Friday 13 January 2012

Spam Finds New Target

Facebook and Twitter Build Up Their Defenses as Hackers Attack Social Networks


Facebook Inc. and Twitter Inc. are building up their forces to fight an emerging enemy: "social" spam. WSJ's Geoffrey Fowler reports on digits.

One of their foot soldiers is Tao Stein, a Facebook engineer. At 4 a.m. one May morning, Mr. Stein was jolted out of bed by a spam alert on his cellphone. Facebook was being inundated with messages that read, "hey check out this link FREE IPAD." But there was no free iPad—just malware that caused Facebook users who clicked on the link to unintentionally rebroadcast the annoying message to friends.
Mr. Stein switched on his coffee pot and logged on to his computer, launching a program to filter out the iPad offers. He adjusted his filter as the spammers quickly modified their come-on to evade it. "We have to continue iterating until we find their Achilles' heel," says Mr. Stein, whose efforts stemmed the tide only for about a day.
Spam, one of the Internet's oldest annoyances, is gearing up for a second act. Unlike traditional email spam, which usually comes from strangers, this new form—dubbed "social" spam—often appears to be from a friend. Criminals find social networks alluring because they can spread messages through a chain of trusted sources.
Such spam puts the usefulness of social networking at risk. Facebook says less than 4% of the content shared on its site is spam and Twitter says just 1.5% of all tweets were "spammy" in 2010. But Facebook adds that the volume is growing faster than its user base. On any given day, spam hits less than 0.5% of Facebook users, or some four million people.

"It's an arms race, and our goal is to be one step ahead," says Pedram Keyani, a Facebook engineering manager in charge of the effort.
In 2008, Facebook had just four engineers like Mr. Stein working on site integrity. Today, he works with a team of 30, plus a separate security team of 46 and another 300 focused on user issues. In all, some 1,000 of Facebook's 3,000 employees—including engineers, lawyers, user-operations managers and risk analysts—play a role in fighting spam in some capacity, the company says.

Meanwhile, Twitter says that by the end of the year, it will have five "spam science" programmers—up from two such employees now—and nine account-abuse specialists on its staff of about 750.
Social spam is growing as attacks launched via traditional email come-ons appear to be declining. In November, 70.5% of all email was spam, down from a recent high of 92.2% in August 2010, according to security-software maker Symantec Corp. Improved filters and law enforcement have made email attacks increasingly difficult.
"Spammers have decided to move where the people are and where the defenses are weak: Facebook and Twitter," says Chester Wisniewski, an analyst at security firm Sophos Ltd.
Hackers commonly sow social spam by creating false Facebook profiles and then "friending" people they don't know. Once the new friend clicks on a bad link, the spam begins propagating as his other friends do the same. And it can get started through nefarious third-party apps, or when people download malware outside Facebook or Twitter that gives hackers control of their computers.
A common social-spam attack on Facebook, known as "like-jacking," involves duping users into clicking on an image that looks as if a friend has clicked the "Like" button, recommending it.
More nefarious are come-ons for seemingly irresistible posts—like getting a free iPad—that lead people to run malware that can take over a Web browser, or even an entire computer. Some social malware impersonates users, starting eerie one-on-one Facebook chat sessions with friends. Security experts also warn that a growing volume of sophisticated hacker attacks take information gleaned from social-networking profiles to trick people with convincing targeted messages.
San Francisco resident Clint Wilson discovered firsthand that his Facebook account was spamming his friends when his co-worker, who shares Mr. Wilson's account for work purposes, clicked on an offer for free dinner vouchers at the Cheesecake Factory. The offer was fake, and included a link that installed Web-hijacking malware.
Mr. Wilson, chief executive of software maker Cazoomi Technology Corp., quickly posted a note onto his Facebook account warning his friends to ignore the spam. "It's worse than email spam, because it's hard to stop," he says. He eventually figured out how to uninstall the malware from his Web browser, but estimates it cost him $500 in lost productivity.
Fighting social spam requires manpower because spammers move quickly. At Facebook, the company's site-integrity team spends its days and nights scanning for spikes in what users report as spam, and other unusual activity, such as friend request rejections. Every day, Facebook says it blocks 200 million malicious actions, such as messages linking to malware.
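The spike-watching described above, sketched as a defender-side example; this is added illustration, not code from Facebook or Twitter, and the signal names, hourly counts and thresholds are all constructed assumptions:

```python
"""Flag hours where abuse signals jump far above their trailing baseline."""
from statistics import mean, pstdev

# Constructed hourly counts (not real Facebook or Twitter figures).
# Hours 7 and 8 simulate a campaign like the "FREE IPAD" wave.
SIGNALS = {
    "spam_reports":          [120, 130, 125, 118, 140, 135, 128, 900, 1500],
    "friend_req_rejections": [300, 310, 295, 305, 320, 315, 300, 310, 305],
    "malware_link_blocks":   [50, 55, 48, 52, 60, 57, 53, 610, 1100],
}

def zscore(value, baseline):
    """Standard deviations of value above the baseline mean; 0 when flat."""
    sd = pstdev(baseline)
    if sd == 0:
        return 0.0 if value <= mean(baseline) else float("inf")
    return (value - mean(baseline)) / sd

def spikes(series, window=6, threshold=4.0, min_ratio=2.0):
    """Indexes whose count is >= threshold SDs above the trailing window AND
    at least min_ratio times its mean. The ratio guard keeps a very quiet
    baseline (tiny variance) from paging someone over a trivial bump."""
    flagged = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        value = series[i]
        if zscore(value, base) >= threshold and value >= min_ratio * mean(base):
            flagged.append(i)
    return flagged

def correlated_alerts(signals, **kw):
    """Map each flagged hour to the sorted list of signals spiking in it, so
    multi-signal hours (report spike plus blocked links) stand out from a
    lone signal that may just be a reporting glitch."""
    per_signal = {name: set(spikes(s, **kw)) for name, s in signals.items()}
    hours = set().union(*per_signal.values())
    return {h: sorted(n for n, hs in per_signal.items() if h in hs)
            for h in sorted(hours)}

if __name__ == "__main__":
    for hour, names in correlated_alerts(SIGNALS).items():
        print(f"hour {hour}: {', '.join(names)}")
```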
About once a quarter, Facebook gets hit with a big attack—and it's all hands on deck until the spam is destroyed, say employees. Weeks like that turn into "a very intense battle," says Mr. Stein. A poster on his team's wall features a unicorn slaying a spam monster.
Spammers' weak spots are typically things that cost them money, such as Internet addresses to house malware or the human effort required to set up and manage accounts. Facebook can't prevent spam, but it is stepping up measures to make it harder to create and use fake profiles.
When Facebook is suspicious about an account, it asks the owner to prove his identity, even if he has the correct password. Sometimes it does this by asking users to identify their friends. The point is to ensure that a real person—not a computer—will have to complete the test, thereby increasing the costs of spamming.
Some of the combat efforts may be working. Twitter says its "spammy" tweet rate of 1.5% in 2010 was down from 11% in 2009. Those being affected by spam and the number of spammer accounts escaping detection are "not tracking in an upward direction," says Del Harvey, Twitter's head of trust and safety.
Facebook's Mr. Keyani says he is taking the long view: "This is a game where there is never going to be a winner or a loser. We're just going to be battling it out."

by Geoffrey A. Fowler, Shayndi Raice and Amir Efrati
