Facebook spam is more successful than email spam and more lucrative, too. Those were some of the findings in a study performed by an Internet collective of security professionals, according to the Winnipeg Sun.

The findings shouldn’t be too surprising to anyone familiar with Facebook. A problem with email spam is that much of it is anonymous. If a junk message is lucky enough to evade a network’s spam defenses and end up in a recipient’s inbox, it lacks credibility because the recipient has no idea who sent it. A message appearing in a Facebook news stream, on the other hand, has at least a veneer of credibility because it originates from a network of “friends” created by the recipient. Add that to the size of the target pool–500 million active users and counting–and their high activity rate–50 percent of them log on to the network on an given day–and you’ve got an irresistible attraction for spammers.

Unlike their email counterparts, social network spammers don’t need large volumes of dupes to make substantial sums, according to the study. However, it added, Facebook scams have been known to produce hundreds of thousands of clicks once they go viral on the network.

A common scam perpetrated by Facebook spammers involves SMS subscriptions. It works like this. Spam news feeds are used to lure Facebook members to pages where they’re asked to complete surveys or questionnaires. For example, testing one’s IQ in something is a favorite on the service. What’s your baseball IQ, for example, or your World Cup IQ? Once the questionnaire is filled out, the spammer will ask for a cell phone number as a condition of revealing the results of the IQ test to the victim. The number is then used to subscribe the target to an SMS service. Those services send unsolicited messages to a phone on a periodic basis. The target is charged for the message and the spammer gets a cut of that charge.

The problem with surveys and questionnaires, though, is that people flitting the Internet don’t have the patience to fill them out. Clicking a button to indicate one “likes,” or gives a thumbs up to something, barely puts a crimp in a cybernaut’s surfing session. Filling out a survey or questionnaire–not a cherished activity either inside or outside cyberspace–is another matter entirely. When the bloom was first on the questionnaire approach, merely offering results may have been an effective way for spammers to induce guppies to take the hook of a scam in their mouths, but it rapidly lost its efficiency.

Spammers found they had to raise the ante if they wanted meaningful participation numbers in their shenanigans. They began to disguise their intent better by creating fan and group pages. Some of those pages, stripped of their injurious content, have been gathered by a website called bypassfanpages.com. Many of the pages try to attract a target with a tantalizing headline. “10 Secret Tips To Get Any Guy to Ask You Out!” shouts one headline. “OMG! You WON’T believe what this SICK old man put in a 9 year old GIRLS halloween candy!!” screams another containing grammatical errors, a trademark of spammers the world over.

Once they attract potential victims to one of those pages, they offer them various perks, always bogus, to snare them. They may offer free products, some kind of bonus or an enhanced feature set for joining the group, getting others to join the group and finally, for filling out the nefarious questionnaire.

Even those methods, though, are beginning to wear thin with social networkers, the study reported. Its authors discovered that in many cases, while clicks indicating visitors favored a page might be zooming, click-throughs to the content being teased by the page were pallid, as low as a few dozen.

          “That’s good news,” the study said. “Examination of the data demonstrates that fewer and fewer people actually continue on to ’step 3,’ which is filling out the survey.”

“The vast majority of people bail out of the process after simply liking the page, or after sharing the link,” it added.

While the word about Facebook scams spreads quickly, it doesn’t seem to be deterring the scammers, the study noted. That’s because the junko artists still appear to be able to turn a buck with their schemes.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook trumps email for spam success

In newspaper circles, when a correction to a story has to be written, a rule of thumb used by many organizations is to omit the original mistake from the correction. That’s not to eschew embarrassment, although it often works out that way, but to avoid printing the incorrect information twice. Bad information, you see, has a way of sticking to little gray cells when it’s the first to arrive in the information marketplace. Repeating it, even in a correction debunking it, tends to add to its stickiness.

That seems to be the case with the recent hullabaloo over the “dislike” button in Facebook.

Members of the vast Facebook social network have the ability to click a button when they “like” a posting they see in their news feeds, but unlike other websites that solicit mob opinion on their content, Facebookers can’t show their displeasure with what they see on the network. That omission has vexed more than a few of the Facebook faithful, including columnist Dan Tynan.

          “Like many people of an inherently cynical nature, the fact Facebook only allows you to express your ‘Like’ on various topics, posts, and advertisements irks me,” he wrote. “I know I’m not alone, and so do Facebook scammers, which is why the latest viral ‘Dislike button’ scam has spread so quickly.”

As many popular scams begin on Facebook, a member sees a message with an enticing pitch. In this instance, it was “I just got the Dislike button, so now I can dislike all of your dumb posts lol!!” or “Get the official DISLIKE button NOW!” Included with the message is a shortened URL, so victims don’t know where they’re going when they click on it.

Clicking on the short URL in the Dislike message displays a screen for installing the Dislike Button. When members attempt to install the feature, they’re asked to give their permission to allow the app to access their basic information, post to their “walls” and access their data at any time, which pretty much opens the door to the chicken coop for the foxy spammers.

Once they have access to your Facebook information, the spammers use the member’s information to promote–under the member’s name–the Dislike Button to all the member’s friends.

Meanwhile, the member still doesn’t have a Dislike Button. Before he or she gets the button, they must fill out a survey, which makes the scammers some cash. After finishing the survey, the member is sent to a website where they can install a browser add-on called Dislike Button. The app began as a Firefox add-on, but now it can be downloaded as a executable file that will work with Chrome, Internet Explorer and Opera. Support for Apple’s Safari browser is in the works.

What got lost in all the hubbub about the scam, though, was the fact that the Dislike Button is a legitimate add-on. Its makers, FaceMod, were being victimized by the scammers as much, if not more, as Facebookers clicking on the URL in the fraudster’s pitch message. Unfortunately, the maker’s message was lost in the digital din that erupted when the scam was revealed by a malware fighting firm.

          “Recently, the Dislike Button has been mentioned in several articles, blogs and tweets, in conjunction with a scam, which silently sends the link to users’ Facebook friends, and requires the user to then take an online survey, which makes money for the scammers,” FaceMod wrote on its website. “Due to the high demand for the Dislike Button,” it continued, “unaffiliated people and/or groups are attempting to monetize FaceMod’s products by re-directing to online surveys. FaceMod does not require a user to fill out a survey, is not affiliated with this Scam and urges users to avoid unofficial posts.”

For the sake of clarity, FaceMod’s add-on only works with other Facebook members who have installed the app in their browsers. In other words, if you click “dislike” and the person who posted the item you disapprove of doesn’t have FaceMod’s software installed in their browser, they won’t see your thumbs down.

Initially, FaceMod sent a message to a person when a user of its app gave the thumb’s down to an item, but it removed that feature–although the company’s website still says it’s there–after receiving complaints from people who received what could be interpreted as spam messages announcing they’d been “disliked.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The curious case of the Facebook Dislike button

Trust to spammers is like blood to a tick.

If a spammer can get a target to trust them, then they’re 90 percent home in completing their manipulative mission. That’s why spammers have increased their activity on social networks. A member of a socnet is much more likely to trust a message from a “friend” than they would an email with dubious origins.

But frequently socnetters aren’t very careful whom they befriend, as some anti-spam researchers discovered with an experiment aimed at Facebook, which has about five percent of the world’s population in its membership.

The researchers, who presented their findings at the MIT Spam Conference held in Cambridge, Mass. recently, explained how they enticed Facebook members to blithely accept perfect strangers to enter their inner circle of acquaintances on the social network.

The group, led by George Petre, of BitDefender, began their experiment by setting up bogus profiles on Facebook. The profiles fell into three categories. One had very little information about its subject; another had a little info on its fake creator; and the third had detailed data in it.

After setting up the profiles, the researchers used them to join popular groups on the service. A group can be created around almost anything–a TV show, a celebrity, a company, a product and such. Once nested in a group, the boffins started sending out friend requests to its members, hoping the credibility of the group would rub off on those requests.

According to the researchers, Facebook groups are a popular target for spammers. For example, following the earthquake earlier this year in Haiti, a group was formed that claimed Facebook would donate a sum of money to relief efforts for every person that joined the group. Two million members joined the group before Facebook discovered the scam and shut it down. Meanwhile, the group was used to spam the people joining it.

Within 24 hours, the researcher’s scam began to bear fruit. As might be expected, the more information included in the phony profile, the better the response to its request for fellowship. For the skimpy profile, the researchers received 85 acceptances from members; for the moderate profile, 108; and for the detailed one, 111.

Occasionally, members would message the researchers asking for additional information about the fictitious person requesting friendship. Although the researchers ignored those messages, many of those correspondents approved the friendship request anyway.

Social networks typically have messaging systems that allow their members to communicate with each other privately. Facebook has such a system, and it scrutinizes the traffic in it. But, the researchers found, the filters applied to that traffic seemed better suited for identifying phishing attacks than catching spam.

We don’t know how familiar the researchers were with Facebook’s workings, but there’s another kind of profile that would have been interesting to test. It’s one where the maximum security settings are applied to the profile. When a member tries to access that kind of profile, they receive a message saying the creator of the profile only allows friends to see detailed information about them. Such a profile might even be more effective than a detailed profile because it makes the author appear to be security conscious, and it piques the curiosity of the target to find out more about this mystery person who wants to be their friend. Maybe the next bunch of researchers probing Facebook’s vulnerabilities will test that hypothesis.

As the experiment continued, the researchers found that acceptances began to accelerate. They attributed that to the power of mutuality. Once someone accepted a counterfeit profile as a friend, the profile would appear as a mutual friend to all the acquaintances of that someone. If a member receives a friendship request from someone who is friends with someone who is already friends with the member, the researchers discovered that there was a 50 percent chance that the friendship request would be approved.

Once the researchers had a band of followers for their fictive profiles, they posted a link, without any comments, on the walls of the profiles. The link could have led anywhere–to a phishing site, a driveby malware Webpost or any number of dens of maliciousness in cyberspace–but 25 percent of the friends of the profiles followed the link blindly.

If the experiment by these researchers illustrates one thing, it’s that psychology is becoming increasingly important to junco artists, especially those targeting social networks for distribution of spam. Spam and malware companies are actively recruiting people with backgrounds in psychology, University of Akron professor of computer science and chair of the MIT conference Kathy Liszka told Technology Review.

“If we don’t get up on the psychology aspect, we’re going to start losing ground again,” she asserted.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Spammers turn hungry eyes on socnets

The end user is the weakest link in the security chain, and as new generations enter the workforce the awareness of security risks decreases.

A study by security researchers has found that only 14% of Generation Y (adults aged 18-24) rate identity theft as their top security risk.

The company says:

The fact that 18-24 year olds have different attitudes towards security and are much more open about putting their personal details online, heightens their vulnerability to theft.

Cyber criminals are focussing a lot of attention on social media sites because they are such a target rich environment, while at the same time they often have the least security measures in place to prevent their users from becoming victims of an attack.

This  month Facebook users were subject to a massive spam run that sent fake password reset messages to millions of users.  The attack is intended to infect the victim’s computer with a Trojan horse to steal passwords, data, and put the computer under the control of a botnet.

These types of blended attacks are also becoming more personalized, using the information about themselves that people make public, as well as more targeted, as seen in the Google hack in which specific individuals were targeted due to their proximity and relationships with the key people who would have access to the data sought by the attackers.

One security professional writes:

“Obviously, the security risks abound in this area and it is up to security professionals to embrace new working ways whilst still ensuring that organisation’s information is protected.”

So what can organizations do about it?

Identify and Understand

To deal with any risk it must first be identified and fully understood so that effective measures can be introduced to mitigate it.  A thorough understanding of new threats to businesses is the first step to take.

Implement Solutions

Once the risks have been understood the business must take ownership of them.  Instead of relying on third parties like Facebook and Twitter to protect users, implement solutions that will protect your business.

Educate Staff

Technology can only solve a part of the problem.  Completely blocking useful web services that employees rely on for communications could do your business more harm than good.

Instead use a combination of technology and end user education.  Teach employees about the risks that they face when using social networks and other web services, particularly when they are discussing the company or sharing business information.

Just as cyber criminals use blended attacks businesses must use blended solutions that can protect them without removing the valuable ways that new generations are using the web.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

The Weakest Link is Getting Weaker

Classmates settled with members for $9.5 million.

Millions of netizens hounded every day by spam from Classmates.com must have felt a measure of vindication last week when the company agreed to settle for an estimated $9.5 million a lawsuit leveled against it by its members.

What prompted the lawsuit filed in federal district court in Seattle was Classmates’ practice of sending emails to registered users telling them one of their schoolmates from the past was looking for them. If you want to see who’s allegedly trying to contact you, though, you needed to upgrade your membership to the “gold” level at $39 a year. (Currently, those memberships are being deeply discounted to $9.95) Problem was, after upgrading their memberships, people were finding no one was looking for them at all.

Under the terms of the settlement of the class action lawsuit initially filed in 2008, everyone who upgraded to a gold account after receiving an email enticing them to do so to see  a classmate who signed their “guestbook” has the choice of receiving $3 in cash or a $2 credit when they renew their membership. It’s estimated that could affect an estimated 3.16 million members.

In addition, all paying and non-paying members who have joined the outfit since Oct. 30, 2004 must be offered a $2 credit should they decide to renew or buy a gold account.

What’s more, Classmates must pick up the legal tab for the members who sued it, which amounts to $1.3 million, and will be restricted, through an injunction, for two years on how it can use the term “guestbook” and must clarify how guestbooks at the site work.

As is often the case in these kinds of lawsuits, Classmates did not admit to any wrongdoing as a condition of settling the litigation. “Neither this Settlement Agreement, nor any document referred to or contemplated herein, nor any action taken to carry out this Settlement Agreement, is, may be construed as, or may be used as an admission, concession or indication by or against Defendants of any fault, wrongdoing or liability whatsoever,” the settlement agreement stipulated.

For years, the company has been a consumer complaint magnet. At ConsumerAffairs.com there are 177 pages of gripes, largely about unauthorized credit card charges, about the service dating back to January 2006.

The company has also been linked to three companies engaged in dubious “post-transaction marketing” tactics. Those tactics sometimes offer consumers additional offers as part of the online payment process that squeeze more money from buyers without their knowledge.

The companies–Affinion, Vertrue and Webloyalty–were cited last November in a probe of the practice conducted by a Congressional committee . In that investigation, legislative bloodhounds found that 88 companies made more than $1 million by partnering with Affinion, Vertrue, and Webloyalty, including Classmates.com, which made more than $70 million.

“[T]his Committee has found that the companies we are investigating have figured out very clever ways to manipulate consumers’ buying habits so they can make a quick buck,” U.S. Senate Committee on Commerce, Science, and Transportation Chairman John D. (Jay) Rockefeller IV, D-W. Va., said in a statement.

“Millions of Americans are getting hit with these mystery charges every month,” he added. “We have to do all we can to protect the hard working families relying on us to look out for their wallets and well-being.”

Recently, Classmates’ parent company, United Online, said its agreements with the three companies were being either “terminated or modified.”

Classmates isn’t out of the legal woods yet. Last week, two members sued the company over changes it made to its default settings to make member information more generally available on the Internet. Those changes, the lawsuit maintains, open up members to all kinds of unsavory activities such as identity theft, harassment and stalking. It also asserts that the changes are a breach of the service agreement between Classmates and its members, as well as violate the federal Electronic Data Privacy Act and Washington state consumer protection law.

In recent months, privacy has been a sore point at social networking sites. Changes in the privacy settings used by Classmates’ leading rival, Facebook, set off howls of protest on the Internet.

“These new ‘privacy’ changes are clearly intended to push Facebook users to publicly share even more information than before,” railed Senior Staff Attorney Kevin Bankston in a commentary published at the Electronic Frontier Foundation Web site. “Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Classmates settles spam suit

British ISPs have reacted strongly to the suggestion of Trend Micro CTO David Rand that the ISPs should actively combat the problem of spam on the internet.

Rand’s suggestion is the blocking of TCP port 25 (the port used for SMTP, or email, communications between servers on the internet), making contact with customers who they suspect may be the source of spam outbreaks, as well as stronger government legislation.

The legislation idea has merit, after all the lack of cooperation between government agencies is how many international spam operations manage to go unpunished.  The blocking of SMTP on the other hand is impractical and costly to implement, both from a technical and a service perspective.

The basis of the idea is this.  Customers send mail using SMTP, therefore by blocking SMTP and requiring that customers send mail via the ISP’s mail servers allows close monitoring of email traffic and detection of spam.

The solution is problematic though because many ISP customers, both home users as well as businesses, have perfectly good reasons to not send their email via their ISPs mail servers.  These customers would need to be unblocked from using SMTP, and hence cannot be closely monitored.

The monitoring itself also presents two problems – firstly customers object to having their email correspondence inspected by other parties including their ISP.  Secondly, any false positives could have disastrous consequences if important emails were blocked.  ISPs do not want the exposure to liability if they block an email that results in monetary loss for the sender or recipient.A serious issue is also that of costs.  A higher email load combined with more thorough monitoring means more costs to the ISP for servers and software to do those jobs.  The human resource costs also increase, both in the management of the systems as well as the teams who need to contact and support customers who are suspected of sending spam.

Although email is currently the largest source of spam on the internet there are other forms of spam that are quickly becoming very common that would not be addressed by this solution.  Social networks such as Facebook and Twitter have become rich hunting grounds for spammers and phishers who are able to target victims with highly personalized attacks thanks to the open nature of these networks.

In a world where ISPs block spam email from customers the focus of botnets would simply shift to exploiting social networks and identity theft for the same outcomes.  Because these networks run simply as interactive websites they become impossible to block at the protocol level, and blocking them on a site by site basis would immediately outrage customers.

The British ISP heads who commented are correct in their view that businesses and email administrators need to take the responsibility of blocking spam that is sent to them, rather than expect ISPs to do all the work for them.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

ISPs Don’t Want to be Spam Cops

Business Week reports that a study by researchers in New York reveals that as many as one in five young, overweight people have been a victim of email spam.

The study revealed some interesting statistics:

• 88% of overweight individuals reported receiving spam pitching weight loss products, compared to 73% of other respondents
• 42% of overweight individuals said they opened the spam, compared to 18% of other respondents
• 18% of overweight individuals said they bought products promoted in the emails, compared to just 5% of other respondents

Firstly why do overweight people receive more weight loss spam?  One theory is that these people are visiting more web sites on that topic than other people, and therefore end up in marketing databases.  This means that the spam is either coming from the website owner, or another party that is given access to the database of email addresses.  This access may be either from selling the list or by using co-registration, which is a legitimate lead-sharing strategy that is often abused by spammers.

For any email marketer a 42% open rate is outstanding.  It means that the subject line for the email was very effective at enticing the recipient to open the email and read more.

For a spammer sending 1,000,000 emails 42% open rates do not mean 420,000 people opened them.  Most of those recipients will never receive the spam due to anti-spam protection on their email server or their computer.  But even a 1% penetration could mean several thousand people open the email.

Finally the conversion rate for overweight people is very good at 18%.  Several hundred conversions of a weight loss product likely to cost $50-$200 is a good day’s pay for the spammer.

So what does this tell us about why spam works?  Well like any form of marketing with more accurate targeting comes higher conversions.  Valentines Day spam converts better in January/February, and Christmas spam converts better in November/December.

Interestingly the statistics above are only for email spam.  This type of spam is the most common and is still quite easy to accomplish (for example by requiring an email address submission before revealing the “25 Amazing Weight Loss Tips for 2010”).  Spam is perceived as a big problem and yet email addresses are perceived as low value and are quickly given up.

But the last few years have seen a strong emergence in other types of spam such as in social networks, where the targeting is much easier for spammers because of how much information we make public about ourselves.

Consider how easily a spammer can send messages to people who post “I want to lose weight” on Twitter as a new year’s resolution, sending them a link to those “25 Amazing Weight Loss Tips for 2010” so as to capture their email address.  Or how easily single women aged 35-45 can be targeting with a Facebook ad for weight loss, leading to a female-focused website, and then female-focused follow up email messages.

More accurate targeting means higher conversions.  So why does spam work?  Because we give spammers everything they need to know to make it work.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Weight Loss Scams Reveal Why Spam Works

New Koobface variant exploits holiday spirit.

Malware miscreants have traded their black hats for Santa hats with their latest escapade targeting the 350 million member Facebook community.

Security experts have spotted a new variation of the Koobface worm that gives its prior social engineering techniques a holiday twist to lure Facebook users into its wicked web.

The new variant, Koobface.GK, posts a link to a Christmas video on the message wall of a Facebook user. When a social networker clicks the link, he or she is taken to a bogus video player. Clicking the play button on the spurious application produces no video, but it does download the worm to the clicker’s computer.

The malware then produces a captcha screen that threatens to shutdown the user’s computer if the captcha form isn’t filled out within three minutes. When the captcha form is filled out, the shutdown message appears again. Each time the form is filled in, a new domain is registered where infected files will be hosted. In that way, the worm propagates itself.

If a target decides not to act within three minutes, nothing will happen. However, his or her computer will become unresponsive. According to White Hats, a clean install of Windows isn’t needed to recover control of a computer infected with the worm. Presumably, the problem could be eliminated by pulling the power plug on the machine and rebooting into a state where a virus scan could be conducted on the computer or the box could be restored to a point before it was infected.

This latest Koobface attack shouldn’t surprise anyone as Christmas has always been a prime time for Internet bandits. The Zafi.D worm, for example, was introduced in 2002 and is still making the holiday rounds clandestinely opening ports on computers and downloading malware. Other Christmas suprise packages include MerryXA, which contained a malicious attachment that installed a keystroke logger designed to steal personal information from its victims, and the Navidad family of worms also distributed through email.

To avoid infection from the likes of Koobface, Malware fighters are cautioning computer users not to click on links from dubious sources. There’s a problem with that advice, though, when it’s applied to social networks. When something is posted to a Facebook wall or message arrives under the guise of a message from Facebook, it may very well appear to originate from a trusted source.

Another precaution recommended by security experts is to eyeball the link to determine its validity. For example, if a Facebook URL contains a .ru domain, it might not be on the level. On the other hand, links can be hidden behind plain English labels or worse, be in a shortened format that’s inscrutable to the eyeball test. If the short URL appears in Firefox, there are tools that will expand  the Web address or preview the link without clicking it.

Of course, it’s also a good idea to be very careful when you’re solicited online to download software.

Koobface surfaced this summer working the video angle on Twitter users. “Tweets” were sent to members of that network containing the message “My Home Video” and a link. It also tricked Facebook users by creating some very convincing facsimiles of that social network’s service pages. As word spread about the worm, it began adopting subterfuge to avoid detection. It started altering its payloads automatically inserting into them text like Ha-Ha-Ha, WOW, LOL and OMFG, and it commenced using short URLs.

In response to the new found interest by cyber criminals in their services, Twitter and Facebook have made efforts in recent weeks to tighten up their security, but their efforts aren’t moving fast enough for some concerned netizens. A group of Swedish students hijacked hundreds of Facebook groups last month to expose just how insecure the service is. The posse, calling itself Control Your Info, exploited a design flaw in the social network to conduct its shenanigans. It seems that if an administrator leaves a Facebook group, anyone in the group can assume the throne. Control Your Info members joined groups without administrators and announced to their members in a message.

“Hello,” the message began, “we hereby announce that we have officially hijacked your Facebook group.”

“This means we control a certain part of the information about you on Facebook,” the message continued. “If we wanted we could make you appear in a bad way which could damage your image severly [sic].”

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

New Koobface worm duping Facebook users

Black Hats are finding social networking sites attractive targets for mischief.

As social networks like Facebook, MySpace and Linked-in have gained popularity among Web surfers, they’ve also attracted the attention of the Internet underworld. That’s because the likelihood of infecting a computer with malware distributed through a SocNet is much better than conventional email methods. How much better? Some security experts reported earlier this year that infection success rates were as high as 10 percent for malicious code circulated through a social network. That’s 10 times the infections that could be expected from an email spam campaign.

As Black Hats have turned their attention to SocNets, they’ve begun experimenting with going beyond exploiting the sites for distribution of bad apps and using the webposts for activities such as issuing commands and controlling the operation of botnets.

Just last week, security researchers uncovered a Trojan, dubbed Whitewall, that could use Facebook to coordinate its nefarious deeds. The sinister software is circulated by exploiting known vulnerabilities in Adobe Acrobat and Microsoft Office files. The documents look legit. They may look like communications from courier companies or headlines from news media.

The malware targets the mobile version of Facebook. It receives its marching orders by reading the notes section of that program. If a note contains the title “Wells,” it will contain a timestamp for when a machine is infected. If it’s “WebServer,” the app will execute a URL contained in the note from which it will receive commands. If the title is “White,” the Trojan will follow a URL to a site from which it will download a pernicious payload. If any other words are in the title, the software will do nothing and wait for further instructions.

At this point, White Hats say, the Trojan hasn’t infected a significant number of computers. Its discovery, though, may be important because it may be a proof of concept for hackers mulling ways to use SocNets as command and control servers.

Social networks have also been exploited for more conventional cracker attacks. At the end of October, for instance, more than 350,000 spam mails flooded inboxes claiming to be from Facebook. It told its  recipients that their Facebook password had been changed and instructed them to click on an attachment to obtain their new one. The attachment contained malware that turned its host into a zombie on a botnet.

The Facebook password con is just one example of how info highwaymen are leveraging the reputation of SocNets to spread their mischief. Not only are users more apt to engage in insecure behavior when they receive spam masquerading as email from one of their favorite social networks, but spam filters are less likely to scrap the correspondence before it reaches its target. For example, in a recent ethical phishing  experiment, a charade purporting to be from LinkedIn evaded all the anti-spam filters it was tested against.

The message concocted by the researchers was a mock invitation from Bill Gates, of Microsoft fame, to join his network on LinkedIn. LinkedIn was chosen because it’s known and trusted among many professionals and as such, mail originating from it would be recognized by many corporate email systems. As is typical in this kind of scam, the link in the email leads the user to a site that mimics a legitimate  LinkedIn page, but information collected in the forms at the site is sent to Black Hats. The campaign had a 100 percent success rate, with none of the malevolent mail being filtered out by the target system’s spam filters.

The simple solution to foiling cyberbandits milking the popularity of social networks for their own odious ends would be to shut down network access to such sites. That, however, may not only be an ineffective solution, but an insecure one as well. Younger workers expect to have access to their social networks from work. Failure to meet those expectations could affect a company’s ability to attract the kind of talent it needs to be competitive in its industry. Moreover, shutting down access to SocNets will only drive usage underground where it will open up potential security breaches in a corporate network. A better solution would be to allow access to social networks but carefully monitor    and regulate their use, as well as educating employees about “best practices” when using SocNets in the workplace.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Why social networking spam reaps more rewards than email

Last month I joined a new discussion forum.  The owner of the forum decided to charge members a monthly access fee of $1.95.  I gladly subscribed because the value of the forum far outweighs the membership cost.

Now several weeks later and with thousands of members joining the forum I realize the biggest benefit of the membership price – there is no spam.

For the average internet user everything they do online is free.  After they have paid for a computer and an internet connection from an ISP most people will not pay another cent for any of the intangible experiences that the internet has to offer.

Thousands of popular websites offer streaming videos, games, instant messaging and social networking without charging a cent for access.  Email is the ultimate free communication medium, costing nothing to acquire and use.  These services all attract spammers.

Free online services face a difficult challenge in preventing spam.  Their users want free access, but also resist overt monetization efforts by the website owner.  And yet without a revenue stream the websites can’t afford to invest heavily in security and support.  Without the money to fund a developer focus on proactive spam prevention, and a support team to handle reactive spam prevention, the spammers have a large window of opportunity to exploit these free services for their own gains.

The fallback monetization strategy for most of these websites is simple advertising.  MySpace added advertising early on.  YouTube is slowly introducing advertising models to support their massive infrastructure costs.

Facebook’s advertising system has an ironic twist – spammers can indirectly exploit the system by using free Facebook apps and games to gain access to users’ profile information, then use that information to personalize advertisements and target them more closely to certain demographics.  These advertisements are often unethical – for example targeting 15 year old girls to sign up their mobile phone (paid for by their parents) to a ringtone subscription service in order to earn more points to use within a popular Facebook game.

The irony is that so much money is made by the advertiser, who in turn pays fees to Facebook, that the spammers are largely responsible for generating the revenue streams that make it more feasible for Facebook to invest more in security and spam prevention.  Would this problem exist if services such as Facebook were not free?

This idea meets with a predictably mixed response.  A decade ago people my age spent money every month in phone calls and postage stamps communicating with our friends and family.  These days we do it for free online, but the concept of paying for this service is not out of the question for most.

Younger generations are more used to the idea of instant, global communication at zero cost.  Paying for such access seems ludicrous, despite the obvious irony that many of them spend hundreds or thousands each year on computers, internet access and mobile phones to make use of the free services.

A monthly or yearly fee would no doubt lower the signup rate for these websites.  Would Facebook have 350 million users today if each had to pay $30/year?  Not likely, especially if free alternatives (even lower quality ones) existed.  Would they prefer to have 1/100^th of the users if it meant a consistent revenue stream and more secure experience?  Probably not.  Success online is measured in eyeballs not dollars.

Would charging for Facebook or Twitter accounts solve the spam problem on the internet?  Not completely.  For the spammer the target audience is perhaps much smaller, but the ultimate free spam vector – email – still remains available to them.  Only now the attacks are easier.

Consider the success of bank phishing scams.  The emails are effective because they play to the fears of the victims – that their hard earned money may be in jeopardy if they do not take the action the spammer asks them to (e.g. verify their account password because of a recent suspicious transaction).

When you attach a value to something it makes phishing that much easier.  Losing your free Facebook account is a minor inconvenience.  Losing your paid Facebook account is a blow to the hip pocket.  Just like the bank phishing email for a specific bank, although the Facebook phishing scam would reach fewer actual Facebook users but each would be more likely to fall for it because of the higher value of the account.

As long as email is free spam will exist.  A spammer doesn’t need access to Facebook, free or paid, to exploit the popularity of the service in order to trick victims into giving up their account passwords or installing malware on their computer.  All they need is the ability to send email, which comes at a cost so close to zero that almost any level of success can lead to a positive ROI.

This ultimately means that the responsibility for preventing spam rests with businesses and end users.  You must take ownership of the risks and protect yourself instead of waiting for free online services to deliver protection for you.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Would Spam Exist if the Internet Wasn’t Free?

Facebook announced on Thursday that it has won its lawsuit against notorious spammer Sanford Wallace. A judge in San Jose, CA awarded the site a $711 million judgement, the second largest in history to be awarded under the CAN-SPAM Act.

“While we don’t expect to quickly collect the full amount, we’ll work hard to get everything we can,” Simon Axten, a privacy and public policy associate at Facebook, said in a statement.

The suit was filed in February and accused Wallace and his accomplices Adam Arzoomanian and Scott Shaw of running a spamming and phishing scheme on the site. The trio sent messages to Facebook members that contained links leading to malicious sites that stole their login info. They used that info to spam everyone on the compromised account’s friends list. In addition to the hefty judgement the three spammers face possible prison sentences.

Wallace is no stranger to the legal system. MySpace won a $234 million judgement against him last year and in the last decade he has been sued by AOL, CompuServe, Earthlink and many other ISPs. He usually ignores the suits and refuses to show up in court. Earlier this year he filed for bankruptcy to avoid MySpace’s attempts to collect their judgement.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Wins Suit Against Spammer

The Sydney Morning Herald reports that a South Australian woman became a victim of identity theft when her Facebook account was taken over by hackers.  The hijacked account was then used to send messages to her friends saying that she was stranded overseas after being robbed and requested that money be wired to her to help her get back home.

The victim became aware of the hijack only after a friend phoned her from Singapore to verify the story.  This was unfortunately too late for one other friend who had already wired $1000 to the scammers.

This type of phishing scam occurs all too often on free social networking services due to several combined factors.Firstly weak passwords are an easy attack vector for hackers.  Most social networks do not require strong, complex passwords, and the perceived risk to most regular people is very low.  Where a person might consider their online banking password to be important and worthy of complexity, the password they choose for a fun social networking service just needs to be easy to remember.

Compounding this problem is weak password recovery systems.  These are often based on questions such as “What is your pet’s name?“, information that many people readily reveal about themselves online.

The hackers were also able to change the account’s password and email address, preventing the victim from recovering the password herself.  Stronger authentication systems will require the account holder to click a link in a verification email before allowing such important changes, which would have notified the victim of the hacking attempt as well as thwarting the email address change by the hackers.

Along with the weaknesses in social network backend security the nature of the networks themselves makes them ripe for these types of phishing scams.  Messages from friends come with a higher perception of trust than messages from strangers, lowering our usual threat awareness level.

The hackers can also target their messages more effectively by analyzing the personal information that people reveal to their online friends.  Spam messages can be crafted around people’s listed interests and recent conversations.  For example, if I were to ask my online friends for recommendations for my wife’s birthday a spammer who has hijacked one of my friends’ accounts could send me links to counterfeit perfume websites.  Again this message would carry a much higher perception of trust being from a friend, but also would tap into an interest or desire that is on my mind at the time.

The last and possibly most frustrating element of this particular incident was the support that the victim received from Facebook.  Customer service for free online services is, unsurprisingly, not very prompt.  With no phone numbers to call and only an email address to send abuse reports to (which no doubt is a very long queue of both valid and frivolous complaints) the victim was unable to rapidly recover her account to prevent further scam attempts on her friends.

This is basic social engineering at play, building trust and using targeted scams to improve success rates.  Social networks are yet another vector for hackers to perform these types of attacks, and an effective one too.  And unlike a bank who will absorb customer losses from fraud, social networks leave the victims completely exposed to these risks.

Be on the alert for unusual requests from your online friends that might be scams in disguise, and always attempt to verify them using other means such as by telephone.  And always protect your own accounts with strong passwords and secret password recovery answers.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Facebook Friends Lead to Big Money Scams

On Thursday Facebook shut down six rogue apps that were attempting to steal personal info from its users. Within hours after the apps, called “Streams”, “Posts”, “Your Photos”,  “Birthday Invitations” , “Inbox (1)” and “Inbox (2)”, were shut down, five new ones appeared. Those apps, called “Friends”, “Friends Gifts”, “Matching”, “Pok” and “Your Photos”, where also shut down.

When the fake notifications generated by the apps were clicked, users were asked to log in with their FB username and password. This information was transmitted to a remote server. At the same time, the app spammed everyone on the user’s friends list with the same fake notification they clicked on.

Rogue apps have been a constant issue on Facebook. Since the site doesn’t require anything more than an email address in order to be given the developer tools needed to create apps, and doesn’t have an app approval process in place, it’s very easy for scammers to get access to the hundreds of millions who use Facebook.

It’s not yet known if the same person/group is responsible for all 11 apps.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Rogue Apps Unleash Phishing Attacks on Facebook

A new study says phishing scams make up 7% of all spam sent and that on average, 55,000 people a month fall for them and give up their personal info. Social networks such as Twitter and Facebook are an increasingly popular target for phishers. Twitter has been hit by two phishing attacks lately. One, the Twitter Porn Name scam, claimed to be a seemingly harmless game where Twitter users were told to put the name of their first pet with their mother’s maiden name and/or first street they lived on to get their “porn name” and then tweet it. Those particular pieces of information are gold to a phisher because they are the answers to the questions most websites ask when a user needs to retrieve or change their password. The second scam was the TwitViewer scam. Users got a tweet inviting them to check out the TwitViewer site to find out the last 200 people who visited their Twitter profile. The site asked for their Twitter name and password. Once entered the visitor was shown a screen full of thumbnails that claimed to be those of the last 200 people that had visited their profile. They weren’t, they were just random people, and the visitor found their account spammed everyone they were following and Twitter at large with the same invite they had responded to, and if they clicked on any of the thumbnails their account automatically followed them. Twitter claims to be working on tightening security but their recent roll out of their new URL blocking system shows they have a long way to go.

Phishing attempts in email are still rising as well. Most of these attacks target banks and other financial institutions; in fact the top 2 targets of phishing attempts between January and June of this year were Bank of America and Paypal. While in the past phishing emails and the fake sites they lead to could be easily spotted due to their extremely poor grammar and sloppy formatting, experts are finding that more recent phishing attacks have shown a sharp rise in attention to detail with nearly perfect layouts and error-free grammar. Of course they still can’t hide the true destination of their fake URLS though. Hover your cursor over the link (don’t click) and the real URL will be revealed in the information bar.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Study Finds Phishing Scams Fool Over 55,000 a Month

The first electronic spam that many businesses ever encountered came via email.  Before that spam was only in the form of “junk mail” delivered by post or received by fax.  Although a minor annoyance most pre-electronic spam was fairly harmless.  Rarely was a piece of junk mail intended to be malicious or an outright scam (beyond a normal degree of outlandish marketing hype anyway).

As email became a crucial business tool the spam problem rose rapidly to become the major problem it is today.  Regular research is released that puts spam at over 90% of global email traffic.  Despite this not every business takes it seriously enough to actually do something about preventing it.  Those that do will implement a quality anti-spam solution for their email and continue about their business hopeful that it will protect them from those on the internet with malicious intent.

However as the web evolves new spam threats have emerged that also need to be considered by businesses.

Email Spam

Email spam is a continually shifting landscape of new threats as spammers develop new techniques.  For example, spammers have gone from putting spam content in emails, to putting it in file attachments, to putting it in password-protected file attachments, to putting it in image files, to putting it on web pages that they link to, each technique intended to keep them a step ahead of anti-spam vendors and the protective measures built in to their products.

Spammers have used, and continue to use, home PCs on broadband connections that have been compromised by viruses.  When these don’t work thanks to RBL providers such as Spamhaus, they turn to free webmail services and simply break through the CAPTCHAs that are in place by breaking their algorithm or simply paying people in developing countries to manually enter the CAPTCHAs for them.

This continually evolving threat highlights the need to deploy serious protection for email spam.  A “bits and bobs” solution cobbled together from separate free components will not have the effectiveness of a comprehensive, integrated anti-spam product from a vendor committed to ongoing support and protection for new threats.

Social Networking

The emergence of social networking has changed business communication forever.  Although email remains critical to businesses more and more we see interaction occurring outside of email using social networking services such as Facebook and Twitter.  Staff may be using social networking only for personal use, but business use is also becoming common.

The threat posed by social networking is that messages will not be scanned or filtered by an email anti-spam solution. This leaves users open to phishing attempts and scams.  Although web filter technology can be used to simply block these services entirely, that makes them unavailable for genuine business use.

A better solution is one of user education.  Although social networking fosters close relationships with people around the world the same level of suspicion should be applied to social networking interactions as it is to email.

URL Shortening Services

The explosive popularity of Twitter has lead to an equal explosion in the use of URL shortening services.  These services convert a very long URL into a much shorter one, making them perfect for the limited space available in a Twitter post.  Because of this their use is spilling over to other social networking services, and also being used in emails.

The problem presented by these services is it disguises the true destination of the URL, which can thwart content filters that check for URLs for domains with a reputation for spam.  I was recently working at a customer site where all such URL shortening services were outright banned, which is a short sighted approach to the problem.  Given that the URL redirects the browser to the real destination, and that destination is still accessed via the same web proxy, the proxy could still apply URL filtering to the ultimate destination.

Rather than viewing URL shortening services as the problem, a better solution is to ensure that all web traffic is subject to URL filtering that will block known malicious websites.  This makes web filtering part of an overall anti-spam solution, by protecting users from malicious short URLs sent via email or over social networks.

Free File Hosting

Terry Zink of Microsoft recently considered the problem of free file hosting services and who is responsible for scanning the content stored in them for viruses.  The spam problem here is an email saying “Check out this important file…” which links to a malicious file at a free hosting service run by an otherwise trusted and reputable web company.

He makes a good point but businesses don’t need to wait for the problem to be sorted out by the providers, nor do they need to be blocked entirely which deprives users from making genuine use of them.  Instead the same approach can be taken as for URL shortening services.  By utilising web filtering that scans file downloads the threat can be greatly reduced.

Comprehensive Strategy

As new threats emerge it demonstrates a need to consider spam prevention not just in respect to email, but for all online interactions that our end users might engage in.  With a combination of email protection, web filtering, and end user education a business can be protected from these threats as they evolve.

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Dealing With New Spam Threats to Business

Yesterday I experienced quite a scare.  Several client social networks I created and maintain all had fake member registration forms filled out. I immediately identified each registration as spam. Luckily all registrations must be manually approved by the administrator.  I found this to be a very sophisticated spam attack. In each instance the spammer even uploaded a required picture of a pretty girl.  The registration form field entries each had the same entry of “I’ll tell you later”.  This indicates an automated spam machine was used. The different email addresses entered all used the malinator.com domain.  All the social network administrators have been notified to be on alert.

With account registration moderation in place, the scenario above is a more controlled environment. So spam infiltrations are much harder to achieve. More mainstream popular social networks, like Facebook and Twitter, do not moderate registration. So spammers can slip in very easily to target legitimate members.

As mentioned in a previous article “Belated Spam Predictions“, spammers will continue to phish social networks, but use more sophisticated approaches. The goal is to collect not only personal information, but also retrieve information surrounding a person’s inner circle of friends and associates.

Continue to educate your email users to be prudent about information entered into their social network profiles. People must be more vigilant about the nonchalant acceptance with the comfort and trust in entering all types of information about themselves on social networking sites.

A balance must be created between personal branding or making networking connections, while keeping your personal information safe. If a phishing spammer gets to you, that means your friendship connections are also at risk.

It may seem innocuous to share your favorite books or movies on your profile. How about providing your real birth date as opposed to making yourself 10 years older or younger? So what, if you receive those automated or personal friend birthday wishes on the wrong day. At least you make your personal identification information safer. Your hobbies and interests may seem like it’s not a big deal. The more profile information you share, just makes it that much easier for cyber criminals to assume your identity. The more personal information shared, the higher the chances another person can become YOU to get closer to scamming your friends.

The next time you receive a “heart” invitation, a virtual “drink” or a “birthday” card from a friend on Facebook, look closer at the safety message displayed. It says “Allowing Birthday Cards access will let it pull your profile information, photos, your friends’ info, and other content that it requires to work.”  Each time the “Allow” button is clicked, your personal information and your friends list is being shared.

Social networks are powerful marketing and networking tools.   How much personal information do you think a person should share in a profile? Will the profile accuracy impact personal or business relationships?

Liked this post? Get more anti-spam related news from AllSpammedUp.com!

Social Network Spam Scare