First appeared on Wall Street Journal
"Spammers have decided to move where the people are and where the defenses are weak: Facebook and Twitter," says Chester Wisniewski, an analyst at security firm Sophos Ltd.
Hackers commonly sow social spam by creating false Facebook profiles and then "friending" people they don't know. Once the new friend clicks on a bad link, the spam begins propagating as his other friends do the same. And it can get started through nefarious third-party apps, or when people download malware outside Facebook or Twitter that gives hackers control of their computers.
A common social-spam attack on Facebook, known as "like-jacking," involves duping users into clicking on an image that looks as if a friend has clicked the "Like" button, recommending it.
More nefarious are come-ons for seemingly irresistible posts—like getting a free iPad—that lead people to run malware that can take over a Web browser, or even entire computer. Some social malware impersonates users, starting eerie one-on-one Facebook chat sessions with friends. Security experts also warn that a growing volume of sophisticated hacker attacks take information gleaned from social-networking profiles to trick people with convincing targeted messages.
San Francisco resident Clint Wilson discovered firsthand that his Facebook account was spamming his friends when his co-worker, who shares Mr. Wilson's account for work purposes, clicked on an offer for free dinner vouchers at the Cheesecake Factory. The offer was fake, and included a link that installed Web-hijacking malware.
Mr. Wilson, chief executive of software maker Cazoomi Technology Corp., quickly posted a note onto his Facebook account warning his friends to ignore the spam. "It's worse than email spam, because it's hard to stop," he says. He eventually figured out how to uninstall the malware from his Web browser, but estimates it cost him $500 in lost productivity.
Fighting social spam requires manpower because spammers move quickly. At Facebook, the company's site-integrity team spends its days and nights scanning for spikes in what users report as spam, and other unusual activity, such as friend request rejections. Every day, Facebook says it blocks 200 million malicious actions, such as messages linking to malware.
About once a quarter, Facebook gets hit with a big attack—and it's all hands on deck until the spam is destroyed, say employees. Weeks like that turn into "a very intense battle," says Mr. Stein. A poster on his team's wall features a unicorn slaying a spam monster.
Spammers' weak spots are typically things that cost them money, such as Internet addresses to house malware or the human effort required to set up and manage accounts. Facebook can't prevent spam, but it is stepping up measures to make it harder to create and use fake profiles.
When Facebook is suspicious about an account, it asks the owner to prove his identity, even if he has the correct password. Sometimes it does this by asking users to identify their friends. The point is to ensure that a real person—not a computer—will have to complete the test, thereby increasing the costs of spamming.
Some of the combat efforts may be working. Twitter says its "spammy" tweet rate of 1.5% in 2010 was down from 11% in 2009. Those being affected by spam and the number of spammer accounts escaping detection are "not tracking in an upward direction," says Del Harvey, Twitter's head of trust and safety.
Facebook's Mr. Keyani says he is taking the long view: "This is a game where there is never going to be a winner or a loser. We're just going to be battling it out."
