Cybercrooks have quit pouring barrels of spam into email inboxes in favour of hassling marks on social networks as an easier way to make money.
The dismantling of remote-controllable armies of compromised PCs, the collapse of some shady affiliate advertising networks, and better spam-filtering technology have all resulted in a decrease in traditional email spam delivery.
However, dodgy messaging to promote sites selling knock-off goods, pills to enhance performance beneath the sheets, and other tat, has only been displaced rather than destroyed. Twitter and Facebook have both become primary conduits for spam in the process - and the messages sent usually look far more convincing.
Paul Judge, chief research officer at Barracuda Networks, said that one in 100 tweets on Twitter and one in 60 messages on Facebook were either spam or malicious. The switch from email was an obvious move for crooks because social networks are where the majority of internet users spend their time, Judge told delegates at Barracuda's technical conference in Munich on Friday.
"Wherever users are attackers will follow," he explained.
Judge described automated tools used to set up fake accounts on Facebook. These accounts use like-jacking (a form of click-jacking), among other techniques, to trick users into landing on pages that promote survey scams, earning miscreants affiliate revenue in the process. The nuisance level created by fake accounts is not in proportion to their actual number, which Judge admitted was hard to quantify. He compared the situation to the early days of email spam.
"Tools are available to automatically generate a profile and make it look like a real user by adding likes and places of education attended, for example," Judge explained. Fake profile are very different from legitimate profiles: 97 per cent of fakes are female, compared to 40 per cent of the real population on Facebook, and 58 per cent claim to be bisexual females, compared to 6 per cent of the real female users of the social network who say they like both men and women. Fake profiles also tend to have "more friends", 726 on average compared to the 130 average for the general Facebook population.
Creating a snowball of spam:
Spammers also use fake fan pages, featuring big names such as Harry Potter and Nike, to promote dodgy links - a situation Judge described as "out of control". Once established, the bogus pages are linked up by the fake profiles through wall posts and photo tagging to gain extra traction and can attract hundreds of thousands of likes from misled punters in just a few days.
“If a person likes a page, they can be tagged in a photo with 50 other people who each have hundreds of friends. Thousands can be reached from one photo, making the process very efficient,” Judge explained. The photo has a comment underneath containing a malicious link that poses as links to more photographs.
"Facebook could make changes to restrict the utility of photo tagging to spammers by, for example, only allowing the photo tagging of someone you are already friends with but this would reduce the overall number of page views."
Twitter is also extensively used by spammers: fake accounts can be created far more easily than on Facebook via a trivial scripted process that involves submitting only a name, email address and password. Fake accounts either mention legitimate users or comment on trending topics in order trick surfers into following dodgy links. Many fake accounts can be recognised by following a large number of people but having few people following them back.
Stephen Pao, vice president of product management at Barracuda, said that much the same groups involved in email spam have moved over to peppering social networks with junk messages. "It's the same ecosystems and you can see examples of spam campaigns that start in email moving onto social networks," he explained.
Exploit kits and "Facebook cloaking tools" are been offered for sale in underground cybercrime marketplaces in much the same way tools that automated the process of email spamming have long been flogged, he added.
Google+ and LinkedIn have also attracted some malicious activity but the lack of software interfaces to automate message sending, and weak popularity in terms of sheer numbers of visitors, have made these less of a target for spammers than either Twitter or Facebook. Spam on Pinterest and Foursquare remains a nascent problem.
"It's more dangerous than the early days of email spam because you get a link ostensibly sent to you by your friend or mum rather than a bank you don't do business with," Pao concluded.