Exclusive: The Rise of Social Network Attacks And Their PR Circus Debut

By Paul Wallis.
Published Apr 17, 2008 by  Paul Wallis - 36 votes, 32 comments

With social networks being increasingly targeted by spammers, spyware, phishing and other attacks, Netizens begin to wonder how safe they really are online. When companies like Myspace start to avoid questions, the issue becomes that much more important.
By Paul Wallis and Chris Hogg (Part 1 of 2)

The electronic parasite otherwise known as spam has been flooding inboxes since the early days of the Internet. Pornographers, hackers and Nigerian scam artists looking to make a quick buck off erectile dysfunction pills are as common in your inbox as a hello from a friend.

But that was spam 1.0, and today’s version is an irritant on steroids. With the growth of social networks, spammers are smarter than anything the world has ever seen. The result is a smut-filled labyrinth where Web users are being bombarded with everything from dating propositions to shell companies selling fake products to the growth of organized crime online.

This is a serious issue. We asked major industry players how safe we are while on the Net. What surprised us most is the deafening silence and myriad of non-answers we received. Improbable silence and tangential babble is rampant from anyone who has something to lose.

Case in point: Myspace. While the social network is making great strides in protecting its users from attack, there are still gaping holes in security, particularly in dialogue about security. And when you ask tough questions to which Web users deserve answers, public relations people working for multi-million dollar organizations clam up faster than a political candidate ravaged by scandal.

MySpace Defending Against Spam, But Not Talking About It


This whole story came to be after we were contacted by a number of 22-year-old women. Getting contacted by someone you don’t know on a social network is not out of the ordinary, but when you get contacted by droves of people, all female, all 22, alarm bells sound.

Both of us began receiving several very unambiguous Friend Requests on MySpace (all from American females aged 22). This, despite the fact we both live on opposite sides of the world and we had never received anything prior. Every single one of them used a macro to advertise things like “Millions of boys and girls ready to get laid tonight.”

Screenshot by DigitalJournal.com
A new type of spam has hit social networks like MySpace, coming in the form of friend requests. The person on the other end, whom you've never met, links to sex and pornography sites and adding friends on MySpace helps them reach large numbers of people quickly.


(So much for the Safe Sex message, too. “Click a disease.” Just what every pubescent kid needs.)

Spam, definitely. But using social networks, it seems that spam has taken on a new face and it’s far more advanced than anything that clogs up your email inbox. The Friend Requests through MySpace, as one example, link to odd senders who are definitely not dating agencies. They don’t even look like English speaking links, let alone 22-year-old American women. And while the content of their messages change from person to person, it's always sex related.



High-profile sites like MySpace are natural targets for spam, and the company has a series of hard line policies about spam eradication. Simply put: spam isn’t tolerated.

With “Friend Requests” rolling in, more 22-year-old women looking to be pals on MySpace, we took up the challenge of finding out just what MySpace is doing to stop this type of spam. We compiled a list of questions to be sent to MySpace officials hoping to learn a number of things ranging from how they handle friend-request spam, to any potential risks to MySpace users.

From Canada (Hogg’s home country), we sent questions off to MySpace in the United States. Quick response: No spokesperson available, we were told.

In all fairness to MySpace, we understand the company has a lot on its plate. We understand “busy”. We have to respect that, and we do.

So we waited a few days for a spokesperson to be freed up and tried contacting the company again through Australia (Wallis’ backyard). They were very quick, and a helpful guy got all our questions together and sent them off for official response.

The response came in the form of a phone call to Wallis’ home. The only problem was: It was 2:15 a.m. and the rep clearly didn’t look up time zones before phoning Australia from the U.S. God himself doesn’t call people at that hour, so an answering machine took the call. Again, no official comment.

When morning broke, we exchanged emails (and a certain amount of informed cursing) about how MySpace was addressing the issue and we learned something about how they handle media: The person who said no official response would be given (from MySpace in the U.S.) was the same person who made the 2 a.m. call to Australia. MySpace had pulled everything into one central place for handling these things in a monitoring division, despite the fact we put our questions through in two different countries.

What started out as a perfectly normal media inquiry was turning into a most bizarre series of events. We were also by now a bit concerned that a fairly normal press inquiry hadn’t received a set of responses.

Screenshot by DigitalJournal.com
A new type of spam has hit social networks like MySpace, coming in the form of friend requests. You get an email saying so-and-so wants to be added as your friend, but when you click through to find out who they are it leads to pornography sites and images like this one.


Unlike most mainstream coverage, we can’t just wind up a few clichés about something that’s been happening for years on the Net and call it “coverage.” That’d be a weather report, and an old one at best, not news to our readers. DigitalJournal.com is also a news site, not a rumour factory. We can’t just make squeaky accusations that MySpace isn’t doing anything about the possible risks to users without talking to them. It wouldn’t be correct, to start with, and it’s not even information, just innuendo.

It’s standard journalistic practice to balance information, where the views of every party are essential to understanding the issues. Normally a company would jump at the opportunity to talk about its technology, defend its product and praise what it’s doing for users. Not MySpace. At least not officially in something quotable.

As the 22-year-olds piled up, we continued to ask MySpace to give us answers. We sent more emails and left voicemails to express our disappointment that we couldn’t get an official response.



Then it came. The official statement (not answers to our questions) from MySpace.

Verbatim: “MySpace employs a variety technological, legal and policy solutions to protect our users from spam which is in direct violation of MySpace’s Terms of Use. We have removed and blocked the sources of these spam attempts. In addition, MySpace works with law enforcement to prosecute spammers who violate the law.” -- Hemanshu Nigam, MySpace Chief Security Officer.

OK, War and Peace it isn’t, but it does address the basics of the questions. Sort of. It’s great to hear the company takes spam seriously, but the lack of detail leads us to believe MySpace would rather we go away than engage in any meaningful dialogue.

When we were emailed this statement, we were also told: "MySpace will not be providing further comment from any other spokesperson as Mr. Nigam is the only appropriate spokesperson." Despite some great people who helped with the company’s PR (and we do appreciate whatever it took to do that), we weren’t finding answers.

MySpace removed some profiles of 22-year-old women who added us as friends after they were found to be a source of spam. Since then, we’ve had more add us.

MySpace also does several things to quash unsolicited spam, and the company encouraged us to read the spam portion of their website to learn more. We replied saying it was not good enough for readers who want answers to simple questions, and the spam section of the site is boilerplate.

By not answering media questions in detail, the company makes it seem as though it doesn’t care about who is behind the action. Instead, they delete someone’s account and move on. You can kill an account, but you can’t kill a cause or a movement as large as spam.

These are issues where MySpace needs to clearly explain its own position. It’s also lousy media relations.

Not all media are hostile to MySpace. We don’t think this possibility is funny, either. It’s a real risk to the public, and the big sites will need all the help they can get, and public awareness, to deal with it.



How safe is the Net, really?


In order to find out just how much of a threat users face online in social networks, we set out to interview two big experts in the field of spam, spyware and Internet attacks: Symantec (the makers of Norton Antivirus) and McAfee.

First up, McAfee: A leader in the area of protecting users online. Or so they say. Their corporate mission statement reads, “McAfee proactively secures systems and networks from known and as yet undiscovered threats worldwide.” Sounds lovely. But when we contacted the company with basic questions on where threats exist, a McAfee spokesperson replied, “I spoke with a couple of the researchers at McAfee and unfortunately they are unable to answer [your] questions. They do not typically focus on social networking sites but the overall idea of spam and malware.”

That certainly sounds like the “comprehensive and proven solutions” the company raves about. Also makes you wonder how people handle these threats, if they don’t bother to define their sources, and don’t look at their major targets. Remember, this is one of the top security sites on Earth, systematically not doing that.

Moving on, we also spoke with Symantec who had much more to say. In an interview with DigitalJournal.com, Symantec (Canada) vice-president and general manager, Michael Murphy, outlined today’s pock-filled Web.

(Our gratitude to Mr. Murphy for his comments is undying. We finally found someone in the major league who understood the questions, and who hadn’t taken a Vow of Silence or a post-doctorate degree in Implausible Media Relations 101).



“Although spam is a substantial risk to users of social networking sites, the real risk is with the wide variety of customization options and third-party applications available,” he said in an email interview with us. “Users can customize details in their profile, include links to other sites, upload images, videos and, in some cases, users are even allowed to embed code into their profile page. The problem is that hackers can do all of these things...”

Murphy says this is a significant risk to social networks because a hacker can hijack another user’s profile and gain access to a social network, using all information stored in profiles to carry out a “social engineering attack.” It’s all done through third-party applications.

Third-party applications are all the rage in today’s social Web. Sites like Facebook and MySpace have become famous because external companies are now developing applications to run on social networks. They are not created by MySpace or Facebook, but they can be used by any of the site’s members. Social networks win because they don’t have to invest a penny in creating any of their own applications, and external companies get the added benefit of gaining access to millions of people using the sites. It’s win-win for both parties, but it’s this bleeding wound that catches the attention of swimming sharks.

One example of a breach using third-party applications happened on Facebook; an application designed to tell members about secret relationship crushes actually attempted to fool users into downloading spyware. Fortinet, a security firm, found the problem.

“Gone are the days of the hacker who is looking for recognition and fame,” said Murphy. “Today, highly professionalized and organized criminal networks have been established to generate substantial financial payoffs for attackers. These networks have matured over the past year and have evolved to become a consolidated underground economy.”

Symantec sent us the following breakdown of places from which threats originate:

Source: Symantec Corporation
The following chart shows the top countries hosting phishing sites and top targets phished


Social Networks, Wake Up


Nobody envies MySpace’s position. Sometimes, when you are big you will be criticized no matter what you do. Media has been more negative than helpful, in terms of MySpace’s quite legitimate problems.

Now the big problem: The trouble with regulation on the Web is that it will always be behind the eight ball, after the event. Prevention is the only answer. All the previous Internet scams have taken far too long to get attention. You can’t play catch up and expect to beat them.

MySpace is the big bull’s-eye for any collection of jerks who are looking for an easy target and a lot of inexperienced users.

So why are social networks still being reactive instead of proactive? Big public sites are sitting ducks. They are being targeted already, and it’s more a matter of when, rather than if, they get hit with something that works.

Imagine if something like the World of Warcraft virtual plague got on to MySpace. What if, instead of a game, it was a zombie plague, hitting millions of computers, doing a lot of robotic phishing? The results would be catastrophic. People wouldn’t even know they’d been hit until their cards and payments started bouncing. It would cost users billions, and the legal side of the equation doesn’t really bear thinking about, for the sites.



This is the Internet Pandemic scenario, complete with ready-made epidemics. People who are prepared to phish systematically are more than likely to be ready to try big hits. All they need is site access.

It can be done, too. The difficulty is only in terms of numbers of affected computers, not any technical obstacle. Spam routinely affects huge numbers of users, so volumes aren’t a problem, and malicious software only needs a few lines or so of code.

Anything can carry that kind of code, too. Wallis’ anti-virus got four hits in less than a minute from something in a picture posted on the Net just recently. Expand this to the level of a social network, with millions of people and you have the potential for a full blown cyber World War 3.

But spam is only part of the problem, and with so much potential to earn big money, the people behind it are also becoming increasingly more dangerous.

If you’re still not convinced about the potential threat from spammers and phishers who target users through social networks, perhaps you’d also like to know that organized crime is also behind it. The problem is a whole lot bigger than ads for porn sites.

This article is the first in a two-part series. To read our investigation into organized crime's growth online and how social networks are being targeted, click here to read part two.