Spamming the socially active - spam diversifies to Twitter, IM, SMS, etc

The growing familiarity with short form URLs is being exploited by hackers that use the services to obscure links to offensive material or malicious websites
Spam is now polluting every form of electronic communication in hope of gaining more victims
Spammers, not content with profits from email, have moved on to attacking other forms of social media
Paul Ducklin, Sophos
Hemanshu Nigam, Myspace

Experiencing new communications technology now comes, by default, with a delicious helping of spam to ruin the experience. There's spam for instant messaging, spam for blogs, spam for search engine optimisation, spam for SMS and spam for Twitter. True to the originating ideals of the Monty Python sketch, spam comes with everything – sometimes it even seems that spam is the entire purpose of a technology.

Take Twitter, the web 2.0 micro-blogging phenomenon that allows short text messages of a few sentences, and the service that sparked a David Cameron expletive this summer. Users may post messages about their status, their moods, their location and other info-nuggets on social networks and blogging sites.

While there are genuine conversations about events and topics, these are often triggered by vested interest. A survey by the Harvard Business School found 10% of users produce over 90% of the messages. Follow any Twitter conversation and you may just find a slice of spam between every crust; if used incorrectly, the service is often little more than a voluntary way to consume advertising.

Tapping into a network like this is a Holy Grail for spammers and marketers alike, and recently furniture retailer Habitat found itself on the wrong side of the Twitterati when it broadcast messages for its "totally desirable Spring collection" within Twitter conversations supposedly about the iPhone, an Australian Masterchef contestant and even the Iranian election.

Habitat apologised for its inappropriate use of the service, but that has not prevented others from exploiting the same mechanism. Tweets related to the death of Michael Jackson have often pushed unrelated commercial messages.

Twitter has also come into focus because of the ubiquitous short-form URL. Since Twitter messages can be at most 140 characters long, any embedded URLs take up much needed message space. Services such as TinyURL and bit.ly allow users to translate a long URL into a shortened version; when the short link is clicked, the service's servers redirect the visitor to the original address.

Yet these services take away vital information from the user about the type of site they are visiting and have themselves come under attack. (See box out, Short URLs for big trouble).

More people, more spam

As with so many digital services, success attracts spammers since only success breeds the mass market that spammers covet.

Hemanshu Nigam, chief security officer with social networking giant Myspace, likens his service to a giant city. "As towns get bigger and become cities, eventually you have bad influences showing up and people willing to victimise the larger target base. It's no different online, as you become larger there is no question you will garner the attention of people intent on violating the law."

In the context of social networking, spam takes the form of unsolicited messages sent via IM, or posted on profile pages, or as bulk comments on blog posts containing links or references to products, or external websites.

"While organisations like Twitter would like to restrict advertising on their service, where there's a chance to make money via spam, then people will ignore it."
Paul Hanley

Nigam says that spammers are predictable only in that they will attempt to subvert the service at any opportunity. A broad front is therefore required in defence. "It's our job to implement a holistic approach. It's the kind of thing that takes many facets on a 24/7 basis."

Critically he splits security into three focus areas. First, Myspace has teams of developers working round the clock identifying miscreants and putting the stops on unwelcome behaviour. "This might include front end and back end technology and development, first to empower users to protect themselves, then to identify spammy behaviour so it can be stopped quickly, cleanse the site or prevent it in the first place", he says.

Secondly, he explains, "It's a constant requirement that you educate your users on what to look out for, what not to do, not to give up a user name and password. Education becomes a critical part of it".

But the third area, "is to build partnerships with the outside world of experts and other companies so you can do joint enforcement." Myspace participates in the Anti-Phishing Group for example, explains Nigam.

The holistic approach is not just taken for the operations and maintenance of Myspace either, he explains. Security is embedded in all application development as part of the process, not as simply a ‘nice to have while the budget allows’ add-on.

"It's more than a risk strategy, security is ingrained in the product development life cycle", says Nigam. "It's a forethought, not an afterthought, and that's a key distinction between different results. From our perspective it has to be a forethought at the earliest stages, otherwise the user will suffer."

Selling security concerns to developers is not always easy, but Nigam advises that it's about communicating with your own people properly to set their expectations. "When folks are developing something that's really cool or exciting they don't want it used in a negative way." They have an incentive not to let security flaws creep in and are thankful to be told of the types of situations that may occur, he explains.

Broad based platforms

But as well as being fabulously successful, many spammer-targeted social networking websites also have a broad base of functionality to defend. Facebook, for example, includes instant messages, email, blog posts and comments, video posting, SMS, and an entire ecosystem of third party applications that can interface to the platform.

"It's more than a risk strategy, security is ingrained in the product development lifecycle."
Hemanshu Nigam

Paul Ducklin, head of technology, Pacific region, for Sophos loosely puts non-email spam into a number of categories:

  • SPIT – spam over internet telephony
  • SPIM – spam over instant messaging
  • SPASM – spam over SMS texts
  • SPEW – spam over electronic web submission

A platform like Facebook is subject to all of these forms of spam apart from SPIT. (Though there is no reason that VoIP could not be added to Facebook as part of the service or a third-party application.)

Test for humanity

Protection relies on forcing a real person into the loop at some point, explains Ducklin. This will prevent the ‘bulk’ aspect of spam by slowing each message.

"A computer, if you were trying to automate this, would have to do something that takes human time, copying something in a grainy, strange font, listening to a sound clip and repeating the words; these are things which a computer finds jolly hard to do", says Ducklin.

"10% of Twitter users produce over 90% of the messages."

"Some of the social networking sites don't take this into account", he adds. "A Twitter administrator account was hacked earlier in the year. She'd used the dictionary word 'happiness' as a password, she was able to do remote logins without authentication, and there was no sort of rate limiting on the number of logins. By the time the dictionary attack got to H, it was in."

It could have been a disaster as the administrator account was able to operate with impunity creating accounts and changing user names.

"Fortunately the person [attacker] decided to show off the flaw by mucking about with high profile Twitter accounts", says Ducklin.
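The missing control in Ducklin's account is a limit on failed logins. As an added example (not code from Twitter, Sophos or this article), the guard below locks an account after a handful of failures inside a sliding window, so a correct guess made during the lockout is never even checked; the usernames, wordlist, clock and hashing are all constructed for illustration.

```python
# Added example, not Twitter's or Sophos's code: a per-account login limiter of
# the kind Ducklin says was absent. Names, wordlist and hashing are constructed.
import hashlib
from collections import defaultdict

MAX_FAILURES = 5       # failed attempts tolerated per account per window
WINDOW_SECONDS = 900   # 15-minute sliding window

def pw_hash(password):
    # Constructed for brevity; a real system would use a slow hash such as bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()

class LoginGuard:
    def __init__(self, users, max_failures=MAX_FAILURES):
        self.users = users                   # {username: pw_hash(password)}
        self.max_failures = max_failures
        self.failures = defaultdict(list)    # username -> failure timestamps
        self.now = 0.0                       # fake clock, advanced by the caller

    def _recent_failures(self, user):
        cutoff = self.now - WINDOW_SECONDS
        self.failures[user] = [t for t in self.failures[user] if t > cutoff]
        return len(self.failures[user])

    def attempt(self, user, password):
        """Return 'locked', 'denied' or 'ok'. A locked account is never checked,
        so a correct guess made during the lockout does not get in."""
        if self._recent_failures(user) >= self.max_failures:
            return "locked"
        if self.users.get(user) == pw_hash(password):
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(self.now)
        return "denied"

# Constructed alphabetical wordlist standing in for a dictionary; one guess per second.
WORDLIST = ["apple", "banana", "cherry", "dragon", "eagle", "falcon", "garden", "happiness"]

def replay_guesses(guard, user, words):
    """Test harness: feed the wordlist to the guard; return (final result, guesses made)."""
    for i, word in enumerate(words, 1):
        guard.now += 1.0
        result = guard.attempt(user, word)
        if result in ("ok", "locked"):
            return result, i
    return "denied", len(words)

def demo():
    users = {"admin": pw_hash("happiness")}
    limited = replay_guesses(LoginGuard(users), "admin", WORDLIST)
    unlimited = replay_guesses(LoginGuard(users, max_failures=10**9), "admin", WORDLIST)
    return limited, unlimited   # (('locked', 6), ('ok', 8))
```

A per-account lock can itself be abused to keep a victim out, so production systems usually combine it with per-source limits and exponential delays rather than a hard lock alone.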

A significant portion of spam avoidance strategy comes down to user education. One anonymous software developer wrote: "There is no patch for human stupidity. How are we supposed to stop an idiot from clicking on a link and willingly typing in their username and password? It's not an easy problem to solve, and just when you think you solve it, the spammers evolve".

Short URLs for big trouble

The booming popularity of social networking – in particular, micro-blogging service Twitter – has driven growth in services such as TinyURL, bit.ly and is.gd. The services are used to create convenient, short URLs that are redirected to the target web page. The growing familiarity with short form URLs is being exploited by hackers that use the services to obscure links to offensive material or malicious websites, and then distribute the links in spam emails, or by posting them on Twitter and other networks. Shortened URLs are less likely, at present, to be detected by content-filters.
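The redirect mechanism described here and in the main text is also what a content filter has to unwind before it can judge a shortened link. As an added example (not code from TinyURL, bit.ly, is.gd or this article), the expander below follows only redirect headers, never fetching page bodies, caps the hop count and detects loops before applying a host check; the redirect table, hostnames and blocklist are constructed stand-ins for HEAD responses.

```python
# Added example, not code from any service named in the article: expand a short
# link by following Location headers only, then apply the filter's host check.
# The redirect table, hostnames and blocklist are constructed; a live version
# would issue HEAD requests instead of consulting FAKE_REDIRECTS.
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed stand-in for HEAD responses: url -> (status, Location header or None)
FAKE_REDIRECTS = {
    "http://short.example/abc": (301, "http://another.example/x"),
    "http://another.example/x": (302, "/landing"),
    "http://another.example/landing": (200, None),
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}

def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))

def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow redirects without fetching bodies. Returns (final_url, chain, reason);
    reason is 'ok', 'loop' or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = head(url)
        if status not in REDIRECT_CODES or not location:
            return url, chain, "ok"
        url = urljoin(url, location)       # Location may be relative
        if url in seen:
            return url, chain, "loop"
        seen.add(url)
        chain.append(url)
    return url, chain, "too_many_hops"

BLOCKED_HOSTS = {"another.example"}     # constructed blocklist

def verdict(url):
    """Filter decision on the expanded destination, not on the shortener's host."""
    final, chain, reason = expand(url)
    if reason != "ok":
        return "block"                     # refuse broken or looping chains
    host = urlparse(final).hostname
    return "block" if host in BLOCKED_HOSTS else "allow"
```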

Earlier this year, URL-shortening service Cligs was attacked by hackers, who redirected the short URLs created with the service, resulting in 2.2 million links to an Orange County Register article, demonstrating how users can find themselves visiting unexpected websites when clicking on shortened links.

In a Cligs blog post about the issue, Cligs creator Pierre Far wrote that "a security hole in the Cligs editing functionality was discovered and was exploited by a malicious attacker. The attack edited most URLs on Cligs to point to a single URL hosted on freedomblogging.com. The attacker’s IP address appears to have been from Canada."

But while user behaviour can exacerbate the problem, policy and guidelines aimed at users are also key to fighting it. Myspace can throttle back a user's messaging capability, suspend accounts and reserves the right to charge for bulk mailing, and these are used on a daily basis, admits Myspace's Nigam. "Terms of use are critical", he adds.

Trading in rules for cash

"There is a fair amount of spam on the social networking sites Facebook, YouTube, and even some of the discussion forums often contain spam", says Paul Hanley, senior manager with Deloitte's Enterprise Risk Services.

Yet Hanley makes the point that one man's spam is another's legitimate advertising, that much of the perceived spam is tolerated and may even support the platform in question. "The Mobile Marketing Association in Europe has essentially allowed Bluetooth spam, you could argue", he says, "and while organisations like Twitter would like to restrict advertising on their service, where there's a chance to make money via spam, then people will ignore it".

If only a virtual Michael Palin would appear and announce, "I'll have your spam, I love it. I'm having spam, spam, spam, spam, spam, spam, spam, baked beans and spam". But one suspects even Palin's appetite would be sated by today's processed offerings.
