Organic SEO Blog

Showing posts with label SEO Spam.

Monday, January 09, 2012

Spam Attacks Social Media

First appeared on Wall Street Journal
"Spammers have decided to move where the people are and where the defenses are weak: Facebook and Twitter," says Chester Wisniewski, an analyst at security firm Sophos Ltd.

Hackers commonly sow social spam by creating false Facebook profiles and then "friending" people they don't know. Once the new friend clicks on a bad link, the spam begins propagating as his other friends do the same. And it can get started through nefarious third-party apps, or when people download malware outside Facebook or Twitter that gives hackers control of their computers.

A common social-spam attack on Facebook, known as "like-jacking," involves duping users into clicking on an image that looks as if a friend has clicked the "Like" button, recommending it.

More nefarious are come-ons for seemingly irresistible posts—like getting a free iPad—that lead people to run malware that can take over a Web browser, or even an entire computer. Some social malware impersonates users, starting eerie one-on-one Facebook chat sessions with friends. Security experts also warn that a growing volume of sophisticated hacker attacks take information gleaned from social-networking profiles to trick people with convincing targeted messages.

San Francisco resident Clint Wilson discovered firsthand that his Facebook account was spamming his friends when his co-worker, who shares Mr. Wilson's account for work purposes, clicked on an offer for free dinner vouchers at the Cheesecake Factory. The offer was fake, and included a link that installed Web-hijacking malware.

Mr. Wilson, chief executive of software maker Cazoomi Technology Corp., quickly posted a note onto his Facebook account warning his friends to ignore the spam. "It's worse than email spam, because it's hard to stop," he says. He eventually figured out how to uninstall the malware from his Web browser, but estimates it cost him $500 in lost productivity.

Fighting social spam requires manpower because spammers move quickly. At Facebook, the company's site-integrity team spends its days and nights scanning for spikes in what users report as spam, and other unusual activity, such as friend request rejections. Every day, Facebook says it blocks 200 million malicious actions, such as messages linking to malware.

About once a quarter, Facebook gets hit with a big attack—and it's all hands on deck until the spam is destroyed, say employees. Weeks like that turn into "a very intense battle," says Mr. Stein. A poster on his team's wall features a unicorn slaying a spam monster.

Spammers' weak spots are typically things that cost them money, such as Internet addresses to house malware or the human effort required to set up and manage accounts. Facebook can't prevent spam, but it is stepping up measures to make it harder to create and use fake profiles.

When Facebook is suspicious about an account, it asks the owner to prove his identity, even if he has the correct password. Sometimes it does this by asking users to identify their friends. The point is to ensure that a real person—not a computer—will have to complete the test, thereby increasing the costs of spamming.

Some of the combat efforts may be working. Twitter says its "spammy" tweet rate of 1.5% in 2010 was down from 11% in 2009. Those being affected by spam and the number of spammer accounts escaping detection are "not tracking in an upward direction," says Del Harvey, Twitter's head of trust and safety.

Facebook's Mr. Keyani says he is taking the long view: "This is a game where there is never going to be a winner or a loser. We're just going to be battling it out."

Saturday, April 04, 2009

Abusing The IRS For Google Bombing
Originally Posted to Fast Company

Tax season is here, and like many Americans I recently went online to download forms. Usually I'd head straight to the Internal Revenue Service Web site but I find Google a more efficient way of navigating big government sites. When I Googled "IRS form 1065," there was no direct link to it on the IRS Web site, just manuals and tax tips. I skimmed the page and the ninth result was:



Form 1065 B

IRS Form 1065-B (Schedule K-1) is the partner's share of income or loss from an electing large partnership. This form is to be filled out by each partner in ...

form-1065-b.bejegsugy.com/



Curious, I clicked on the link but a warning popped up, claiming the site contained malware, which meant the application, if downloaded, could cause serious harm to a PC--anything from surreptitiously installing adware, spyware, and malicious programs to turning it into a zombie that unleashes billions of spam emails, or even wipes out the hard drive. I wondered how a site like this ended up in the top 10 search results, with Google's much-vaunted claims of relevance and reliability. Indeed, Google boasts that it uses "more than 200 signals," including its patented PageRank algorithm, to rank sites.

Yet, here was a site that clearly shouldn't have been in the first 10 results. I entered other forms--1041s, K-1s--and found more suspicious sites appearing within the first 20 results, one of them listed as the fourth result.

For example:


[Image: 1041-es.jpg]

When I used Mozilla Firefox these bogus sites were blocked automatically, part of the security features built into the browser. This was not the case when I visited the sites on Safari. Nor was it so when I switched to a PC running Internet Explorer. Notably, Google's own Chrome browser didn't offer any protection either. I followed the link to a site that warned I had malware on my computer, urging me to click on a program to eradicate it from my hard drive and protect me from future incursions. The only way you can click away is to quit the browser. It won't let you close the window or move backward or forward to another page. If you own a PC (Macs are not affected) and download the promised cleansing agent (called Malware Defender 2009), you would be downloading spyware that has been traced to hackers from the Russian Federation. Pretty clever, offering an antivirus tool that is in itself a virus tool.

Over the years, the IRS has issued numerous warnings covering online scams (last updated nine months ago). Usually they are classic identity-theft phishing schemes that rely on official-looking email messages informing you that you are going to be audited, are due a big refund or government stimulus check, or offered $80 to participate in a survey. Another version attempts to lure you to a Web site offering free online tax-filing services. In each instance, the message advises you to click on a link that then takes you to a fake IRS site where you're asked for personal information such as social security and credit card numbers.

In this case, however, fraudsters manipulate Google search results to hijack a user's browser. The fact that these sites are lodged high in Google's search rankings gives them the patina of authenticity. That's what makes them so dangerous. (The same didn't appear true for Yahoo or Microsoft's search, which, as far as I could tell, didn't display these bogus sites--at least not in the first several pages of results.)

This Google bomb tactic is not new. Black hat search engine optimization (SEO) has been going on for years. According to Dave Dittrich, a senior security engineer and researcher at the Information School at the University of Washington, a typical approach is to create thousands of web pages running on hundreds of servers that cross-link to one another. Each file contains text that includes a word and strings that result from doing a search for that word. It can then push a product or service on to the first page of results--and that is by far the most valuable search engine real estate, because most people don't bother to venture past the first page.

As far back as November 2007, cybercriminals have been borrowing black hat SEO techniques to target popular keywords on Google--everything from "how to teach a dog to play fetch" to recent ones that include terms relating to Easter, March Madness and Barack Obama. Their goal: to disseminate destructive payloads. By one count, more than 1 million links point to a single poisonous domain. A while back Google created a filter in response to this malware frenzy, which earlier this year went haywire, blocking every single site Google turned up for almost an hour and freaking out some users.

With April 15 approaching, it was perhaps inevitable the IRS would also become a prime target. The attackers appear to be taking advantage of a specific PageRank vulnerability that weighs a page's popularity by treating every inbound link as a "vote," with pages attracting lots of links given more weight than pages with just a few. Larry Page and Sergey Brin, Google's founders, view this as a form of democracy on the Web. (Apparently governing through democracy in search is as difficult as it is in the real world.) These digital ne'er-do-wells also found a way around Google's "hypertext-matching analysis" that claims to analyze "the full content of a page" and factors in "the precise location of each word." If a Google searcher clicks on the bogus link, he is either taken directly to a site hosting malicious software or redirected to one.

To see if this IRS Google bomb tactic adhered to this model, I googled "b.bejegsugy.com," which was the first bogus site I'd encountered.

The first four sites listed were:



[Image: schedulec.jpg]

After clicking on them at different times I was transported to either a) a fake YouTube site (carelessly misspelled YuoTube), b) the same Malware Defender 2009 site, or c) a page that looked like this:

[Image: form1041schedd.jpg]

That's the content the scamsters use to fool PageRank and push to the top of Google's search results.

On the bottom were links to links and more links, such as the ones on this page (which the page above linked to):

[Image: form4952.jpg]

When I visited bejegsugy.com, I found a semi-legitimate search page with topics like "Film School," "Stock Photos," and "Car Insurance," which offered links to genuine sites. (Later it would morph into a different-looking search site.)

And the search box? It was powered by Google. I found it a tad unnerving that it remembered many of my previous searches. For example, one I recently conducted on the economist Paul Krugman.


[Image: bejegsugy.jpg]

The domain name Bejegsugy.com was registered to an individual affiliated with a company called Zitoclick on March 26--the day I first encountered the site as a malware host. The registrant information provided an email address: support@zitoclick.com.

Zitoclick.com is a barebones search site that claims to offer for download a toolset that "combines a richer, more intuitive internet search experience" and "works directly with Windows XP or Vista and either Internet Explorer or Firefox." A quick search indicated it was part of the extensive cross-linking network that characterizes a site used to help juice Google rankings, often appearing as a link on a page with no obvious connection. Plus, Zitoclick owns more than 13,438 other domains.

I contacted Google to ask about this latest twist on the IRS scam--namely, how was it possible to so badly fool PageRank? A Google spokesperson, via email, offered the usual corporate boilerplate response. (Below you'll find the entire statement.)

More to the point, it appeared that Google took immediate steps to clean up its search results, eradicating the bogus malware sites from IRS form-related searches, and reprogramming its Chrome browser to block the site that hosted the malware. When I checked later that day, none of the malware sites I'd stumbled on were there anymore.

And the next time I used the Chrome browser to visit the malware scanner Web site, Google had blocked it. The advisory listed the site as "suspicious," and warned that visiting it "could harm your computer." It also reported: "The last time Google visited this site was on 2009-03-26, and the last time suspicious content was found on this site was on 2009-03-26."

That was the day I contacted Google.

Now that Sergey and Larry's engineers were on the case, I figured these bogus IRS form malware sites wouldn't stand a chance.

I was wrong. Two days later I checked again by googling "IRS form 1065."


[Image: form1065.jpg]

The 39th result was another malware site:


[Image: formk.jpg]

I also tried other keywords, like "IRS Form 940 January 2009."


[Image: form940search.jpg]

This time three bogus sites appeared on the first page. In other words, three of the top ten results were malware sites. Worse, Google didn't block any of them. As soon as it did, hackers would unleash another wave of malware sites, and the game would continue round and round.


[Image: 940ez.jpg]

Google has built its billion-dollar empire on search, yet hackers have learned to subvert the system at will. It makes you wonder what other keywords are tainted. If Google search isn't democracy incarnate, which is how the company advertises it, then what is it? In some instances a rigged system that rewards not the sites that have earned placement on the most valuable real estate--the first page or two of results--but one in which scammers can profit.

And what if these cybercriminals, like those behind the mysterious Conficker worm, which has been getting heaps of press lately, were to deploy more damaging payloads? For now, they have stuck with basic PC-busting malware that is often sniffed out by antivirus products. If these hackers switch to more damaging Microsoft PC "0days" (pronounced "oh-days" or "zero days," it generally refers to unknown, or zero-hour, software threats that are easily attained on the hacker black market) Google could become a most inhospitable place to do your searching. And those responsible for Conficker are not the only ones worth worrying about. A recent report identified a vast cyberespionage campaign dubbed GhostNet that infected 1,295 computers in 103 countries, including embassies, international organizations, ministries of foreign affairs, news media and NGOs. It, too, relied on malware to disseminate an application called Gh0st Rat that transformed PCs into spy devices--pilfering confidential documents and turning on cameras and microphones without users' knowledge. And most antivirus products didn't provide protection.

As for those who plan to download IRS forms, it probably doesn't need to be said that you should skip Google and head straight to the IRS Web site, which will necessarily have "irs.gov" in its address. Accept no substitutes. If you do, you do so at your own peril.
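The check is stricter than it sounds, because the text "irs.gov" can appear in a link that does not lead to the IRS. As an added example (not part of the original article), this JavaScript function applies the browser's own URL parsing rules and tests the host itself; the function name and every sample link are constructed for illustration, with only the bejegsugy.com host name taken from the search result quoted earlier.

```javascript
// Added example, not from the article: is a link's host irs.gov (or a
// subdomain of it), or does the link merely contain that text somewhere?
const OFFICIAL_DOMAIN = "irs.gov";

function classifyLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser, the same rules a browser applies
  } catch {
    return { official: false, host: null, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { official: false, host: null, reason: "not a web link" };
  }
  // hostname is already lower-cased and excludes userinfo and port;
  // drop a trailing root dot so "irs.gov." compares equal to "irs.gov".
  const host = url.hostname.replace(/\.$/, "");
  if (host === OFFICIAL_DOMAIN || host.endsWith("." + OFFICIAL_DOMAIN)) {
    return { official: true, host, reason: "host is irs.gov or a subdomain" };
  }
  // Not official: say where the misleading text sits, if anywhere.
  let reason = "host belongs to another domain";
  if (url.username.includes(OFFICIAL_DOMAIN)) {
    reason = "irs.gov appears only before '@' (userinfo), not in the host";
  } else if (host.includes(OFFICIAL_DOMAIN)) {
    reason = "irs.gov is only part of a different host name";
  } else if ((url.pathname + url.search).includes(OFFICIAL_DOMAIN)) {
    reason = "irs.gov appears only in the path or query";
  }
  return { official: false, host, reason };
}

// Constructed sample links (example.com is a reserved documentation domain).
const SAMPLES = [
  "https://www.irs.gov/forms",
  "https://IRS.GOV./forms",
  "http://form-1065-b.bejegsugy.com/",
  "https://irs.gov.example.com/form-1065",
  "https://www.irs.gov@example.com/forms",
  "https://example.com/download?site=irs.gov",
  "https://notirs.gov/",
  "form-1065-b.bejegsugy.com/",
];

for (const link of SAMPLES) {
  const r = classifyLink(link);
  console.log(`${r.official ? "OK  " : "STOP"} ${link} -> ${r.reason}`);
}
```

Only the first two samples pass; each of the others is stopped with the reason the address is misleading.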

Google Spokesperson response:

Hi Adam,

Thanks for getting in touch with us. Feel free to attribute the following information to a Google spokesperson:

Search is a complex problem and the heart of what we do. We use more than 200 signals, including our PageRank technology, to help us rank sites. At the same time, we work hard to protect our users from malware. We've removed many of these types of results from our search index. However, this issue affects more than just Google, as these sites are still part of the general web. In all cases, we actively work to detect and remove sites that serve malware from our index. To do this, we have manual and automated processes in place to enforce our policies. We also flag suspicious sites with malware warnings using our Safe Browsing tools. We'll continue to monitor for these bad results and will remove any as necessary. Additionally, we're always exploring new ways to identify and eliminate malicious sites from our index.

Please let me know if you have any other questions.

All the best,

XXXX

Tuesday, February 19, 2008

Network Solutions SEO Spam Includes Top Ten Keyword Position Guarantee.


Network Solutions Making Bold and Empty SEO Promises

Desperate For Revenue Gains Network Solutions is Now Breaking The Golden Rule of SEO and Guarantees Top 10 Keyword Rankings.

Google Has Been Warning Website Owners For Years to Avoid Any SEO Company That Guarantees Top 10 Keyword Results. Yet despite the warnings from the search engines themselves Network Solutions Continues to Promote False Promises.

Here's Google's Warning on SEOs promoting top keyword placement:

No one can guarantee any top rankings on Google.

Also Google goes further to warn website owners to be wary of SEO firms and web consultants or agencies that send you email out of the blue.

Reserve the same skepticism for unsolicited email about search engines as you do for "burn fat at night" diet pills or requests to help transfer funds from deposed dictators.

Yet despite these warnings Network Solutions is sending unsolicited email messages to hundreds of thousands of website domain owners that include bizarre hype and false guarantees of Top 10 Search Results.

Beware of any top 10 placement guarantees, especially this one from Network Solutions that includes this lack of SEO talent, excuse-filled, legal disclaimer.

"Any Web site that is all Flash, contains frames/layers or adult content is not eligible for the guarantee. Guarantees may be voided for, among other reasons, Web sites that have downtime for one day or more, Web sites that have been altered after they have been optimized by Network Solutions, Web sites that are cloned, or that do not use 301 for redirects.

If customers do not respond to communications from Network Solutions for more than 60 days, the natural search optimization project may be considered "abandoned" and payment will be surrendered in full.

For optimization packages ("Top 10 Search Results service"), Network Solutions guarantees a minimum number of top ten listings in one or more of 12 search engines within 10 months from completion date. Most engines will index your site in about three (3) months, but it takes time to gain the popularity and ranking needed to compete using competitive phrases. Network Solutions will only submit keywords to search engines in the United States. The search engines included are: AOL, AlltheWeb, AltaVista, Ask.com (formerly known as AskJeeves), Google, Hotbot, IWon, Looksmart, Lycos, MSN, Netscape, and Yahoo!. The minimum number of top ten listings guaranteed is 5 for the 20 keyword phrase package, 10 for the 30 keyword phrase package and 20 for the 50 keyword phrase package. There is no guarantee for the 10 keyword package. The guarantee is a full money back guarantee, subject to these and the other terms and conditions of our Services Agreement, provided at the 10 month mark from date of completion if results are not obtained. (10 months?) In no event will Network Solutions be liable to you for any lost profits, lost savings, or other incidental or consequential damages arising from the optimizations services provided.

This service(s) does not guarantee any sales or traffic to your Web site. Traffic and sales depend upon the demand for your particular product or service, the design and layout of your Web site, and many other factors that are beyond the control of Network Solutions. (Top 10 keyword positions are definitely out of Network Solutions' control. Which search engine do they own? Oh, that's right, they don't own any search engine; they simply launch Google AdWords on parked domains in an attempt to profit on brands and trademark-protected names.)

Network Solutions services do not include the paid submission fees that some engines charge for inclusion. Network Solutions is not affiliated with these submission services in any way (or any search engines for that matter). You may opt to pay these fees directly to the search engine for inclusion. Additional fees may apply for changes, modifications, updates, and optimization alterations that exceed the scope of these optimization services.


Be wary of any top 10 keyword position guarantee, from any party including: Network Solutions.