A group led by George Petre at BitDefender, an antivirus software company based in Bucharest, Romania, performed an experiment to test the effectiveness of spamming techniques geared toward a social networking site. They found it surprisingly easy to entice Facebook users to "friend" people they didn't know; they also found that many users were willing to click on links without knowing who sent them or where they led.
Fake friends: This screenshot shows real users who befriended a bogus Facebook user created by George Petre and colleagues.
Speaking last week at the MIT Spam Conference in Cambridge, MA, Petre described how spammers exploit social networks via messaging systems by enticing users to click on links, and by gathering personal information to target mail-outs.
Most social networks have internal messaging systems for communication between members. Petre's group examined that of Facebook, which boasts 5 percent of the world's population as its users. While Facebook has an antispam engine, the group found that it was better at filtering out phishing e-mails than preventing spam messages from getting through.
The group started by creating fake profiles to trick users into friending them. They created three profiles, one containing almost no information about the user, one with some information, and one with detailed information. They used those profiles to join popular groups and began sending out friend requests.
Within 24 hours, 85 users had accepted a request from the first profile, 108 from the second, and 111 from the third. Petre says that acceptances began to accelerate, since more than 50 percent of the time, users would accept the request if they shared a "mutual friend" with the fake profile. In some cases, he says, users would send a message asking for more information about how they knew this supposed new friend. The researchers didn't respond to these requests, but in many cases, Petre says, users accepted the request anyway.
The researchers then posted a link without any explanation to the fake profiles' walls, using a URL shortener to obscure where the link went. Almost 25 percent of the profiles' "friends" visited the link, Petre says.
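The shortened link in that experiment hid its destination from the people who clicked it. A defender-side check that resolves such a link hop by hop before anyone opens it, shown here as an added example that is not code from the article or from BitDefender: the shortener host list, the offline redirect table and the `link-check` user-agent string are constructed for illustration, and the live lookup assumes that a HEAD request returning a 3xx status carries the next hop in its `Location` header.

```python
"""Resolve a shortened link to its final destination without opening it in a
browser. Added example, not code from the article or the BitDefender study;
the shortener host list and the redirect table below are constructed."""
from typing import Callable, Optional
from urllib.error import HTTPError, URLError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed list of common shortener hosts (assumption: extend per environment).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
MAX_HOPS = 10


def is_shortened(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib refuse to follow 3xx responses so every hop is inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_lookup(url: str) -> Optional[str]:
    """One HEAD request; return the Location header of a 3xx reply, else None."""
    opener = build_opener(_NoRedirect)
    req = Request(url, method="HEAD", headers={"User-Agent": "link-check/0.1"})
    try:
        with opener.open(req, timeout=5):
            return None  # 2xx: this is the final page
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None  # 4xx/5xx: treat as the end of the chain
    except URLError:
        return None  # DNS or connection failure: nothing further to resolve


def expand(url: str, lookup: Callable[[str], Optional[str]] = live_lookup,
           max_hops: int = MAX_HOPS) -> dict:
    """Follow redirects one at a time and report the chain with warnings."""
    chain, seen, loop, truncated = [url], {url}, False, False
    current = url
    for _ in range(max_hops):
        nxt = lookup(current)
        if nxt is None:
            break
        nxt = urljoin(current, nxt)  # Location may be relative to the hop
        if nxt in seen:
            loop = True  # the chain points back at an earlier hop
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    else:
        truncated = True  # gave up after max_hops; destination may not be final

    warnings = []
    if is_shortened(url):
        warnings.append("shortener link")
    if sum(is_shortened(u) for u in chain) >= 2:
        warnings.append("nested shorteners")
    if loop:
        warnings.append("redirect loop")
    if truncated:
        warnings.append("redirect chain longer than max_hops")
    if urlparse(current).scheme != "https":
        warnings.append("final destination is not https")
    return {"final": current, "chain": chain, "hops": len(chain) - 1,
            "shortened": is_shortened(url), "loop": loop,
            "truncated": truncated, "warnings": warnings}


# Constructed redirect table so the example runs offline; stands in for HEAD replies.
CONSTRUCTED_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/xyz",
    "http://tinyurl.com/xyz": "http://example.org/landing?c=promo",
    "http://is.gd/loop1": "http://is.gd/loop2",
    "http://is.gd/loop2": "http://is.gd/loop1",
}


def table_lookup(url: str) -> Optional[str]:
    return CONSTRUCTED_REDIRECTS.get(url)


if __name__ == "__main__":
    for link in ("http://bit.ly/abc123", "http://is.gd/loop1", "http://example.org/plain"):
        print(expand(link, lookup=table_lookup))
```

Pass `live_lookup` (the default) to resolve real links; the HEAD-only, one-hop-at-a-time approach means the checker never executes the landing page and records every intermediate shortener, which is what a mail or link gateway needs to log before deciding whether to let a link through.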
To send messages to large numbers of people, Petre says, spammers often trick users into joining groups and befriending fake profiles. For example, in the aftermath of the Haitian earthquake, fraudsters started a group on Facebook that claimed the social networking company would donate money to relief efforts for each user who joined. The group collected nearly two million members in the five days before Facebook discovered the activity and suspended the group. While active, Petre says, the group was used to send spam messages to the group's members.
Spammers can also blast messages to users who have accepted friend requests from them. Petre found that scammers use social games to make contacts with legitimate users. In many of these games, such as Farmville, users get ahead by having friends on the network who play the same game. As a result, there are lots of groups on Facebook devoted to helping users connect with other players. This provides a way for spammers to find users to connect with.
Once connected, spammers can also do more than just send spam messages. They can gather data on users, and those users' contacts, to create more targeted fraudulent messages. Scammers also post links to profiles that aim to entice users to view advertising or visit compromised phishing or malware websites. While spammers could, in theory, use scripts to harvest e-mail addresses from other users' profiles, Facebook has implemented several protections that make this difficult to do without getting caught and suspended.
"Social networking spam may be more dangerous than regular old spam because it creates a trust factor not available through blindly sending out mass e-mail," says Garth Bruen, creator of software called Knujon, which classifies and tracks spam. By mining social networks, he says, criminals can get access to personal details such as where a person lives, where they go out to drink, or what movies they like. "It is very good intel for establishing trust with strangers," he says. Though Bruen notes that working within a social network costs spammers more resources than traditional methods, he believes the payout could be much bigger.
Kathy Liszka, a professor of computer science at the University of Akron and the chair of the MIT Spam Conference, says that fighting spam is no longer just about mathematics and statistics. Spam and malware companies today are actively recruiting people with backgrounds in psychology, she says, and Petre's work shows that social networks provide fertile ground for spammers to try more sophisticated forms of manipulation. Liszka says, "If we don't get up on the psychology aspect, we're going to start losing ground again."