, data, and put the computer under the control of a botnet.

These types of blended attacks are also becoming more personalized, using the information about themselves that people make public, as well as more targeted, as seen in the Google hack in which specific individuals were targeted due to their proximity and relationships with the key people who would have access to the data sought by the attackers.

One security professional writes:

“Obviously, the security risks abound in this area and it is up to security professionals to embrace new working ways whilst still ensuring that organisation’s information is protected.”

So what can organizations do about it?

Identify and Understand

To deal with any risk it must first be identified and fully understood so that effective measures can be introduced to mitigate it.  A thorough understanding of new threats to businesses is the first step to take.

Implement Solutions

Once the risks have been understood the business must take ownership of them.  Instead of relying on third parties like Facebook and Twitter to protect users, implement solutions that will protect your business.

Educate Staff

Technology can only solve a part of the problem.  Completely blocking useful web services that employees rely on for communications could do your business more harm than good.

Instead use a combination of technology and end user education.  Teach employees about the risks that they face when using social networks and other web services, particularly when they are discussing the company or sharing business information.

Just as cyber criminals use blended attacks businesses must use blended solutions that can protect them without removing the valuable ways that new generations are using the web.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Weakest Link is Getting Weaker

Classmates settled with members for $9.5 million.

Millions of netizens hounded every day by spam from Classmates.com must have felt a measure of vindication last week when the company agreed to settle for an estimated $9.5 million a lawsuit leveled against it by its members.

What prompted the lawsuit filed in federal district court in Seattle was Classmates’ practice of sending emails to registered users telling them one of their schoolmates from the past was looking for them. If you want to see who’s allegedly trying to contact you, though, you needed to upgrade your membership to the “gold” level at $39 a year. (Currently, those memberships are being deeply discounted to $9.95) Problem was, after upgrading their memberships, people were finding no one was looking for them at all.

Under the terms of the settlement of the class action lawsuit initially filed in 2008, everyone who upgraded to a gold account after receiving an email enticing them to do so to see  a classmate who signed their “guestbook” has the choice of receiving $3 in cash or a $2 credit when they renew their membership. It’s estimated that could affect an estimated 3.16 million members.

In addition, all paying and non-paying members who have joined the outfit since Oct. 30, 2004 must be offered a $2 credit should they decide to renew or buy a gold account.

What’s more, Classmates must pick up the legal tab for the members who sued it, which amounts to $1.3 million, and will be restricted, through an injunction, for two years on how it can use the term “guestbook” and must clarify how guestbooks at the site work.

As is often the case in these kinds of lawsuits, Classmates did not admit to any wrongdoing as a condition of settling the litigation. “Neither this Settlement Agreement, nor any document referred to or contemplated herein, nor any action taken to carry out this Settlement Agreement, is, may be construed as, or may be used as an admission, concession or indication by or against Defendants of any fault, wrongdoing or liability whatsoever,” the settlement agreement stipulated.

For years, the company has been a consumer complaint magnet. At ConsumerAffairs.com there are 177 pages of gripes, largely about unauthorized credit card charges, about the service dating back to January 2006.

The company has also been linked to three companies engaged in dubious “post-transaction marketing” tactics. Those tactics sometimes offer consumers additional offers as part of the online payment process that squeeze more money from buyers without their knowledge.

The companies–Affinion, Vertrue and Webloyalty–were cited last November in a probe of the practice conducted by a Congressional committee . In that investigation, legislative bloodhounds found that 88 companies made more than $1 million by partnering with Affinion, Vertrue, and Webloyalty, including Classmates.com, which made more than $70 million.

“[T]his Committee has found that the companies we are investigating have figured out very clever ways to manipulate consumers’ buying habits so they can make a quick buck,” U.S. Senate Committee on Commerce, Science, and Transportation Chairman John D. (Jay) Rockefeller IV, D-W. Va., said in a statement.

“Millions of Americans are getting hit with these mystery charges every month,” he added. “We have to do all we can to protect the hard working families relying on us to look out for their wallets and well-being.”

Recently, Classmates’ parent company, United Online, said its agreements with the three companies were being either “terminated or modified.”

Classmates isn’t out of the legal woods yet. Last week, two members sued the company over changes it made to its default settings to make member information more generally available on the Internet. Those changes, the lawsuit maintains, open up members to all kinds of unsavory activities such as identity theft, harassment and stalking. It also asserts that the changes are a breach of the service agreement between Classmates and its members, as well as violate the federal Electronic Data Privacy Act and Washington state consumer protection law.

In recent months, privacy has been a sore point at social networking sites. Changes in the privacy settings used by Classmates’ leading rival, Facebook, set off howls of protest on the Internet.

“These new ‘privacy’ changes are clearly intended to push Facebook users to publicly share even more information than before,” railed Senior Staff Attorney Kevin Bankston in a commentary published at the Electronic Frontier Foundation Web site. “Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Classmates settles spam suit