USA Today
Facebook and Twitter users take heed: Expect those surges of spam you've been experiencing to recur. Hackers and spammers have staked out new turf for attacking the popular social networks, and it'll take the good guys some time to shore up defenses, cybersecurity experts say.
Here's what's happening: Hackers are aggressively probing Twitter and Facebook for security holes, especially ones they can use to tap into mechanisms for rapidly disseminating content to millions of users. On discovering a fresh vulnerability, an attacker will usually disperse a test posting that spreads in wormlike fashion, proving his skill.
Next, alert spamming gangs move into action. They stand ready to blast high volumes of spam through the new hole for as long as it stays unpatched. Often, such spam comes from "clickjackers" who make money by getting users to click to a webpage full of ads, or to an advertising-related survey. They get paid up to $1 a click from advertisers, and can make hundreds of thousands of dollars a day.
Facebook and Twitter "are the new toy everybody wants to attack to get visibility and also to make a little money," says Catalin Cosoi, research director at anti-virus firm BitDefender.
Spammers pounced all over a flaw recently uncovered in Twitter's mouse-over feature. Anyone who simply moused over a corrupted microposting, or tweet, caused an identical tainted tweet to be sent to all of his or her followers. Each subsequent click spread the attack exponentially.
Twitter devotes 23 of its 250 employees to security, trust and safety issues, says Twitter security director Bob Lord. The team reacted quickly to users tweeting about the spam surge in progress and patched the hole over the course of six hours. "We work very hard to protect our users, which is at the core of what we do," says Lord.
Attackers also recently discovered fresh holes in Facebook's photo-upload and status-messaging features. Spammers used those holes to blast out tainted Web links. Anyone who clicked on the link spread spam to all of his or her friends. Reacting to users' messages about the attack, Facebook cut off each spam surge within hours, says spokesman Simon Axten. "We continue to work tirelessly to reduce the impact of attacks," he says.
The companies expect to contain the impact of spam surges in no small part due to a built-in early warning system: users who aren't shy about bringing new attacks to their attention. They also warn users to be careful what they click on.
Yet, soaring popularity is proving to be a blessing and a curse. The companies have their hands full keeping basic services running reliably, in addition to battling cyberattackers.
"Twitter and Facebook can be turned into vehicles for mass distribution of malware if they don't deploy countermeasures," says Neil Daswani, chief technical officer of security firm Dasient. "The numbers of users that can be affected in a short time is incredible."